[ci] Use sign-artifacts template for macOS signing (#9091)

Context: xamarin/yaml-templates#317 We've been hitting a lot of issues recently in the macOS developer signing steps that run during the build. Mono MSBuild has been crashing, and signing service requests have been timing out. The macOS developer signing steps have been moved to the post build signing job that runs on Windows agents to try to mitigate these issues.
dotnet · Jul 16, 2024 · b01de22 · b01de22
1 parent 6b3b480
commit b01de22
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 149 deletions.
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
@@ -468,7 +468,7 @@ extends:
       condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(dependencies.linux_build.result, 'Succeeded'), eq(variables['MicroBuildSignType'], 'Real'))
       jobs:
       # Check - "Xamarin.Android (Prepare .NET Release Sign Archives)"
-      - template: sign-artifacts/jobs/v2.yml@yaml-templates
+      - template: sign-artifacts/jobs/v3.yml@yaml-templates
         parameters:
           name: sign_net_mac_win
           poolName: $(VSEngMicroBuildPool)
@@ -477,9 +477,12 @@ extends:
           signedArtifactName: nuget-signed
           usePipelineArtifactTasks: true
           use1ESTemplate: true
+          uploadPrefix: sign-mac-win
+          handleUnmappedFiles: fail
+          timeoutInMinutes: 240
 
       # Check - "Xamarin.Android (Prepare .NET Release Sign Linux Archive)"
-      - template: sign-artifacts/jobs/v2.yml@yaml-templates
+      - template: sign-artifacts/jobs/v3.yml@yaml-templates
         parameters:
           name: sign_net_linux
           displayName: Sign Linux Archive
@@ -489,6 +492,9 @@ extends:
           signedArtifactName: nuget-linux-signed
           usePipelineArtifactTasks: true
           use1ESTemplate: true
+          uploadPrefix: sign-linux
+          handleUnmappedFiles: fail
+          timeoutInMinutes: 120
 
       # Check - "Xamarin.Android (Prepare .NET Release Convert NuGet to MSI)"
       - template: nuget-msi-convert/job/v3.yml@yaml-templates

diff --git a/build-tools/automation/yaml-templates/commercial-build.yaml b/build-tools/automation/yaml-templates/commercial-build.yaml
@@ -66,58 +66,15 @@ steps:
   displayName: CodeQL 3000 Finalize
   condition: and(succeededOrFailed(), eq(variables['Codeql.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
-- template: /build-tools/automation/yaml-templates/install-microbuild-tooling.yaml
-  parameters:
-    condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-
-# Restore needs to be executed first or MicroBuild targets won't be imported in time
 - task: DotNetCoreCLI@2
-  displayName: msbuild /t:Restore sign-content.proj
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: /t:Restore /p:Configuration=$(XA.Build.Configuration) -v:n /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog
-
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - add entitlements and sign
+  displayName: macOS signing - add runtime entitlements
   condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
   inputs:
     projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
     arguments: >-
-      /t:AddMachOEntitlements;AddMSBuildFilesUnixSign;AddMSBuildFilesUnixSignAndHarden;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
+      /t:AddMachOEntitlements /p:Configuration=$(XA.Build.Configuration)
       /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
 
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - sign binutils libraries
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: >-
-      /t:AddBinUtilsFilesUnixSign;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
-      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-lib.binlog
-
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - sign binutils executables
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: >-
-      /t:AddBinUtilsFilesUnixSignAndHarden;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
-      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-ex.binlog
-
-- template: /build-tools/automation/yaml-templates/remove-microbuild-tooling.yaml
-  parameters:
-    condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))
-
 - script: make create-installers CONFIGURATION=$(XA.Build.Configuration) MSBUILD_ARGS='${{ parameters.makeMSBuildArgs }}'
   workingDirectory: ${{ parameters.xaSourcePath }}
   displayName: make create-installers

diff --git a/build-tools/create-packs/SignList.xml b/build-tools/create-packs/SignList.xml
@@ -26,5 +26,12 @@
     <FirstParty Include="*.exe" />
     <!-- First and third party .jar files use the same Authenticode -->
     <FirstParty Include="*.jar" />
+    <MacDeveloperSign Include="*.dylib" />
+    <MacDeveloperSignHarden Include="Darwin/aapt2" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*as" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*ld" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/llc" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/llvm-mc" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*strip" />
   </ItemGroup>
 </Project>
diff --git a/build-tools/installers/sign-content.proj b/build-tools/installers/sign-content.proj
@@ -2,8 +2,8 @@
 ***********************************************************************************************
 sign-content.proj
 
-This project file is used to sign and harden all relevent files included in our legacy .vsix
-and .pkg installers.  ESRP signing does not yet support passing a runtime entitlements
+This project file is used to add runtime entitlements to any file that requires macOS signing
+and runtime hardening. ESRP signing does not yet support passing a runtime entitlements
 file alongside a file that needs runtime hardening, so we have to apply the entitlements
 ourself (using an empty signing identity) before passing these files to ESRP.
 ***********************************************************************************************
@@ -12,118 +12,18 @@ ourself (using an empty signing identity) before passing these files to ESRP.
 
   <Import Project="..\..\Configuration.props" />
   <Import Project="create-installers.targets" />
-  <Import Project="$(XamarinAndroidSourcePath)\build-tools\create-packs\SignList.xml" />
 
   <PropertyGroup>
     <TargetFramework>netstandard2.0</TargetFramework>
     <GenerateDependencyFile>false</GenerateDependencyFile>
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
     <!-- NOTE: Any file you want to sign must be under either $(OutDir) or $(IntermediateOutputPath). -->
     <OutDir Condition=" '$(OutDir)' == '' ">$(MicrosoftAndroidSdkOutDir)</OutDir>
-    <UnzippedVsixDir>$(OutDir)vsix-unzip\</UnzippedVsixDir>
   </PropertyGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="$(MicroBuildCoreVersion)">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-  </ItemGroup>
-
   <Target Name="AddMachOEntitlements" >
     <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_MSBuildFilesUnixSignAndHarden.Identity)&quot;" />
     <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_BinUtilsFilesUnixSignAndHarden.Identity)&quot;" />
   </Target>
 
-  <Target Name="AddMSBuildFilesUnixSign" >
-    <ItemGroup>
-      <FilesToSign Include="@(_MSBuildFilesUnixSign)">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddMSBuildFilesUnixSignAndHarden" >
-    <ItemGroup>
-      <FilesToSign Include="@(_MSBuildFilesUnixSignAndHarden)">
-        <Authenticode>MacDeveloperVNextHarden</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddBinUtilsFilesUnixSign" >
-    <ItemGroup>
-      <FilesToSign Include="@(_BinUtilsFilesUnixSign)">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddBinUtilsFilesUnixSignAndHarden" >
-    <ItemGroup>
-      <FilesToSign Include="@(_BinUtilsFilesUnixSignAndHarden)">
-        <Authenticode>MacDeveloperVNextHarden</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddVsixContent" >
-    <RemoveDir Directories="$(UnzippedVsixDir)" />
-    <MakeDir Directories="$(UnzippedVsixDir)" />
-    <Unzip
-        SourceFiles="$(VsixPath)"
-        DestinationFolder="$(UnzippedVsixDir)"
-    />
-    <CreateItem Include="@(ThirdParty -> '$(UnzippedVsixDir)**\%(Identity)')">
-      <Output TaskParameter="Include" ItemName="_ThirdPartyAssemblies" />
-    </CreateItem>
-    <CreateItem Include="@(Skip -> '$(UnzippedVsixDir)**\%(Identity)')">
-      <Output TaskParameter="Include" ItemName="_SkipAssemblies" />
-    </CreateItem>
-    <!-- Allow full wildcards in @(FirstParty) by removing any explicitly listed @(ThirdParty) and @(Skip) content -->
-    <CreateItem Include="@(FirstParty -> '$(UnzippedVsixDir)**\%(Identity)')" Exclude="@(_ThirdPartyAssemblies);@(_SkipAssemblies)">
-      <Output TaskParameter="Include" ItemName="_FirstPartyAssemblies" />
-    </CreateItem>
-    <ItemGroup>
-      <FilesToSign Include="@(_FirstPartyAssemblies)" Condition="%(Extension) == '.dll' or %(Extension) == '.exe'">
-        <Authenticode>Microsoft400</Authenticode>
-      </FilesToSign>
-      <FilesToSign Include="@(_FirstPartyAssemblies)" Condition="%(Extension) == '.jar'">
-        <Authenticode>MicrosoftJARSHA2</Authenticode>
-      </FilesToSign>
-      <FilesToSign Include="@(_ThirdPartyAssemblies)" Condition="%(Extension) == '.dll' or %(Extension) == '.exe'">
-        <Authenticode>3PartySHA2</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="ZipVsixContent" >
-    <Delete Files="$(VsixPath)" />
-    <ZipDirectory
-        SourceDirectory="$(UnzippedVsixDir)"
-        DestinationFile="$(VsixPath)"
-    />
-  </Target>
-
-  <Target Name="SignVsix" >
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)\Xamarin.Android.Sdk-*.vsix">
-        <Authenticode>VsixSHA2</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="SignPkg" >
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)\xamarin.android-*.pkg">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
 </Project>