✒️ Enable ESRP Signing on the .VSIX (#1885)

* Add fake MSBuild project to allow signing VSIX and JS

* Sign JS

* Add step to pipeline

* Restrict signing package version

* Add scripts to install signing tool locally

* only go up 1 directory

* fix display name

* fix whitespace -__-

* add build step for installing microbuild

* add sign type parameter

* dont produce alpha package in official drop

* add sign type parameter to default pipeline

* dont publish package in another directory as this causes other issues, instead copy the artifact

* acknowledge the existence of a document explaining the release and other maintenance processes

this information is more suited for internal repo changes.

* change internal stream to a different signing stream

* add dotnet public for notargets sdk

* reduce to 1 feed

* use a different feed

* Use dotnet team

* use explicit feed source

* add feed auth

* fix comment

* rename unsigned vsix so both can get dropped

* use the other type of slash for REN -__-

* try to fix path

* add packages folder with empty gitignore

* figure out dir

* fix rename command

* Fix rename

the 'unsigned' one is actually the signed one

* Fix JS File Sign

dist is at the root of each but this runs in a segregated folder

* produce binlogs and try to fix the path

* Publish SDK Extension Logs

* fix signing

* remove bad slash in path that gets parsed incorrectly

* remove \

* fix microbuild to be installed b5 js signing

* update gitignore

* fix gitignore again

* [REVERT THIS] Add a file A.ts to see if files are signed alphabetical or only non minified JS is signed

* [REVERT THIS] Add content to js to see if minify changes signing

* sign js after webpack

maybe we can sign it after the bundle is created and it will  still be able to edit the bundle vsix internals? I thought not but perhaps extension.js is getting replaced by the webpack, so lets see if this works.

* Revert "[REVERT THIS] Add content to js to see if minify changes signing"

This reverts commit ecacc68.

* Revert "[REVERT THIS] Add a file A.ts to see if files are signed alphabetical or only non minified JS is signed"

This reverts commit 1ab6ea1.

* Update name of incorrect task.

Author: nagilson

Diff for: .gitignore

@@ -3,10 +3,10 @@
 TestResults/
 .nuget/
 .build/
+msbuild/signJs/*.log
 .testPublish/
 *.sln.ide/
 _ReSharper.*/
-packages/
 artifacts/
 .build/
 PublishProfiles/
@@ -34,7 +34,6 @@ project.lock.json
 .build/
 .vs/
 launchSettings.json
-global.json
 BenchmarkDotNet.Artifacts/
 msbuild.binlog
 msbuild.log

Diff for: .vscodeignore

@@ -5,4 +5,8 @@ node_modules/**
 dist/test/**
 src/**
 tslint.json
-*.vsix
+*.vsix
+packages/
+msbuild/**
+global.json
+nuget.config

Diff for: 1es-azure-pipeline.yml

@@ -45,6 +45,11 @@ parameters:
   - name: NetCore1ESPool-Internal
     image: 1es-windows-2022
     os: windows
+- name: SignType
+  displayName: Sign type
+  type: string
+  default: Test
+  values: [ 'Test', 'Real' ]
 
 extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
@@ -91,6 +96,7 @@ extends:
             image: 1es-windows-2022
             os: windows
           useOneEngineeringPool: true
+          SignType: ${{ parameters.SignType }}
       - template: pipeline-templates/sbom.yaml@self
         parameters:
           pool:

Diff for: 1pr-azure-pipeline.yml

@@ -54,12 +54,6 @@ stages:
         os: windows
       useOneEngineeringPool: false
   - template: pipeline-templates/lint.yaml
-    parameters:
-      pool:
-        vmImage: windows-latest
-        os: windows
-      useOneEngineeringPool: false
-  - template: pipeline-templates/package-vsix.yaml
     parameters:
       pool:
         vmImage: windows-latest

Diff for: Documentation/release.md

@@ -0,0 +1 @@
+See a copy of this file in the `internal-documentation` branch in our internal repository. Or instead, check out our team one note's 'VSCode Extension' --> 'release.md' file for further information.

Diff for: build.ps1

@@ -81,4 +81,25 @@ popd
 #################### Copy Library Artifacts ####################
 & "$(Split-Path $MyInvocation.MyCommand.Path)/mock-webpack.ps1"
 
-Write-Host "Build Succeeded" -ForegroundColor $successColor
+Write-Host "Build Succeeded" -ForegroundColor $successColor
+
+#################### Install Signing Tool ####################
+
+try
+{
+    $InstallNuGetPkgScriptPath = ".\signing\Install-NuGetPackage.ps1"
+    $nugetVerbosity = 'quiet'
+    if ($Verbose) { $nugetVerbosity = 'normal' }
+    $MicroBuildPackageSource = 'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json'
+    if ($Signing)
+    {
+        Write-Host "Installing MicroBuild signing plugin" -ForegroundColor $successColor
+        Invoke-Expression "& `"$InstallNuGetPkgScriptPath`" MicroBuild.Plugins.Signing -source $MicroBuildPackageSource -Verbosity $nugetVerbosity"
+        $EnvVars['SignType'] = "Test"
+    }
+
+    & ".\signing\Set-EnvVars.ps1" -Variables $EnvVars -PrependPath $PrependPath | Out-Null
+} catch {
+    Write-Host "Failed to install signing tool" -ForegroundColor $errorColor
+    Write-Host $_.Exception.Message
+}

Diff for: global.json

@@ -0,0 +1,5 @@
+{
+    "msbuild-sdks": {
+      "Microsoft.Build.NoTargets": "3.7.0"
+    }
+}

Diff for: msbuild/Directory.Build.props

@@ -0,0 +1,5 @@
+<Project>
+    <PropertyGroup>
+        <RepoRoot>$(MSBuildThisFileDirectory)../</RepoRoot>
+    </PropertyGroup>
+</Project>

Diff for: msbuild/Directory.Build.rsp

@@ -0,0 +1,16 @@
+#------------------------------------------------------------------------------
+# This file contains command-line options that MSBuild will process as part of
+# every build, unless the "/noautoresponse" switch is specified.
+#
+# MSBuild processes the options in this file first, before processing the
+# options on the command line. As a result, options on the command line can
+# override the options in this file. However, depending on the options being
+# set, the overriding can also result in conflicts.
+#
+# NOTE: The "/noautoresponse" switch cannot be specified in this file, nor in
+# any response file that is referenced by this file.
+#------------------------------------------------------------------------------
+/nr:false
+/m
+/verbosity:minimal
+/clp:Summary;ForceNoAlign

Diff for: msbuild/Directory.Packages.props

@@ -0,0 +1,10 @@
+<Project>
+  <!-- https://learn.microsoft.com/nuget/consume-packages/central-package-management -->
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
+  </PropertyGroup>
+  <ItemGroup>
+    <GlobalPackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+  </ItemGroup>
+</Project>

Diff for: msbuild/signJs/signJs.proj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+    <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+    <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+    <IsPackable>false</IsPackable>
+    <OutDir>$(MSBuildProjectDirectory)\$(JSOutputPath)\</OutDir>
+    <MicroBuild_SigningEnabled>true</MicroBuild_SigningEnabled>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(SignType)' == ''">
+      <SignType>test</SignType>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)*.js">
+      <Authenticode>MicrosoftSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+</Project>

Diff for: msbuild/signVsix/signVsix.proj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+    <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+    <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+    <IsPackable>false</IsPackable>
+    <OutDir>$(RepoRoot)packages\</OutDir>
+  </PropertyGroup>
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)*.vsix">
+      <Authenticode>VsixSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+</Project>

Diff for: nuget.config

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <config>
+    <add key="repositorypath" value="packages" />
+  </config>
+  <packageSources>
+    <!--To inherit the global NuGet package sources remove the <clear/> line below -->
+    <clear />
+    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
+  </packageSources>
+  <disabledPackageSources>
+    <!-- Defend against user or machine level disabling of sources that we list in this file. -->
+    <clear />
+  </disabledPackageSources>
+</configuration>

Diff for: packages/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

Diff for: pipeline-templates/build-test.yaml

@@ -12,10 +12,15 @@ jobs:
   templateContext:
     outputs:
     - output: pipelineArtifact
-      displayName: '🌐 Publish Logs'
+      displayName: '🌐 Publish Install Tool Logs'
       condition: always()
       targetPath: '$(Build.SourcesDirectory)/vscode-dotnet-runtime-extension/dist/test/functional/logs'
-      artifactName: '${{ parameters.pool.os }} logs'
+      artifactName: '${{ parameters.pool.os }} Install Tool logs'
+    - output: pipelineArtifact
+      displayName: '👜 Publish SDK Logs'
+      condition: always()
+      targetPath: '$(Build.SourcesDirectory)/vscode-dotnet-sdk-extension/dist/test/functional/logs'
+      artifactName: '${{ parameters.pool.os }} SDK logs'
   steps:
   - template: install-node.yaml
   - ${{ if eq(parameters.pool.os, 'windows') }}:

Diff for: pipeline-templates/package-vsix.yaml

@@ -1,5 +1,6 @@
 parameters:
   pool: ''
+  SignType: ''
 
 jobs:
 - job: ${{ parameters.pool.os }}_Package
@@ -12,7 +13,7 @@ jobs:
   dependsOn:
   - ${{ parameters.pool.os }}_Build
   - TSLint
-  condition: succeeded()
+  condition: and(succeeded(), eq('${{ parameters.useOneEngineeringPool }}', 'true'))
   strategy:
     matrix:
       Runtime:
@@ -34,23 +35,60 @@ jobs:
         VERSION=`node -p "require('./package.json').version"`
       else
         VERSION_NUM=`node -p "require('./package.json').version"`
-        VERSION="$VERSION_NUM-alpha-$(Build.BuildId)"
+        VERSION="$VERSION_NUM"
       fi
       npm version $VERSION --allow-same-version
       echo "##vso[task.setvariable variable=version;isOutput=true]$VERSION"
     name: GetVersion
     displayName: '❓ Get Version'
     workingDirectory: $(dir-name)
+  - task: UseDotNet@2
+    displayName: 🔮 Use .NET SDK
+    inputs:
+      packageType: sdk
+      useGlobalJson: true
+  # This is necessary whenever we want to publish/restore to an AzDO private feed
+  # otherwise it'll complain about accessing a private feed.
+  - task: NuGetAuthenticate@1
+    displayName: '🔏 Authenticate to AzDO Feeds'
+  - task: MicroBuildSigningPlugin@4
+    displayName: 🔧 Install MicroBuild Signing Plugin
+    inputs:
+      signType: ${{ parameters.SignType }}
+      zipSources: false
+      feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
+    env:
+      SignType: ${{ parameters.SignType }}
+      TeamName: DotNetCore
   - bash: |
       npm install rimraf --reg https://registry.npmjs.org/ --verbose
       npm install @vscode/vsce@latest -g --reg https://registry.npmjs.org/ --verbose
       vsce package -o $(package-name)-$(GetVersion.version).vsix --ignoreFile ../.vscodeignore --yarn
+      cp $(package-name)-$(GetVersion.version).vsix ../packages/$(package-name)-$(GetVersion.version).vsix
     displayName: 📦 Package Artifact
     workingDirectory: $(dir-name)
+    env:
+      SignType: ${{ parameters.SignType }}
+  - script: dotnet build msbuild/signVsix -v:normal
+    displayName: 🖊️ Sign VSIXes
+    env:
+      SignType: ${{ parameters.SignType }}
+  - task: CmdLine@2
+    displayName: 🤌 Rename Signed VSIX
+
+    inputs:
+      script: rename ".\packages\$(package-name)-$(GetVersion.version).vsix" $(package-name)-$(GetVersion.version)-signed.vsix
   - task: CopyFiles@2
     displayName: '📩 Copy Artifact'
     inputs:
       SourceFolder: '$(Build.SourcesDirectory)'
       Contents: '**\*.vsix'
       TargetFolder: '$(Build.ArtifactStagingDirectory)'
-      flattenFolders: true
+      flattenFolders: true
+  - task: CopyFiles@2
+    displayName: '🏗️ Copy Binlog'
+    inputs:
+      SourceFolder: '$(Build.SourcesDirectory)'
+      Contents: '**\*.binlog'
+      TargetFolder: '$(Build.ArtifactStagingDirectory)'
+      flattenFolders: false

Diff for: sample/package.json

@@ -104,7 +104,7 @@
 		]
 	},
 	"scripts": {
-		"vscode:prepublish": "npm install && npm run compile",
+		"vscode:prepublish": "npm install && npm run compile && dotnet build ../msbuild/signJs --property jsOutputPath=..\\..\\sample\\dist -bl -v:normal",
 		"compile": "npm run clean && tsc -p ./",
 		"watch": "npm run clean && tsc -watch -p ./",
 		"test": "npm run compile && node ./node_modules/vscode/bin/test",

Diff for: signing/Get-NuGetTool.ps1

@@ -0,0 +1,22 @@
+<#
+.SYNOPSIS
+    Downloads the NuGet.exe tool and returns the path to it.
+.PARAMETER NuGetVersion
+    The version of the NuGet tool to acquire.
+#>
+Param(
+    [Parameter()]
+    [string]$NuGetVersion='6.4.0'
+)
+
+$toolsPath = & "$PSScriptRoot\Get-TempToolsPath.ps1"
+$binaryToolsPath = Join-Path $toolsPath $NuGetVersion
+if (!(Test-Path $binaryToolsPath)) { $null = mkdir $binaryToolsPath }
+$nugetPath = Join-Path $binaryToolsPath nuget.exe
+
+if (!(Test-Path $nugetPath)) {
+    Write-Host "Downloading nuget.exe $NuGetVersion..." -ForegroundColor Yellow
+    (New-Object System.Net.WebClient).DownloadFile("https://dist.nuget.org/win-x86-commandline/v$NuGetVersion/NuGet.exe", $nugetPath)
+}
+
+return (Resolve-Path $nugetPath).Path

Diff for: signing/Get-TempToolsPath.ps1

@@ -0,0 +1,13 @@
+if ($env:AGENT_TEMPDIRECTORY) {
+    $path = "$env:AGENT_TEMPDIRECTORY\$env:BUILD_BUILDID"
+} elseif ($env:localappdata) {
+    $path = "$env:localappdata\gitrepos\tools"
+} else {
+    $path = "$PSScriptRoot\..\obj\tools"
+}
+
+if (!(Test-Path $path)) {
+    New-Item -ItemType Directory -Path $Path | Out-Null
+}
+
+(Resolve-Path $path).Path

Diff for: signing/Install-NuGetPackage.ps1

@@ -0,0 +1,55 @@
+<#
+.SYNOPSIS
+    Installs a NuGet package.
+.PARAMETER PackageID
+    The Package ID to install.
+.PARAMETER Version
+    The version of the package to install. If unspecified, the latest stable release is installed.
+.PARAMETER Source
+    The package source feed to find the package to install from.
+.PARAMETER PackagesDir
+    The directory to install the package to. By default, it uses the Packages folder at the root of the repo.
+.PARAMETER ConfigFile
+    The nuget.config file to use. By default, it uses :/nuget.config.
+.OUTPUTS
+    System.String. The path to the installed package.
+#>
+[CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact='Low')]
+Param(
+    [Parameter(Position=1,Mandatory=$true)]
+    [string]$PackageId,
+    [Parameter()]
+    [string]$Version,
+    [Parameter()]
+    [string]$Source,
+    [Parameter()]
+    [switch]$Prerelease,
+    [Parameter()]
+    [string]$PackagesDir="$PSScriptRoot\..\packages",
+    [Parameter()]
+    [string]$ConfigFile="$PSScriptRoot\..\nuget.config",
+    [Parameter()]
+    [ValidateSet('Quiet','Normal','Detailed')]
+    [string]$Verbosity='normal'
+)
+
+$nugetPath = & "$PSScriptRoot\Get-NuGetTool.ps1"
+
+try {
+    Write-Verbose "Installing $PackageId..."
+    $nugetArgs = "Install",$PackageId,"-OutputDirectory",$PackagesDir,'-ConfigFile',$ConfigFile
+    if ($Version) { $nugetArgs += "-Version",$Version }
+    if ($Source) { $nugetArgs += "-FallbackSource",$Source }
+    if ($Prerelease) { $nugetArgs += "-Prerelease" }
+    $nugetArgs += '-Verbosity',$Verbosity
+
+    if ($PSCmdlet.ShouldProcess($PackageId, 'nuget install')) {
+        $p = Start-Process $nugetPath $nugetArgs -NoNewWindow -Wait -PassThru
+        if ($p.ExitCode -ne 0) { throw }
+    }
+
+    # Provide the path to the installed package directory to our caller.
+    Write-Output (Get-ChildItem "$PackagesDir\$PackageId.*")[0].FullName
+} finally {
+    Pop-Location
+}