Signit (#207)

* Sign sign sign

* Needs stage

* Frickin yaml

* More YAML

* Whitespace??

* Whitespace????

* Update build.yaml

* Missing config publish

* verify its not a conditional

* PowerShell escaping can diaf

* Move bruce package

* Update build.yaml for Azure Pipelines

* Update build.yaml for Azure Pipelines

* Update build.yaml for Azure Pipelines

* Update build.yaml for Azure Pipelines

* Add bruce to sign list

* Update build.yaml for Azure Pipelines

* Update build.yaml for Azure Pipelines

Config/SignClient.json

@@ -0,0 +1,13 @@
+{
+  "SignClient": {
+    "AzureAd": {
+      "AADInstance": "https://login.microsoftonline.com/",
+      "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
+      "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
+    },
+    "Service": {
+      "Url": "https://codesign.dotnetfoundation.org/",
+      "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
+    }
+  }
+}

Config/filelist.txt

@@ -0,0 +1,2 @@
+**/Kerberos.NET.*
+**/Bruce.*

build.yaml

@@ -8,82 +8,153 @@ pr:
 - develop
 - rel/*
 
-pool:
-  vmImage: windows-latest
-
-variables:
-  BuildConfiguration: Release
-  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
-
-steps:
-- task: UseDotNet@2
-  displayName: 'Use .NET Core SDK 3.1.x'
-  inputs:
-    version: 3.1.302
-    performMultiLevelLookup: true
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: custom
-    custom: tool
-    arguments: install --tool-path . nbgv
-  displayName: Install NBGV tool
-
-- script: nbgv cloud
-  displayName: Set Version
-
-- task: MSBuild@1
-  displayName: 'Build solution Kerberos.NET.sln'
-  inputs:
-    solution: Kerberos.NET.sln
-    configuration: $(BuildConfiguration)
-    msbuildArguments: /restore /p:CreatePackage=true
-    maximumCpuCount: true
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: test
-    projects: Tests/**/*.csproj
-    arguments: -c $(BuildConfiguration) --no-build --no-restore --settings CodeCoverage.runsettings --collect:"XPlat Code Coverage" 
-  displayName: Run Unit Tests
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: 'pack'
-    packagesToPack: './Bruce/Bruce.csproj'
-    nobuild: true
-  displayName: Pack Bruce tool
+stages:
+- stage: Build
+  jobs:
+  - job: Build
+    pool:
+      vmImage: windows-latest
+
+    variables:
+      BuildConfiguration: Release
+      DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+
+    steps:
+    - task: UseDotNet@2
+      displayName: 'Use .NET Core SDK 3.1.x'
+      inputs:
+        version: 3.1.302
+        performMultiLevelLookup: true
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: custom
+        custom: tool
+        arguments: install --tool-path . nbgv
+      displayName: Install NBGV tool
+
+    - script: nbgv cloud
+      displayName: Set Version
+
+    - task: MSBuild@1
+      displayName: 'Build solution Kerberos.NET.sln'
+      inputs:
+        solution: Kerberos.NET.sln
+        configuration: $(BuildConfiguration)
+        msbuildArguments: /restore /p:CreatePackage=true
+        maximumCpuCount: true
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: test
+        projects: Tests/**/*.csproj
+        arguments: -c $(BuildConfiguration) --no-build --no-restore --settings CodeCoverage.runsettings --collect:"XPlat Code Coverage" 
+      displayName: Run Unit Tests
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: 'pack'
+        packagesToPack: './Bruce/Bruce.csproj'
+        nobuild: true
+        outputDir: $(Build.ArtifactStagingDirectory)
+      displayName: Pack Bruce tool
 
-- task: PublishBuildArtifacts@1
-  inputs:
-    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
-    publishLocation: 'Container'
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: custom
-    custom: tool
-    arguments: install --tool-path . dotnet-reportgenerator-globaltool
-  displayName: Install ReportGenerator tool
-
-- script: reportgenerator -reports:$(Agent.TempDirectory)/**/coverage.cobertura.xml -targetdir:$(Build.SourcesDirectory)/coverlet/reports -reporttypes:"Cobertura"
-  displayName: Create reports
-
-- task: PublishCodeCoverageResults@1
-  displayName: 'Publish code coverage'
-  inputs:
-    codeCoverageTool: Cobertura
-    summaryFileLocation: $(Build.SourcesDirectory)/coverlet/reports/Cobertura.xml
-
-- task: NuGetAuthenticate@0
-  displayName: 'NuGet Authenticate'
-- task: NuGetCommand@2
-  displayName: 'NuGet push'
-  inputs:
-    command: push
-    publishVstsFeed: 'Kerberos.NET/kerberos.net'
-    allowPackageConflicts: true
-
-- publish: artifacts
-  displayName: Publish build packages
-  artifact: BuildPackages
+    - task: PublishBuildArtifacts@1
+      inputs:
+        PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+        publishLocation: 'Container'
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: custom
+        custom: tool
+        arguments: install --tool-path . dotnet-reportgenerator-globaltool
+      displayName: Install ReportGenerator tool
+
+    - script: reportgenerator -reports:$(Agent.TempDirectory)/**/coverage.cobertura.xml -targetdir:$(Build.SourcesDirectory)/coverlet/reports -reporttypes:"Cobertura"
+      displayName: Create reports
+
+    - task: PublishCodeCoverageResults@1
+      displayName: 'Publish code coverage'
+      inputs:
+        codeCoverageTool: Cobertura
+        summaryFileLocation: $(Build.SourcesDirectory)/coverlet/reports/Cobertura.xml
+
+    - task: NuGetAuthenticate@0
+      displayName: 'NuGet Authenticate'
+    - task: NuGetCommand@2
+      displayName: 'NuGet push'
+      inputs:
+        command: push
+        publishVstsFeed: 'Kerberos.NET/kerberos.net'
+        allowPackageConflicts: true
+
+    - publish: artifacts
+      displayName: Publish build packages
+      artifact: BuildPackages
+
+    - publish: config
+      displayName: Publish Signing Scripts
+      artifact: config
+
+- stage: CodeSign
+  # condition: and(succeeded('Build'), not(eq(variables['build.reason'], 'PullRequest')))
+  jobs:
+  - deployment: CodeSign
+    displayName: Code Signing
+    pool:
+      vmImage: windows-latest    
+    environment: Code Sign - Approvals
+    variables:
+    - group: Sign Client Credentials
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          # If you have MSCA: https://aka.ms/mscadocs
+          # - task: ms-codeanalysis.vss-microsoft-security-code-analysis-devops.build-task-antimalware.AntiMalware@3
+          #   displayName: AntiMalware Scan
+          #   inputs:
+          #     EnableServices: true
+          #     FileDirPath: $(Pipeline.Workspace)\BuildPackages
+
+          - task: DotNetCoreCLI@2
+            inputs:
+              command: custom
+              custom: tool
+              arguments: install --tool-path . SignClient
+            displayName: Install SignTool tool
+
+          - pwsh: |
+              .\SignClient "Sign" `
+              --baseDirectory "$(Pipeline.Workspace)\BuildPackages" `
+              --input "**/*.nupkg" `
+              --config "$(Pipeline.Workspace)\config\SignClient.json" `
+              --filelist "$(Pipeline.Workspace)\config\filelist.txt" `
+              --user "$(SignClientUser)" `
+              --secret '$(SignClientSecret)' `
+              --name "Kerberos.NET" `
+              --description "Kerberos.NET" `
+              --descriptionUrl "https://github.com/dotnet/Kerberos.NET"
+            displayName: Sign Kerberos.NET
+            
+          - pwsh: |
+              .\SignClient "Sign" `
+              --baseDirectory "$(Pipeline.Workspace)\drop" `
+              --input "**/*.nupkg" `
+              --config "$(Pipeline.Workspace)\config\SignClient.json" `
+              --filelist "$(Pipeline.Workspace)\config\filelist.txt" `
+              --user "$(SignClientUser)" `
+              --secret '$(SignClientSecret)' `
+              --name "Bruce" `
+              --description "Commandline client for Kerberos.NET" `
+              --descriptionUrl "https://github.com/dotnet/Kerberos.NET"
+            displayName: Sign Bruce
+              
+          - publish: $(Pipeline.Workspace)/BuildPackages
+            displayName: Publish Signed Packages
+            artifact: SignedPackages
+
+          - publish: $(Pipeline.Workspace)/Drop
+            displayName: Publish Signed Drop
+            artifact: SignedDrop