setup SBOM signing for VPack

2025-08-21 05:43:10 -07:00 · 2024-03-15 13:14:47 +08:00 · 2024-03-15 13:14:47 +08:00 · b17e635c81
commit b17e635c81
parent c3ae2367ca
4 changed files with 25 additions and 3 deletions
--- a/build/pipelines/azure-pipelines.release.yaml
+++ b/build/pipelines/azure-pipelines.release.yaml
@ -8,7 +8,7 @@ trigger: none
 pr: none

 variables:
-  versionMajor: 11
+  versionMajor: 0 # Revert it back after passing tests
  versionMinor: 2403
  versionBuild: $[counter(format('{0}.{1}.*', variables['versionMajor'], variables['versionMinor']), 0)]
  versionPatch: 0
--- a/build/pipelines/templates/build-single-architecture.yaml
+++ b/build/pipelines/templates/build-single-architecture.yaml
@ -55,7 +55,7 @@ jobs:
        downloadDirectory: $(Build.SourcesDirectory)
        vstsFeed: WindowsInboxApps
        vstsFeedPackage: calculator-internals
-        vstsPackageVersion: 0.0.105
+        vstsPackageVersion: 0.0.106

  - task: NuGetToolInstaller@1
    displayName: Use NuGet 6.x
--- a/build/pipelines/templates/package-msixbundle.yaml
+++ b/build/pipelines/templates/package-msixbundle.yaml
@ -91,7 +91,7 @@ jobs:
        downloadDirectory: $(Build.SourcesDirectory)
        vstsFeed: WindowsInboxApps
        vstsFeedPackage: calculator-internals
-        vstsPackageVersion: 0.0.105
+        vstsPackageVersion: 0.0.106

  - task: PowerShell@2
    displayName: Generate MsixBundle mapping
--- a/build/pipelines/templates/release-vpack.yaml
+++ b/build/pipelines/templates/release-vpack.yaml
@ -28,6 +28,23 @@ jobs:
      contents: Microsoft.WindowsCalculator_8wekyb3d8bbwe.msixbundle
      targetFolder: $(Pipeline.Workspace)\vpack\msixBundle

+  - task: UniversalPackages@0
+    displayName: Download internals package
+    inputs:
+      command: download
+      downloadDirectory: $(Build.SourcesDirectory)
+      vstsFeed: WindowsInboxApps
+      vstsFeedPackage: calculator-internals
+      vstsPackageVersion: 0.0.106
+
+  - pwsh: |
+      $configPath = "$(Build.SourcesDirectory)\Tools\Build\Signing\ESRP-auth.json"
+      $auth = Get-Content -Raw $configPath | ConvertFrom-Json
+      $sbomKeyCode = $auth._ExtraContext.SbomKeyCode
+      echo "##vso[task.setvariable variable=keyCode; isOutput=true]key code"
+    displayName: Get SBOM Key Code
+    name: getSbomKeyCode
+
  - task: PkgESVPack@12
    displayName: Create and push vpack for app
    env:
@ -39,3 +56,8 @@ jobs:
      version: $(versionMajor).$(versionMinor).$(versionBuild)
      owner: paxeeapps
      provData: true
+      taskLogVerbosity: Diagnostic
+      coseUsageScenario: 'product'
+      signSbom: true
+      sbomKeyCode: $(getSbomKeyCode.keyCode)
+      pathToEsrpAuthJson: '$(Build.SourcesDirectory)\Tools\Build\Signing\ESRP-auth.json'