Add signing for VSIX, JS, and Windows files

Author: benmcmorran

.github/workflows/build.yml

@@ -73,7 +73,9 @@ jobs:
 
       - name: Check for linting errors
         run: gulp tslint
-      - name: Build and pack extension
+      - name: Build extension
+        run: gulp build --mode=production
+      - name: Pack extension
         run: vsce package --out vscode-arduino.vsix
       - name: Publish extension VSIX as artifact
         uses: actions/upload-artifact@v2

.vscodeignore

@@ -15,4 +15,6 @@ gulpfile.js
 *.log
 webpack.config.js
 node_modules/**
-vendor/**
+vendor/**
+azure-pipelines.yml
+build/**

azure-pipelines.yml

@@ -3,6 +3,16 @@
 
 name: $(Date:yyyyMMdd)$(Rev:.r).0-$(SourceBranchName)
 
+parameters:
+  - name: SignTypeOverride
+    displayName: Signing type override
+    type: string
+    default: default
+    values:
+      - default
+      - test
+      - real
+
 pr:
   - master
   - dev
@@ -19,7 +29,27 @@ trigger:
 pool:
   name: VSEngSS-MicroBuild2019-1ES
 
+variables:
+  # MicroBuild requires TeamName to be set.
+  TeamName: C++ Cross Platform and Cloud
+  # If the user didn't override the signing type, then only real-sign on master
+  # or dev.
+  ${{ if ne(parameters.SignTypeOverride, 'default') }}:
+    SignType: ${{ parameters.SignTypeOverride }}
+  ${{ if and(eq(parameters.SignTypeOverride, 'default'), or(eq(variables['Build.SourceBranchName'], 'master'), eq(variables['Build.SourceBranchName'], 'dev'))) }}:
+    SignType: real
+  ${{ if and(eq(parameters.SignTypeOverride, 'default'), not(or(eq(variables['Build.SourceBranchName'], 'master'), eq(variables['Build.SourceBranchName'], 'dev')))) }}:
+    SignType: test
+
 steps:
+  - task: MicroBuildSigningPlugin@3
+    displayName: Install MicroBuild Signing
+    inputs:
+      signType: $(SignType)
+      zipSources: false
+    # MicroBuild signing will always fail on public PRs.
+    condition: ne(variables['Build.Reason'], 'PullRequest')
+
   # Run these scanners first so that they don't detect issues in dependencies.
   # Failures won't break the build until "Check for compliance errors" step.
   - task: CredScan@2
@@ -48,15 +78,56 @@ steps:
   - script: gulp genAikey
     displayName: Use production AI key
     condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))
+  - script: gulp build --mode=production
+    displayName: Build extension
+  # Pack the extension now even though it's unsigned so that we ignore files
+  # from .vscodeignore. This will reduce load on the signing server later and
+  # ensure we only attempt to sign shipping files.
   - script: vsce package --out vscode-arduino.vsix
-    displayName: Build and pack extension
-  - publish: vscode-arduino.vsix
-    artifact: VS Code extension VSIX
-    displayName: Publish extension VSIX as artifact
+    displayName: Pack extension
 
   - task: ComponentGovernanceComponentDetection@0
     displayName: Detect components
 
+  # Extract the VSIX, sign what we can, then pack it back up and publish it.
+  - task: ExtractFiles@1
+    displayName: Extract extension for signing
+    inputs:
+      archiveFilePatterns: vscode-arduino.vsix
+      destinationFolder: $(Build.StagingDirectory)\vscode-arduino
+  - task: NuGetToolInstaller@1
+    displayName: Install NuGet
+  - task: NuGetAuthenticate@0
+    displayName: Authenticate NuGet
+  - script: nuget restore .\build\SignFiles.proj -PackagesDirectory .\build\packages
+    displayName: Restore MicroBuild Core
+    # MicroBuild signing will always fail on public PRs.
+    condition: ne(variables['Build.Reason'], 'PullRequest')
+  - task: MSBuild@1
+    displayName: Sign files
+    inputs:
+      solution: .\build\SignFiles.proj
+      msbuildArguments: /p:SignType=$(SignType)
+    # MicroBuild signing will always fail on public PRs.
+    condition: ne(variables['Build.Reason'], 'PullRequest')
+  - task: ArchiveFiles@2
+    displayName: Pack signed files
+    inputs:
+      rootFolderOrFile: $(Build.StagingDirectory)\vscode-arduino
+      includeRootFolder: false
+      archiveType: zip
+      archiveFile: $(Build.StagingDirectory)\vscode-arduino.vsix
+  - task: MSBuild@1
+    displayName: Sign VSIX
+    inputs:
+      solution: .\build\SignVsix.proj
+      msbuildArguments: /p:SignType=$(SignType)
+    # MicroBuild signing will always fail on public PRs.
+    condition: ne(variables['Build.Reason'], 'PullRequest')
+  - publish: $(Build.StagingDirectory)\vscode-arduino.vsix
+    artifact: VS Code extension VSIX
+    displayName: Publish extension VSIX as artifact
+
   # Install the Arduino IDE and run tests.
   - script: curl -LO https://downloads.arduino.cc/arduino-1.8.19-windows.zip
     displayName: Download Arduino IDE
@@ -114,6 +185,9 @@ steps:
       action: create
       target: $(Build.SourceVersion)
       tagSource: auto
-      assets: $(Build.SourcesDirectory)\vscode-arduino.vsix
+      assets: $(Build.StagingDirectory)\vscode-arduino.vsix
       isPreRelease: $[contains(variables['Build.SourceBranch'], '-rc')]
     condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/tags'))
+
+  - task: MicroBuildCleanup@1
+    displayName: Clean up MicroBuild

build/SignFiles.proj

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="SignFiles" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props" />
+
+  <PropertyGroup>
+    <BaseOutputDirectory>$(BUILD_STAGINGDIRECTORY)\vscode-arduino\extension</BaseOutputDirectory>
+    <!-- These properties are required by MicroBuild, which only signs files that are under these paths -->
+    <IntermediateOutputPath>$(BaseOutputDirectory)</IntermediateOutputPath>
+    <OutDir>$(BaseOutputDirectory)</OutDir>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)\**\*.js" Exclude="$(OutDir)\**\node_modules\**\*.js">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(OutDir)\out\serial-monitor-cli\win32\*.exe">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(OutDir)\out\serial-monitor-cli\win32\*.dll">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(OutDir)\**\node_modules\**\*.js">
+      <Authenticode>3PartyScriptsSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets" />
+</Project>

build/SignVsix.proj

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="SignFiles" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props" />
+
+  <PropertyGroup>
+    <BaseOutputDirectory>$(BUILD_STAGINGDIRECTORY)</BaseOutputDirectory>
+    <!-- These properties are required by MicroBuild, which only signs files that are under these paths -->
+    <IntermediateOutputPath>$(BaseOutputDirectory)</IntermediateOutputPath>
+    <OutDir>$(BaseOutputDirectory)</OutDir>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)\vscode-arduino.vsix">
+      <Authenticode>VsixSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets" />
+</Project>

build/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.VisualStudioEng.MicroBuild.Core" version="0.4.1" developmentDependency="true" />
+</packages>

package.json

@@ -571,7 +571,6 @@
     ]
   },
   "scripts": {
-    "vscode:prepublish": "gulp build --mode=production",
     "postinstall": "cd ./src/views && npm install && node ../../node_modules/node-usb-native/scripts/rebuild-serialport.js",
     "test": "gulp test"
   },