Merge pull request #446 from dotnet/codesign

Code sign in CI builds

azure-pipelines.yml

@@ -28,6 +28,8 @@ resources:
 jobs:
 - job: Windows
   pool: Hosted Windows 2019 with VS2019
+  variables:
+  - group: dotnetfoundation code signing
   steps:
   - checkout: self
     clean: true
@@ -118,6 +120,22 @@ jobs:
       TargetFolder: $(Build.ArtifactStagingDirectory)/deployables
       flattenFolders: true
     displayName: Collecting deployable artifacts
+
+  - pwsh: >
+      dotnet tool install --tool-path obj SignClient
+
+      obj/SignClient sign
+      --baseDirectory '$(Build.ArtifactStagingDirectory)/deployables'
+      --input '**/*'
+      --config '$(System.DefaultWorkingDirectory)/azure-pipelines/SignClient.json'
+      --filelist '$(System.DefaultWorkingDirectory)/azure-pipelines/signfiles.txt'
+      --user '$(codesign_username)'
+      --secret '$(codesign_secret)'
+      --name 'Nerdbank.GitVersioning'
+      --descriptionUrl 'https://github.com/dotnet/Nerdbank.GitVersioning'
+    displayName: Code sign
+    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+
   - task: PublishBuildArtifacts@1
     inputs:
       PathtoPublish: $(Build.ArtifactStagingDirectory)/deployables

azure-pipelines/SignClient.json

@@ -0,0 +1,13 @@
+{
+    "SignClient": {
+      "AzureAd": {
+        "AADInstance": "https://login.microsoftonline.com/",
+        "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
+        "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
+      },
+      "Service": {
+        "Url": "https://codesign.dotnetfoundation.org/",
+        "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
+      }
+    }
+  }

azure-pipelines/signfiles.txt

@@ -0,0 +1,4 @@
+**/Cake.GitVersioning.dll
+**/Nerdbank*.dll
+**/nbgv.dll
+**/*.ps1