GitHub Repository: microsoft/vscode
Path: blob/main/build/azure-pipelines/common/sign.ts
/*---------------------------------------------------------------------------------------------
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License. See License.txt in the project root for license information.
*--------------------------------------------------------------------------------------------*/
import cp from 'child_process';
import fs from 'fs';
import crypto from 'crypto';
import path from 'path';
import os from 'os';
/**
 * Tracks throw-away file paths under the OS temp directory and deletes them on
 * `dispose()`.
 *
 * Names are 20 random bytes (160 bits) rendered as hex, so they are not
 * guessable, but the paths still live in the shared temp directory and this
 * class never creates the file itself: whoever writes to a returned path is
 * responsible for choosing a restrictive mode (e.g. `0o600`) when the content
 * is sensitive.
 */
export class Temp {
	private _pending: string[] = [];

	/**
	 * Returns a fresh random path under `os.tmpdir()` and remembers it for
	 * cleanup. The file is NOT created here.
	 */
	tmpNameSync(): string {
		const name = crypto.randomBytes(20).toString('hex');
		const fullPath = path.join(os.tmpdir(), name);
		this._pending.push(fullPath);
		return fullPath;
	}

	/**
	 * Best-effort removal of every path handed out so far. Failures (typically
	 * a path that was never written, or was already removed) are ignored so
	 * that cleanup during process exit can never itself fail the build.
	 */
	dispose(): void {
		this._pending.forEach(file => {
			try {
				fs.unlinkSync(file);
			} catch {
				// best effort: ignore missing or undeletable files
			}
		});
	}
}
/**
 * One ESRP signing operation. The array returned by `getParams` is serialized
 * as-is (`JSON.stringify`) into the params file that `main` hands to the ESRP
 * CLI via `-y inlineSignParams` / `-j <file>`, so property names here are part
 * of that file format.
 */
interface Params {
	/** ESRP key code; presumably selects the certificate/key used for the operation. */
	readonly keyCode: string;
	/** ESRP operation to run with that key, e.g. `SigntoolSign`, `SigntoolVerify`, `MacAppNotarize`. */
	readonly operationSetCode: string;
	/**
	 * Name/value pairs for the operation. Values in this file look like
	 * command-line switches of the underlying tool (`/fd "SHA256"`, `--options=runtime`).
	 */
	readonly parameters: {
		readonly parameterName: string;
		readonly parameterValue: string;
	}[];
	/** Tool identifier and version as understood by ESRP; always `sign` / `1.0` in this file. */
	readonly toolName: string;
	readonly toolVersion: string;
}
/**
 * Builds the ordered list of ESRP operations for one sign type.
 *
 * Every operation goes through the ESRP `sign` tool at version `1.0`; the key
 * code picks the key/certificate and the operation set code the action.
 * `sign-windows`, `sign-windows-appx` and `nuget` pair a sign operation with a
 * verify operation on the same key; the others are a single operation.
 *
 * @param type one of `sign-windows`, `sign-windows-appx`, `sign-pgp`,
 *   `sign-darwin`, `notarize-darwin`, `nuget`.
 * @returns the operations to run, in order.
 * @throws Error if `type` is not a known sign type.
 */
function getParams(type: string): Params[] {
	type Parameter = Params['parameters'][number];
	const param = (parameterName: string, parameterValue: string): Parameter => ({ parameterName, parameterValue });
	// Property order matters: this object is serialized to the params file.
	const op = (keyCode: string, operationSetCode: string, parameters: Parameter[] = []): Params =>
		({ keyCode, operationSetCode, parameters, toolName: 'sign', toolVersion: '1.0' });

	// Authenticode switches shared by both Windows flavours.
	const opusName = param('OpusName', 'VS Code');
	const opusInfo = param('OpusInfo', 'https://code.visualstudio.com/');
	const fileDigest = param('FileDigest', '/fd "SHA256"');
	const pageHash = param('PageHash', '/NPH');
	// NOTE(review): the timestamp server is addressed over plain http://. RFC 3161
	// timestamp tokens are signed by the TSA, so this is conventional rather than a
	// confidentiality problem, but confirm this corp endpoint is the intended one.
	const timeStamp = param('TimeStamp', '/tr "http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer" /td sha256');

	// A Map rather than a plain object so that names like `toString` cannot
	// resolve to an inherited property; unknown types must throw below.
	const builders = new Map<string, () => Params[]>([
		['sign-windows', () => [
			// Plain Windows binaries additionally pass `Append` (`/as`) and are verified with `/all`.
			op('CP-230012', 'SigntoolSign', [opusName, opusInfo, param('Append', '/as'), fileDigest, pageHash, timeStamp]),
			op('CP-230012', 'SigntoolVerify', [param('VerifyAll', '/all')])
		]],
		['sign-windows-appx', () => [
			op('CP-229979', 'SigntoolSign', [opusName, opusInfo, fileDigest, pageHash, timeStamp]),
			op('CP-229979', 'SigntoolVerify')
		]],
		['sign-pgp', () => [op('CP-450779-Pgp', 'LinuxSign')]],
		// `--options=runtime` requests the hardened runtime (see the `Hardening` parameter name).
		['sign-darwin', () => [op('CP-401337-Apple', 'MacAppDeveloperSign', [param('Hardening', '--options=runtime')])]],
		['notarize-darwin', () => [op('CP-401337-Apple', 'MacAppNotarize')]],
		['nuget', () => [op('CP-401405', 'NuGetSign'), op('CP-401405', 'NuGetVerify')]]
	]);

	const build = builders.get(type);
	if (build === undefined) {
		throw new Error(`Sign type ${type} not found`);
	}
	return build();
}
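/**
 * Entry point: signs (or verifies / notarizes) the files under `folderPath`
 * that match `pattern` by driving the ESRP CLI
 * (`dotnet <esrpCliPath> vsts.sign ...`).
 *
 * Secrets handling:
 * - The pipeline's `SYSTEM_ACCESSTOKEN` is never placed on the command line
 *   (argv is visible to other local processes and ends up in error output);
 *   it is AES-256-CBC encrypted under a one-off random key/IV and the
 *   ciphertext and the key material are written to two temp files whose paths
 *   are passed in `federatedTokenData`. Because the key is stored next to the
 *   ciphertext, this is a transport format for the ESRP CLI, not protection
 *   against a reader of the temp directory. The temp files are therefore
 *   created with mode `0o600` and exclusive-create (`wx`), so a pre-existing
 *   file or symlink at the random path fails loudly instead of being
 *   followed. (The mode is enforced on POSIX agents; on Windows agents the
 *   default ACL of the temp directory applies instead.)
 * - Every temp file is deleted on process exit via `Temp.dispose`.
 *
 * @param argv `[esrpCliPath, type, folderPath, pattern]`: the ESRP CLI
 *   assembly, a sign type accepted by `getParams`, the folder to process and
 *   the file pattern (written to a temp file and passed with `-p`).
 * @throws Error when one of the four arguments, or one of the environment
 *   variables `SYSTEM_ACCESSTOKEN`, `ESRP_CLIENT_ID`, `ESRP_TENANT_ID`, is
 *   missing, or when `type` is unknown. Exits the process with status 1 when
 *   the ESRP CLI itself fails.
 */
export function main([esrpCliPath, type, folderPath, pattern]: string[]) {
	// Fail fast on a bad invocation or environment before touching the disk.
	const cliPath = requireArg('esrpCliPath', esrpCliPath);
	const signType = requireArg('type', type);
	const folder = requireArg('folderPath', folderPath);
	const filePattern = requireArg('pattern', pattern);
	const signParams = getParams(signType); // throws for an unknown sign type
	const accessToken = requireEnv('SYSTEM_ACCESSTOKEN').trim();
	const esrpClientId = requireEnv('ESRP_CLIENT_ID');
	const esrpTenantId = requireEnv('ESRP_TENANT_ID');

	const tmp = new Temp();
	process.on('exit', () => tmp.dispose());

	// Wrap the access token for the ESRP CLI. Hex ciphertext plus a JSON
	// `{ key, iv }` (hex) file is the layout the CLI is given below; the CLI
	// only ever sees the two paths, never the token value.
	const key = crypto.randomBytes(32);
	const iv = crypto.randomBytes(16);
	const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
	const encryptedToken = cipher.update(accessToken, 'utf8', 'hex') + cipher.final('hex');

	const encryptionDetailsPath = tmp.tmpNameSync();
	writePrivateFile(encryptionDetailsPath, JSON.stringify({ key: key.toString('hex'), iv: iv.toString('hex') }));

	const encryptedTokenPath = tmp.tmpNameSync();
	writePrivateFile(encryptedTokenPath, encryptedToken);

	const patternPath = tmp.tmpNameSync();
	writePrivateFile(patternPath, filePattern);

	const paramsPath = tmp.tmpNameSync();
	writePrivateFile(paramsPath, JSON.stringify(signParams));

	// Argument-array spawn, no shell: nothing here is subject to shell parsing.
	const dotnetVersion = cp.execFileSync('dotnet', ['--version'], { encoding: 'utf8' }).trim();
	// Two directories above the CLI assembly; presumably the ADO task version folder.
	const adoTaskVersion = path.basename(path.dirname(path.dirname(cliPath)));

	// Identifiers only (pipeline SYSTEM_* variables and the VSCODE_ESRP_*
	// service-connection settings); the credential is the encrypted token file.
	const federatedTokenData = {
		jobId: process.env['SYSTEM_JOBID'],
		planId: process.env['SYSTEM_PLANID'],
		projectId: process.env['SYSTEM_TEAMPROJECTID'],
		hub: process.env['SYSTEM_HOSTTYPE'],
		uri: process.env['SYSTEM_COLLECTIONURI'],
		managedIdentityId: process.env['VSCODE_ESRP_CLIENT_ID'],
		managedIdentityTenantId: process.env['VSCODE_ESRP_TENANT_ID'],
		serviceConnectionId: process.env['VSCODE_ESRP_SERVICE_CONNECTION_ID'],
		tempDirectory: os.tmpdir(),
		systemAccessToken: encryptedTokenPath,
		encryptionKey: encryptionDetailsPath
	};

	const args = [
		cliPath,
		'vsts.sign',
		'-a', esrpClientId,
		'-d', esrpTenantId,
		'-k', JSON.stringify({ akv: 'vscode-esrp' }),
		'-z', JSON.stringify({ akv: 'vscode-esrp', cert: 'esrp-sign' }),
		'-f', folder,
		'-p', patternPath,
		'-u', 'false',
		'-x', 'regularSigning',
		'-b', 'input.json',
		'-l', 'AzSecPack_PublisherPolicyProd.xml',
		'-y', 'inlineSignParams',
		'-j', paramsPath,
		'-c', '9997',
		'-t', '120',
		'-g', '10',
		'-v', 'Tls12',
		'-s', 'https://api.esrp.microsoft.com/api/v1',
		'-m', '0',
		'-o', 'Microsoft',
		'-i', 'https://www.microsoft.com',
		'-n', '5',
		'-r', 'true',
		'-w', dotnetVersion,
		'-skipAdoReportAttachment', 'false',
		'-pendingAnalysisWaitTimeoutMinutes', '5',
		'-adoTaskVersion', adoTaskVersion,
		'-resourceUri', 'https://msazurecloud.onmicrosoft.com/api.esrp.microsoft.com',
		'-esrpClientId', esrpClientId,
		'-useMSIAuthentication', 'true',
		'-federatedTokenData', JSON.stringify(federatedTokenData)
	];

	try {
		cp.execFileSync('dotnet', args, { stdio: 'inherit' });
	} catch (err) {
		// The error carries the spawn arguments; by construction they hold only
		// paths and identifiers, never the access token itself.
		console.error('ESRP failed');
		console.error(err);
		process.exit(1);
	}
}

/** Returns a positional argument, failing with a clear message instead of a late TypeError. */
function requireArg(name: string, value: string | undefined): string {
	if (value === undefined || value === '') {
		throw new Error(`Missing required argument ${name}`);
	}
	return value;
}

/** Reads a required environment variable, failing with a clear message if unset or blank. */
function requireEnv(name: string): string {
	const value = process.env[name];
	if (value === undefined || value.trim() === '') {
		throw new Error(`Missing required environment variable ${name}`);
	}
	return value;
}

/**
 * Writes a temp file readable/writable by the current user only, and refuses
 * to reuse a path that already exists (`wx`) so a planted file or symlink is
 * an error rather than a write target.
 */
function writePrivateFile(filePath: string, content: string): void {
	fs.writeFileSync(filePath, content, { mode: 0o600, flag: 'wx' });
}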
// Run only when this file is the script being executed
// (`node sign.js <esrpCliPath> <type> <folderPath> <pattern>`), not when it
// is loaded for its `Temp` / `main` exports.
if (require.main === module) {
	const cliArgs = process.argv.slice(2);
	main(cliArgs);
	// Explicit exit; this also fires the 'exit' handler main() registers for temp-file cleanup.
	process.exit(0);
}