From 174c548c7a399dcb302339428985030bac06a985 Mon Sep 17 00:00:00 2001
From: Andrew Arnott <andrewarnott@gmail.com>
Date: Mon, 9 Mar 2020 10:01:06 -0600
Subject: [PATCH] Code sign in CI builds

---
 azure-pipelines.yml             | 18 ++++++++++++++++++
 azure-pipelines/SignClient.json | 13 +++++++++++++
 azure-pipelines/signfiles.txt   |  4 ++++
 3 files changed, 35 insertions(+)
 create mode 100644 azure-pipelines/SignClient.json
 create mode 100644 azure-pipelines/signfiles.txt

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index d04a2c94..29f5a9bd 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -28,6 +28,8 @@ resources:
 jobs:
 - job: Windows
   pool: Hosted Windows 2019 with VS2019
+  variables:
+  - group: dotnetfoundation code signing
   steps:
   - checkout: self
     clean: true
@@ -118,6 +120,22 @@ jobs:
       TargetFolder: $(Build.ArtifactStagingDirectory)/deployables
       flattenFolders: true
     displayName: Collecting deployable artifacts
+
+  - pwsh: >
+      dotnet tool install --tool-path obj SignClient
+
+      obj/SignClient sign
+      --baseDirectory '$(Build.ArtifactStagingDirectory)/deployables'
+      --input '**/*'
+      --config '$(System.DefaultWorkingDirectory)/azure-pipelines/SignClient.json'
+      --filelist '$(System.DefaultWorkingDirectory)/azure-pipelines/signfiles.txt'
+      --user '$(codesign_username)'
+      --secret '$(codesign_secret)'
+      --name 'Nerdbank.GitVersioning'
+      --descriptionUrl 'https://github.com/dotnet/Nerdbank.GitVersioning'
+    displayName: Code sign
+    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
+
   - task: PublishBuildArtifacts@1
     inputs:
       PathtoPublish: $(Build.ArtifactStagingDirectory)/deployables
diff --git a/azure-pipelines/SignClient.json b/azure-pipelines/SignClient.json
new file mode 100644
index 00000000..e940588c
--- /dev/null
+++ b/azure-pipelines/SignClient.json
@@ -0,0 +1,13 @@
+{
+    "SignClient": {
+      "AzureAd": {
+        "AADInstance": "https://login.microsoftonline.com/",
+        "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
+        "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
+      },
+      "Service": {
+        "Url": "https://codesign.dotnetfoundation.org/",
+        "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
+      }
+    }
+  }
diff --git a/azure-pipelines/signfiles.txt b/azure-pipelines/signfiles.txt
new file mode 100644
index 00000000..687c3f0e
--- /dev/null
+++ b/azure-pipelines/signfiles.txt
@@ -0,0 +1,4 @@
+**/Cake.GitVersioning.dll
+**/Nerdbank*.dll
+**/nbgv.dll
+**/*.ps1