Skip to main content

Browse the archive

Staging
v0.5.1
https://github.com/python/cpython
09 December 2020, 11:06:31 UTC
Raw File
Tip revision: 21dd01dad7b6b38d4fd40b37d65f1ac7203ec4e6 authored by Ɓukasz Langa on 04 July 2019, 10:50:19 UTC
Python 3.8.0b2
Tip revision: 21dd01d
stage-sign.yml 
jobs:
- job: Sign_Python
  displayName: Sign Python binaries
  condition: and(succeeded(), variables['SigningCertificate'])

  pool:
    name: 'Windows Release'

  workspace:
    clean: all

  strategy:
    matrix:
      win32:
        Name: win32
      amd64:
        Name: amd64

  steps:
  - checkout: none
  - template: ./find-sdk.yml

  - powershell: |
      Write-Host "##vso[build.addbuildtag]signed"
    displayName: 'Add build tags'

  - task: DownloadPipelineArtifact@1
    displayName: 'Download artifact: unsigned_bin_$(Name)'
    inputs:
      artifactName: unsigned_bin_$(Name)
      targetPath: $(Build.BinariesDirectory)\bin

  - powershell: |
      $files = (gi *.exe, *.dll, *.pyd, *.cat -Exclude vcruntime*, libffi*, libcrypto*, libssl*)
      signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" $files
    displayName: 'Sign binaries'
    workingDirectory: $(Build.BinariesDirectory)\bin

  - powershell: |
      $files = (gi *.exe, *.dll, *.pyd, *.cat -Exclude vcruntime*, libffi*, libcrypto*, libssl*)
      $failed = $true
      foreach ($retry in 1..10) {
          signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
          if ($?) {
              $failed = $false
              break
          }
          sleep 5
      }
      if ($failed) {
          Write-Host "##vso[task.logissue type=error]Failed to timestamp files"
      }
    displayName: 'Timestamp binaries'
    workingDirectory: $(Build.BinariesDirectory)\bin
    continueOnError: true

  - task: PublishPipelineArtifact@0
    displayName: 'Publish artifact: bin_$(Name)'
    inputs:
      targetPath: '$(Build.BinariesDirectory)\bin'
      artifactName: bin_$(Name)


- job: Dump_CertInfo
  displayName: Capture certificate info
  condition: and(succeeded(), variables['SigningCertificate'])

  pool:
    name: 'Windows Release'

  steps:
  - checkout: none

  - powershell: |
      $m = 'CN=$(SigningCertificate)'
      $c = ((gci Cert:\CurrentUser\My), (gci Cert:\LocalMachine\My)) | %{ $_ } | `
         ?{ $_.Subject -match $m } | `
         select -First 1
      if (-not $c) {
          Write-Host "Failed to find certificate for $(SigningCertificate)"
          exit
      }
      $d = mkdir "$(Build.BinariesDirectory)\tmp" -Force
      $cf = "$d\cert.cer"
      [IO.File]::WriteAllBytes($cf, $c.Export("Cer"))
      $csha = (certutil -dump $cf | sls "Cert Hash\(sha256\): (.+)").Matches.Groups[1].Value

      $info = @{ Subject=$c.Subject; SHA256=$csha; }

      $d = mkdir "$(Build.BinariesDirectory)\cert" -Force
      $info | ConvertTo-JSON -Compress | Out-File -Encoding utf8 "$d\certinfo.json"
    displayName: "Extract certificate info"

  - task: PublishPipelineArtifact@0
    displayName: 'Publish artifact: cert'
    inputs:
      targetPath: '$(Build.BinariesDirectory)\cert'
      artifactName: cert


- job: Mark_Unsigned
  displayName: Tag unsigned build
  condition: and(succeeded(), not(variables['SigningCertificate']))

  pool:
    vmName: win2016-vs2017

  steps:
  - checkout: none

  - powershell: |
      Write-Host "##vso[build.addbuildtag]unsigned"
    displayName: 'Add build tag'
back to top