.azure-pipelines/windows-release/stage-sign.yml

parameters:
  Include: '*.exe, *.dll, *.pyd, *.cat, *.ps1'
  Exclude: 'vcruntime*, libffi*, libcrypto*, libssl*'

jobs:
- job: Sign_Python
  displayName: Sign Python binaries
  condition: and(succeeded(), variables['SigningCertificate'])

  pool:
    name: 'Windows Release'

  workspace:
    clean: all

  strategy:
    matrix:
      win32:
        Name: win32
      amd64:
        Name: amd64
      arm64:
        Name: arm64

  steps:
  - template: ./checkout.yml
  - template: ./find-sdk.yml

  - powershell: |
      Write-Host "##vso[build.addbuildtag]signed"
    displayName: 'Add build tags'

  - task: DownloadPipelineArtifact@1
    displayName: 'Download artifact: unsigned_bin_$(Name)'
    inputs:
      artifactName: unsigned_bin_$(Name)
      targetPath: $(Build.BinariesDirectory)\bin

  - powershell: |
      copy "$(Build.SourcesDirectory)\Lib\venv\scripts\common\Activate.ps1" .
    displayName: 'Copy files from source'
    workingDirectory: $(Build.BinariesDirectory)\bin

  - powershell: |
      $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
      signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" $files
    displayName: 'Sign binaries'
    workingDirectory: $(Build.BinariesDirectory)\bin

  - powershell: |
      $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
      $failed = $true
      foreach ($retry in 1..10) {
          signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
          if ($?) {
              $failed = $false
              break
          }
          sleep 5
      }
      if ($failed) {
          Write-Host "##vso[task.logissue type=error]Failed to timestamp files"
      }
    displayName: 'Timestamp binaries'
    workingDirectory: $(Build.BinariesDirectory)\bin
    continueOnError: true

  - task: PublishPipelineArtifact@0
    displayName: 'Publish artifact: bin_$(Name)'
    inputs:
      targetPath: '$(Build.BinariesDirectory)\bin'
      artifactName: bin_$(Name)


- job: Dump_CertInfo
  displayName: Capture certificate info
  condition: and(succeeded(), variables['SigningCertificate'])

  pool:
    name: 'Windows Release'

  steps:
  - checkout: none

  - powershell: |
      $m = 'CN=$(SigningCertificate)'
      $c = ((gci Cert:\CurrentUser\My), (gci Cert:\LocalMachine\My)) | %{ $_ } | `
         ?{ $_.Subject -match $m } | `
         select -First 1
      if (-not $c) {
          Write-Host "Failed to find certificate for $(SigningCertificate)"
          exit
      }
      $d = mkdir "$(Build.BinariesDirectory)\tmp" -Force
      $cf = "$d\cert.cer"
      [IO.File]::WriteAllBytes($cf, $c.Export("Cer"))
      $csha = (certutil -dump $cf | sls "Cert Hash\(sha256\): (.+)").Matches.Groups[1].Value

      $info = @{ Subject=$c.Subject; SHA256=$csha; }

      $d = mkdir "$(Build.BinariesDirectory)\cert" -Force
      $info | ConvertTo-JSON -Compress | Out-File -Encoding utf8 "$d\certinfo.json"
    displayName: "Extract certificate info"

  - task: PublishPipelineArtifact@0
    displayName: 'Publish artifact: cert'
    inputs:
      targetPath: '$(Build.BinariesDirectory)\cert'
      artifactName: cert


- job: Mark_Unsigned
  displayName: Tag unsigned build
  condition: and(succeeded(), not(variables['SigningCertificate']))

  pool:
    vmImage: windows-2019

  steps:
  - checkout: none

  - powershell: |
      Write-Host "##vso[build.addbuildtag]unsigned"
    displayName: 'Add build tag'