diff options
author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-08-23 00:19:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-23 00:19:44 +0300 |
commit | e69c9d07ab06c606c4e494ab7f41a880a1dcb122 (patch) | |
tree | 37a2f3a17b078e36c38c6dea6aa218c116ffb568 /eng/pipelines/coreclr/templates/sign-diagnostic-files.yml | |
parent | d8e84363082681b59d9c9c2777af9dc5eac5c287 (diff) |
[release/7.0-rc1] Change signature for diagnostic binaries (#74323)
* Add DAC signature infrastructure
* Use a .NET 6 SDK to enable signing
* Add signature verification
Co-authored-by: Juan Sebastian Hoyos Ayala <juan.hoyos@microsoft.com>
Diffstat (limited to 'eng/pipelines/coreclr/templates/sign-diagnostic-files.yml')
-rw-r--r-- | eng/pipelines/coreclr/templates/sign-diagnostic-files.yml | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/eng/pipelines/coreclr/templates/sign-diagnostic-files.yml b/eng/pipelines/coreclr/templates/sign-diagnostic-files.yml new file mode 100644 index 00000000000..7b020552ad5 --- /dev/null +++ b/eng/pipelines/coreclr/templates/sign-diagnostic-files.yml @@ -0,0 +1,80 @@ +parameters: + basePath: '' + isOfficialBuild: '' + timeoutInMinutes: '' + +steps: +- ${{ if and(eq(parameters.isOfficialBuild, true), ne(variables['Build.Reason'], 'PullRequest')) }}: + - task: UseDotNet@2 + displayName: Install .NET 6 SDK for signing. + inputs: + packageType: 'sdk' + version: '6.0.x' + installationPath: '$(Agent.TempDirectory)/dotnet' + + - task: EsrpCodeSigning@1 + displayName: Sign Diagnostic Binaries + inputs: + ConnectedServiceName: 'dotnetesrp-diagnostics-dnceng' + FolderPath: ${{ parameters.basePath }} + Pattern: | + **/mscordaccore*.dll + **/mscordbi*.dll + UseMinimatch: true + signConfigType: 'inlineSignParams' + inlineOperation: >- + [ + { + "keyCode": "CP-471322", + "operationCode": "SigntoolSign", + "parameters": { + "OpusName": "Microsoft", + "OpusInfo": "http://www.microsoft.com", + "PageHash": "/NPH", + "FileDigest": "/fd sha256", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "toolName": "sign", + "toolVersion": "1.0" + }, + { + "KeyCode": "CP-471322", + "OperationCode": "SigntoolVerify", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] + SessionTimeout: ${{ parameters.timeoutInMinutes }} + MaxConcurrency: '50' + MaxRetryAttempts: '5' + env: + DOTNET_MULTILEVEL_LOOKUP: 0 + DOTNET_ROOT: '$(Agent.TempDirectory)/dotnet' + DOTNET_MSBUILD_SDK_RESOLVER_CLI_DIR: '$(Agent.TempDirectory)/dotnet' + + - powershell: | + $filesToSign = $(Get-ChildItem -Recurse ${{ parameters.basePath }} -Include mscordaccore*.dll, mscordbi*.dll) + foreach ($file in $filesToSign) { + $signingCert = $(Get-AuthenticodeSignature $file).SignerCertificate + if ($signingCert -eq $null) + { + throw "File $file does not contain a signature." + } + + if ($signingCert.Subject -ne "CN=.NET DAC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ` + -or $signingCert.Issuer -ne "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") + { + throw "File $file not in expected trust chain." + } + + $certEKU = $signingCert.Extensions.Where({ $_.Oid.FriendlyName -eq "Enhanced Key Usage" }) | Select -First 1 + + if ($certEKU.EnhancedKeyUsages.Where({ $_.Value -eq "1.3.6.1.4.1.311.84.4.1" }).Count -ne 1) + { + throw "Signature for $file does not contain expected EKU." + } + + Write-Host "$file is correctly signed." + } + displayName: Validate diagnostic signatures |