microsoft
GitHub Repository: microsoft/vscode
Path: blob/main/build/azure-pipelines/common/sign.js
"use strict";
// Interop helper emitted by the TypeScript compiler: a module flagged
// __esModule is used as-is, anything else is wrapped so it is reachable
// through `.default`. An already-defined helper on `this` is reused.
var __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
// Temp is a placeholder here and is assigned after the class definition;
// main is a hoisted function declaration, so it can be exported up front.
exports.Temp = void 0;
exports.main = main;
/*---------------------------------------------------------------------------------------------
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License. See License.txt in the project root for license information.
*--------------------------------------------------------------------------------------------*/
const child_process_1 = __importDefault(require("child_process"));
const fs_1 = __importDefault(require("fs"));
const crypto_1 = __importDefault(require("crypto"));
const path_1 = __importDefault(require("path"));
const os_1 = __importDefault(require("os"));
/**
 * Hands out temporary file paths and remembers them so they can all be
 * removed in one call.
 */
class Temp {
    // Every path returned by tmpNameSync(), in the order issued.
    _files = [];

    /**
     * Reserves a fresh path under the OS temp directory. Only the name is
     * generated (20 random bytes, hex-encoded); the file itself is not
     * created here, so its permissions are decided by whoever writes it.
     * @returns {string} the reserved path
     */
    tmpNameSync() {
        const randomName = crypto_1.default.randomBytes(20).toString('hex');
        const tmpPath = path_1.default.join(os_1.default.tmpdir(), randomName);
        this._files.push(tmpPath);
        return tmpPath;
    }

    /**
     * Deletes every path issued so far. Deletion is best effort: a failure
     * on one path (for example a path that was never written) is ignored and
     * the remaining paths are still attempted.
     */
    dispose() {
        this._files.forEach((tmpPath) => {
            try {
                fs_1.default.unlinkSync(tmpPath);
            }
            catch (err) {
                // deliberately ignored: cleanup must not fail the run
            }
        });
    }
}
exports.Temp = Temp;
/**
 * Returns the list of signing operations for a given sign type. main()
 * serializes this list to the params file it passes to the ESRP CLI.
 *
 * The Windows and NuGet types pair a sign operation with a verify operation
 * on the same key code; the remaining types are a single operation.
 *
 * @param {string} type - one of 'sign-windows', 'sign-windows-appx',
 *   'sign-pgp', 'sign-darwin', 'notarize-darwin', 'nuget'
 * @returns {Array<object>} freshly built operation descriptors
 * @throws {Error} if the type is not one of the known values
 */
function getParams(type) {
    // All operations share the tool name and version; only the key code,
    // operation set and parameter list vary. Key order is kept stable because
    // the result is written out as JSON.
    const operation = (keyCode, operationSetCode, parameters = []) => ({
        keyCode,
        operationSetCode,
        parameters,
        toolName: 'sign',
        toolVersion: '1.0'
    });
    const param = (parameterName, parameterValue) => ({ parameterName, parameterValue });
    // Parameters common to both Windows signing flavours.
    const opusName = () => param('OpusName', 'VS Code');
    const opusInfo = () => param('OpusInfo', 'https://code.visualstudio.com/');
    const fileDigest = () => param('FileDigest', '/fd "SHA256"');
    const pageHash = () => param('PageHash', '/NPH');
    const timeStamp = () => param('TimeStamp', '/tr "http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer" /td sha256');

    // A Map (rather than a plain object) so that only the listed types match.
    const builders = new Map([
        ['sign-windows', () => [
            operation('CP-230012', 'SigntoolSign', [
                opusName(),
                opusInfo(),
                param('Append', '/as'),
                fileDigest(),
                pageHash(),
                timeStamp()
            ]),
            operation('CP-230012', 'SigntoolVerify', [
                param('VerifyAll', '/all')
            ])
        ]],
        ['sign-windows-appx', () => [
            operation('CP-229979', 'SigntoolSign', [
                opusName(),
                opusInfo(),
                fileDigest(),
                pageHash(),
                timeStamp()
            ]),
            operation('CP-229979', 'SigntoolVerify')
        ]],
        ['sign-pgp', () => [
            operation('CP-450779-Pgp', 'LinuxSign')
        ]],
        ['sign-darwin', () => [
            operation('CP-401337-Apple', 'MacAppDeveloperSign', [
                param('Hardening', '--options=runtime')
            ])
        ]],
        ['notarize-darwin', () => [
            operation('CP-401337-Apple', 'MacAppNotarize')
        ]],
        ['nuget', () => [
            operation('CP-401405', 'NuGetSign'),
            operation('CP-401405', 'NuGetVerify')
        ]]
    ]);

    const build = builders.get(type);
    if (build === undefined) {
        throw new Error(`Sign type ${type} not found`);
    }
    return build();
}
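/**
 * Signs (or notarizes) files by running the ESRP CLI through `dotnet`.
 *
 * The pipeline access token is not put on the command line. It is AES-256-CBC
 * encrypted with a one-off random key and IV, and the CLI is given the paths
 * of two temp files: one with the ciphertext, one with the key and IV. Both
 * files live in the OS temp directory and the key file is in clear, so the
 * encryption does not protect the token from anyone able to read both files.
 * What limits exposure is that the files are created owner-only and removed
 * when the process exits.
 *
 * @param {string[]} argv - [esrpCliPath, type, folderPath, pattern]:
 *   esrpCliPath is passed to `dotnet` as the program to run, type selects the
 *   operations from getParams(), folderPath is passed as `-f`, and pattern is
 *   written to a temp file whose path is passed as `-p`.
 * @throws {Error} if SYSTEM_ACCESSTOKEN is not set or `type` is unknown.
 *   A failure of the CLI itself is logged and ends the process with code 1.
 */
function main([esrpCliPath, type, folderPath, pattern]) {
    const tmp = new Temp();
    // 'exit' handlers also run on process.exit(), so the temp files are
    // removed on the failure path below as well.
    process.on('exit', () => tmp.dispose());
    const accessToken = process.env['SYSTEM_ACCESSTOKEN'];
    if (typeof accessToken !== 'string') {
        // Clear failure instead of a TypeError from .trim() on undefined.
        throw new Error('SYSTEM_ACCESSTOKEN is not set');
    }
    // Files holding the key material and the encrypted token are created
    // readable and writable by the owner only, instead of with the default
    // mode. This matters on POSIX agents, where the temp directory can be
    // shared; Windows largely ignores the mode.
    const secretFileOptions = { mode: 0o600 };
    const key = crypto_1.default.randomBytes(32);
    const iv = crypto_1.default.randomBytes(16);
    const cipher = crypto_1.default.createCipheriv('aes-256-cbc', key, iv);
    const encryptedToken = cipher.update(accessToken.trim(), 'utf8', 'hex') + cipher.final('hex');
    const encryptionDetailsPath = tmp.tmpNameSync();
    fs_1.default.writeFileSync(encryptionDetailsPath, JSON.stringify({ key: key.toString('hex'), iv: iv.toString('hex') }), secretFileOptions);
    const encryptedTokenPath = tmp.tmpNameSync();
    fs_1.default.writeFileSync(encryptedTokenPath, encryptedToken, secretFileOptions);
    const patternPath = tmp.tmpNameSync();
    fs_1.default.writeFileSync(patternPath, pattern);
    const paramsPath = tmp.tmpNameSync();
    fs_1.default.writeFileSync(paramsPath, JSON.stringify(getParams(type)));
    const dotnetVersion = child_process_1.default.execSync('dotnet --version', { encoding: 'utf8' }).trim();
    // The task version is taken from the name of the CLI's grandparent directory.
    const adoTaskVersion = path_1.default.basename(path_1.default.dirname(path_1.default.dirname(esrpCliPath)));
    // Only file paths are passed for the token and its key, never the values.
    const federatedTokenData = {
        jobId: process.env['SYSTEM_JOBID'],
        planId: process.env['SYSTEM_PLANID'],
        projectId: process.env['SYSTEM_TEAMPROJECTID'],
        hub: process.env['SYSTEM_HOSTTYPE'],
        uri: process.env['SYSTEM_COLLECTIONURI'],
        managedIdentityId: process.env['VSCODE_ESRP_CLIENT_ID'],
        managedIdentityTenantId: process.env['VSCODE_ESRP_TENANT_ID'],
        serviceConnectionId: process.env['VSCODE_ESRP_SERVICE_CONNECTION_ID'],
        tempDirectory: os_1.default.tmpdir(),
        systemAccessToken: encryptedTokenPath,
        encryptionKey: encryptionDetailsPath
    };
    const args = [
        esrpCliPath,
        'vsts.sign',
        '-a',
        process.env['ESRP_CLIENT_ID'],
        '-d',
        process.env['ESRP_TENANT_ID'],
        '-k', JSON.stringify({ akv: 'vscode-esrp' }),
        '-z', JSON.stringify({ akv: 'vscode-esrp', cert: 'esrp-sign' }),
        '-f', folderPath,
        '-p', patternPath,
        '-u', 'false',
        '-x', 'regularSigning',
        '-b', 'input.json',
        '-l', 'AzSecPack_PublisherPolicyProd.xml',
        '-y', 'inlineSignParams',
        '-j', paramsPath,
        '-c', '9997',
        '-t', '120',
        '-g', '10',
        '-v', 'Tls12',
        '-s', 'https://api.esrp.microsoft.com/api/v1',
        '-m', '0',
        '-o', 'Microsoft',
        '-i', 'https://www.microsoft.com',
        '-n', '5',
        '-r', 'true',
        '-w', dotnetVersion,
        '-skipAdoReportAttachment', 'false',
        '-pendingAnalysisWaitTimeoutMinutes', '5',
        '-adoTaskVersion', adoTaskVersion,
        '-resourceUri', 'https://msazurecloud.onmicrosoft.com/api.esrp.microsoft.com',
        '-esrpClientId',
        process.env['ESRP_CLIENT_ID'],
        '-useMSIAuthentication', 'true',
        '-federatedTokenData', JSON.stringify(federatedTokenData)
    ];
    try {
        // execFileSync takes an argument array and spawns no shell, so
        // folderPath and the other values are not subject to shell parsing.
        child_process_1.default.execFileSync('dotnet', args, { stdio: 'inherit' });
    }
    catch (err) {
        console.error('ESRP failed');
        console.error(err);
        process.exit(1);
    }
}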
// Run the signer only when this file is executed directly, not when it is
// required as a module. A CLI failure exits with code 1 inside main(), so
// reaching the end means success.
if (module === require.main) {
    const cliArgs = process.argv.slice(2);
    main(cliArgs);
    process.exit(0);
}
//# sourceMappingURL=sign.js.map