From 6ea4ce6b07f5dfb1896ba638aa6b339bd6d0513e Mon Sep 17 00:00:00 2001
From: "Dustin L. Howett"
Date: Wed, 21 Jun 2023 16:01:45 -0500
Subject: [PATCH] Add the drop validator task, rework some build artifacts (#15568)

I originally intended to add the Drop Validator (which is a compliance requirement) task to the build, but I quickly realized that we weren't generating a complete SBOM manifest covering every artifact that we produced. We were generating the SBOM manifest, and then re-packing the Terminal app which very likely invalidated all of the hashes and signatures in the SBOM manifest! We were also missing the unpackaged build. I've removed the `appx-PLATFORM-CONFIG` and `unpackaged-PLAT-CONF` artifacts and combined them into a single one, `terminal-PLAT-CONF`.

(cherry picked from commit 191eb00f43cce6f0a7c35404937ab1a870aef775)
Service-Card-Id: 89624682
Service-Version: 1.17
---
 build/pipelines/release.yml | 69 ++++++++++++++++++++++++-------------
 1 file changed, 46 insertions(+), 23 deletions(-)

diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml
index 834df750d9..8429f0abe0 100644
--- a/build/pipelines/release.yml
+++ b/build/pipelines/release.yml
@@ -245,10 +245,6 @@ jobs:
 TargetFolder: $(Build.ArtifactStagingDirectory)/appx
 OverWrite: true
 flattenFolders: true
- - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
- displayName: 'Generate SBOM manifest'
- inputs:
- BuildDropPath: '$(System.ArtifactsDirectory)/appx'
 - pwsh: |-
 $Package = (Get-ChildItem "$(Build.ArtifactStagingDirectory)/appx" -Recurse -Filter "Cascadia*.msix" | Select -First 1)
@@ -271,20 +267,29 @@ jobs:
 & "$(MakeAppxPath)" pack /h SHA256 /o /p $PackageFilename /d "$(Build.SourcesDirectory)\UnpackedTerminalPackage"
 displayName: Re-pack the new Terminal package after signing
- - task: PublishBuildArtifacts@1
- displayName: Publish Artifact (appx)
- inputs:
- PathtoPublish: $(Build.ArtifactStagingDirectory)/appx
- ArtifactName: appx-$(BuildPlatform)-$(BuildConfiguration)
-
 - pwsh: |-
 $XamlAppxPath = (Get-Item "src\cascadia\CascadiaPackage\AppPackages\*\Dependencies\$(BuildPlatform)\Microsoft.UI.Xaml*.appx").FullName
- & .\build\scripts\New-UnpackagedTerminalDistribution.ps1 -TerminalAppX $(WindowsTerminalPackagePath) -XamlAppX $XamlAppxPath -Destination "$(Build.ArtifactStagingDirectory)/unpackaged"
+ & .\build\scripts\New-UnpackagedTerminalDistribution.ps1 -TerminalAppX $(WindowsTerminalPackagePath) -XamlAppX $XamlAppxPath -Destination "$(Build.ArtifactStagingDirectory)/appx"
 displayName: Build Unpackaged Distribution
- - publish: $(Build.ArtifactStagingDirectory)/unpackaged
- artifact: unpackaged-$(BuildPlatform)-$(BuildConfiguration)
- displayName: Publish Artifact (unpackaged)
+ - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+ displayName: 'Generate SBOM manifest (application)'
+ inputs:
+ BuildDropPath: '$(System.ArtifactsDirectory)/appx'
+
+ - task: DropValidatorTask@0
+ displayName: 'Validate application SBOM manifest'
+ inputs:
+ BuildDropPath: '$(System.ArtifactsDirectory)/appx'
+ OutputPath: 'output.json'
+ ValidateSignature: true
+ Verbosity: 'Verbose'
+
+ - task: PublishBuildArtifacts@1
+ displayName: Publish Artifact (Terminal app)
+ inputs:
+ PathtoPublish: $(Build.ArtifactStagingDirectory)/appx
+ ArtifactName: terminal-$(BuildPlatform)-$(BuildConfiguration)
 - ${{ if eq(parameters.buildConPTY, true) }}:
 - task: CopyFiles@2
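Review bot: The two new tasks name the drop as `$(System.ArtifactsDirectory)/appx` while the pack step above and the `PublishBuildArtifacts@1` step below call the same directory `$(Build.ArtifactStagingDirectory)/appx`; on a default agent these resolve to one path, but inside the hunk they read as two locations, so one spelling — `BuildDropPath: '$(Build.ArtifactStagingDirectory)/appx'` in both new tasks — would make it visible that what is published is exactly what was validated. The validator's `OutputPath: 'output.json'` is a bare relative path (presumably resolved against the task's working directory) and nothing in this job publishes it, so the validation report is not retained with the artifact it attests to; pointing it into the staging directory or publishing it next to the manifest would keep that evidence with the drop. The bundle validator in the hunk at `@@ -405,6 +413,20` has the same two points. The ordering itself is right: generation and validation now follow the re-pack and the unpackaged-distribution step, so the manifest hashes the final bytes. The job these steps belong to starts before the hunk and continues past it.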
@@ -355,10 +360,13 @@ jobs:
 inputs:
 disableOutputRedirect: true
 - ${{ each platform in parameters.buildPlatforms }}:
- - task: DownloadBuildArtifacts@0
+ - task: DownloadBuildArtifacts@1
 displayName: Download Artifacts ${{ platform }}
 inputs:
- artifactName: appx-${{ platform }}-Release
+ # Make sure to download the entire artifact, because it includes the SPDX SBOM
+ artifactName: terminal-${{ platform }}-Release
+ # Downloading to the source directory should ensure that the later SBOM generator can see the earlier SBOMs.
+ downloadPath: '$(Build.SourcesDirectory)/appx-artifacts'
 # Add 3000 to the major version component, but only for the bundle.
 # This is to ensure that it is newer than "2022.xx.yy.zz" or whatever the original bundle versions were before
 # we switched to uniform naming.
@@ -368,7 +376,7 @@ jobs:
 $Components[0] = ([int]$Components[0] + $VersionEpoch)
 $BundleVersion = $Components -Join "."
 New-Item -Type Directory "$(System.ArtifactsDirectory)\bundle"
- .\build\scripts\Create-AppxBundle.ps1 -InputPath "$(System.ArtifactsDirectory)" -ProjectName CascadiaPackage -BundleVersion $BundleVersion -OutputPath "$(System.ArtifactsDirectory)\bundle\$(BundleStemName)_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle"
+ .\build\scripts\Create-AppxBundle.ps1 -InputPath "$(Build.SourcesDirectory)/appx-artifacts" -ProjectName CascadiaPackage -BundleVersion $BundleVersion -OutputPath "$(System.ArtifactsDirectory)\bundle\$(BundleStemName)_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle"
 displayName: Create WindowsTerminal*.msixbundle
 - task: EsrpCodeSigning@1
 displayName: Submit *.msixbundle to ESRP for code signing
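Review bot: The comment above `downloadPath` says the later SBOM generator "should" see the earlier SBOMs, but what actually makes that true is the `BuildComponentPath: '$(Build.SourcesDirectory)/appx-artifacts'` given to the bundle manifest generator in the hunk at `@@ -405,6 +413,20`, and the same directory is also the `-InputPath` of `Create-AppxBundle.ps1` in the next hunk, so the comment should name both consumers to keep the three places from drifting apart, e.g. `# Download into appx-artifacts under the source tree: Create-AppxBundle.ps1 reads it as -InputPath, and the bundle SBOM generator reads it as BuildComponentPath so the per-platform SBOMs become components of the bundle manifest.` Because the drops now land inside the checkout, anything later in this job that enumerates or cleans `$(Build.SourcesDirectory)` will see them; if that is intended, a word here would save the next reader the question. The trailing comment lines belong to a step whose body continues outside the hunk.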
@@ -405,6 +413,20 @@ jobs:
 }
 ]
 
+ - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
+ displayName: 'Generate SBOM manifest (bundle)'
+ inputs:
+ BuildDropPath: '$(System.ArtifactsDirectory)/bundle'
+ BuildComponentPath: '$(Build.SourcesDirectory)/appx-artifacts'
+
+ - task: DropValidatorTask@0
+ displayName: 'Validate bundle SBOM manifest'
+ inputs:
+ BuildDropPath: '$(System.ArtifactsDirectory)/bundle'
+ OutputPath: 'output.json'
+ ValidateSignature: true
+ Verbosity: 'Verbose'
+
 - task: PublishBuildArtifacts@1
 displayName: 'Publish Artifact: appxbundle-signed'
 inputs:
@@ -431,7 +453,7 @@ jobs:
 inputs:
 disableOutputRedirect: true
 - ${{ each platform in parameters.buildPlatforms }}:
- - task: DownloadBuildArtifacts@0
+ - task: DownloadBuildArtifacts@1
 displayName: Download ${{ platform }} ConPTY binaries
 inputs:
 artifactName: conpty-dll-${{ platform }}-$(BuildConfiguration)
@@ -522,7 +544,7 @@ jobs:
 inputs:
 disableOutputRedirect: true
 - ${{ each platform in parameters.buildPlatforms }}:
- - task: DownloadBuildArtifacts@0
+ - task: DownloadBuildArtifacts@1
 displayName: Download ${{ platform }} PublicTerminalCore
 inputs:
 artifactName: wpf-dll-${{ platform }}-$(BuildConfiguration)
@@ -621,12 +643,13 @@ jobs:
 - template: .\templates\restore-nuget-steps.yml
- # Download the appx-PLATFORM-CONFIG-VERSION artifact for every platform/version combo
+ # Download the terminal-PLATFORM-CONFIG-VERSION artifact for every platform/version combo
 - ${{ each platform in parameters.buildPlatforms }}:
- - task: DownloadBuildArtifacts@0
+ - task: DownloadBuildArtifacts@1
 displayName: Download Symbols ${{ platform }}
 inputs:
- artifactName: appx-${{ platform }}-Release
+ artifactName: terminal-${{ platform }}-Release
+ itemPattern: '**/*.appxsym'
 # It seems easier to do this -- download every appxsym -- then enumerate all the PDBs in the build directory for the
 # public symbol push. Otherwise, we would have to list all of the PDB files one by one.
@@ -683,7 +706,7 @@ jobs:
 submodules: true
 - task: PkgESSetupBuild@12
 displayName: Package ES - Setup Build
- - task: DownloadBuildArtifacts@0
+ - task: DownloadBuildArtifacts@1
 displayName: Download Build Artifacts
 inputs:
 artifactName: appxbundle-signed
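Review bot: The rewritten comment still describes a `terminal-PLATFORM-CONFIG-VERSION` artifact, but the `artifactName` a few lines below is `terminal-${{ platform }}-Release`, which carries no version component, and the new `itemPattern: '**/*.appxsym'` means only the symbol files are fetched rather than the whole artifact; `# Download only the .appxsym files from the terminal-PLATFORM-Release artifact for every platform` would match what the step now does. The job this step belongs to starts before the hunk.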