Sign nugets (#1588)

microsoft · May 14, 2018 · 45f94ee · 45f94ee
1 parent 2e3ceec
commit 45f94ee
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 4 deletions.
diff --git a/scripts/verify-sign.ps1 b/scripts/verify-sign.ps1
@@ -21,6 +21,7 @@ $ErrorActionPreference = "Continue"
 Write-Verbose "Setup environment variables."
 $env:TP_ROOT_DIR = (Get-Item (Split-Path $MyInvocation.MyCommand.Path)).Parent.FullName
 $env:TP_OUT_DIR = Join-Path $env:TP_ROOT_DIR "artifacts"
+$env:TP_TOOLS_DIR = Join-Path $env:TP_ROOT_DIR "tools"
 
 #
 # Signing configuration
@@ -31,9 +32,9 @@ $TPB_SignCertificate = $Certificate
 $TPB_Configuration = $Configuration
 $TPB_AssembliesPattern = @("*test*.dll", "*qualitytools*.dll", "*test*.exe", "*datacollector*.dll", "*datacollector*.exe", "QTAgent*.exe", "VsWebSite.Interop.dll", "Microsoft.VisualStudio*.dll", "Microsoft.TestPlatform.Build.dll", "Microsoft.DiaSymReader.dll", "Microsoft.IntelliTrace*.dll", "concrt140.dll", "msvcp140.dll", "vccorlib140.dll", "vcruntime140.dll", "codecoveragemessages.dll", "covrun32.dll", "msdia140.dll", "covrun64.dll", "IntelliTrace.exe", "ProcessSnapshotCleanup.exe", "TDEnvCleanup.exe", "CodeCoverage.exe", "Microsoft.ShDocVw.dll", "UIAComwrapper.dll", "Interop.UIAutomationClient.dll")
 
-function Verify-Signature
+function Verify-Assemblies
 {
-    Write-Log "Verify-Signature: Start"
+    Write-Log "Verify-Assemblies: Start"
     $artifactsDirectory = Join-Path $env:TP_OUT_DIR $TPB_Configuration
     foreach ($pattern in $TPB_AssembliesPattern) {
         Write-Log "... Pattern: $pattern"
@@ -68,7 +69,33 @@ function Verify-Signature
         }
     }
 
-    Write-Log "Verify-Signature: Complete"
+    Write-Log "Verify-Assemblies: Complete"
+}
+
+function Verify-NugetPackages
+{
+    Write-Log "Verify-NugetPackages: Start"
+
+    # Move acquiring nuget.exe to external dependencies once Nuget.Commandline for 4.6.1 is available.
+    $nugetInstallDir = Join-Path $env:TP_TOOLS_DIR "nuget"
+    $nugetInstallPath = Join-Path $nugetInstallDir "nuget.exe"
+
+    if(![System.IO.File]::Exists($nugetInstallPath))
+    {
+        # Create the directory for nuget.exe if it does not exist
+        New-Item -ItemType Directory -Force -Path $nugetInstallDir
+        Invoke-WebRequest https://dist.nuget.org/win-x86-commandline/v4.6.1/nuget.exe -OutFile $nugetInstallPath
+    }
+
+	Write-Log "Using nuget.exe installed at $nugetInstallPath"
+
+	$artifactsDirectory = Join-Path $env:TP_OUT_DIR $TPB_Configuration
+    $packagesDirectory = Join-Path $artifactsDirectory "packages"
+    Get-ChildItem -Filter *.nupkg  $packagesDirectory | % {
+    & $nugetInstallPath verify -signature -CertificateFingerprint 3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE $_.FullName
+    }
+
+    Write-Log "Verify-NugetPackages: Complete"
 }
 
 function Write-Log ([string] $message)
@@ -90,4 +117,5 @@ function Write-FailLog ([string] $message)
     }
 }
 
-Verify-Signature
+Verify-Assemblies
+Verify-NugetPackages
diff --git a/src/package/sign/sign.proj b/src/package/sign/sign.proj
@@ -373,6 +373,24 @@
                Type="$(SignType)" />               
   </Target>
 
+  <Target Name="SignNugetPackages">
+    <PropertyGroup>
+      <NugetOutDir>$(ArtifactsBaseDirectory)\packages</NugetOutDir>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <FilesToSign Include="$(NugetOutDir)/*.nupkg">
+        <Authenticode>NuGet</Authenticode>
+      </FilesToSign>
+    </ItemGroup>
+
+    <Message Text="Signing using authenticode certificate '%(FilesToSign.Authenticode)' for @(FilesToSign)"/>
+    <SignFiles Files="@(FilesToSign)"
+               BinariesDirectory="$(NugetOutDir)"
+               IntermediatesDirectory="$(IntermediatesDirectory)"
+               Type="$(SignType)" />
+  </Target>
+
   <Target Name="SignVsix">
     <PropertyGroup>
       <VsixOutDir>$(ArtifactsBaseDirectory)VSIX\</VsixOutDir>