diff --git a/.pipelines/typescript-build-and-publish.yaml b/.pipelines/typescript-build-and-publish.yaml
index 556aec5b..058abc53 100644
--- a/.pipelines/typescript-build-and-publish.yaml
+++ b/.pipelines/typescript-build-and-publish.yaml
@@ -15,22 +15,40 @@ pr: none
 variables:
   Codeql.Enabled: true
+  # ESRP Code Signing
+  # ESRP Registration: https://portal.esrp.microsoft.com/Onboarding/AccountDetails?clientId=142047f4-eda8-4853-8776-c2e81803ea13
+  # Service connection in devdiv Azure DevOps: Devtunnels-esrp-ame-msi (https://devdiv.visualstudio.com/OnlineServices/_settings/adminservices?resourceId=702454c9-77bd-4750-820e-5ce2e483f9f5)
+  # Managed identity that this service connection has federated access to: tunnels-ppe-esrp-id (client id 01ee3ff5-3b24-4b62-996e-6217f7cf3487) in AME tenant (33e01921-4d64-4f8c-a055-5bdaffd5e33d).
+  # Signing certificate: esrp-sign in tunnels-ppe-esrp-kv
+  # ESRP used to use a cert to authenticate as app in Microsoft tenant, but now it uses a managed identity in AME tenant.
+  # The migration was done following these TSGs:
+  # https://eng.ms/docs/microsoft-security/identity/trust-and-security-services/tss-high-security-environments/tss-esrp-fabric-and-platform-services/esrp-documentation/tsgs/sfi/tsg501-eliminate-access-to-codesigning-from-corp-tenants
+  # https://eng.ms/docs/microsoft-security/identity/trust-and-security-services/tss-high-security-environments/tss-esrp-fabric-and-platform-services/esrp-documentation/tsgs/sfi/tsg506-integrating-esrp-release-ado-extension
+
+  EsrpConnectedServiceName: 'Devtunnels-esrp-ame-msi' # Service connection with ESRP MSI based authentication
+  EsrpAppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' # Managed identity tenant id for ESRP
+  EsrpAppRegistrationClientId: '01ee3ff5-3b24-4b62-996e-6217f7cf3487' # Managed identity client id for ESRP
+  EsrpClientId: '142047f4-eda8-4853-8776-c2e81803ea13' # ESRP Client Id, the Old App Registration Id to which we mapped our Managed Identity Id to
+  EsrpAuthAKVName: 'tunnels-ppe-esrp-kv' # Key Vault name where the signing certificate is stored
+  EsrpAuthSignCertName: 'esrp-sign' # Code signing certificate name in the Key Vault
+
 steps:
 - template: typescript-build-steps.yaml
-- task: EsrpRelease@7
+- task: EsrpRelease@9
   inputs:
-    connectedservicename: 'Devtunnels-esrp-cert-based'
-    keyvaultname: 'tunnels-dev-kv'
-    authcertname: 'esrp-cert'
-    signcertname: 'esrp-sign'
-    clientid: '142047f4-eda8-4853-8776-c2e81803ea13'
-    intent: 'PackageDistribution'
-    contenttype: 'npm'
-    folderlocation: '$(System.DefaultWorkingDirectory)/ts/out/pkg'
-    waitforreleasecompletion: true
-    owners: 'jfullerton@microsoft.com'
-    approvers: 'jasongin@microsoft.com, debekoe@microsoft.com, ilbiryuk@microsoft.com'
-    serviceendpointurl: 'https://api.esrp.microsoft.com'
-    mainpublisher: 'ESRPRELPACMAN'
-    domaintenantid: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+    ConnectedServiceName: '$(EsrpConnectedServiceName)'
+    UseManagedIdentity: true
+    AppRegistrationTenantId: '$(EsrpAppRegistrationTenantId)'
+    AppRegistrationClientId: '$(EsrpAppRegistrationClientId)'
+    DomainTenantId: '$(EsrpAppRegistrationTenantId)'
+    KeyVaultName: '$(EsrpAuthAKVName)'
+    SignCertName: '$(EsrpAuthSignCertName)'
+    ClientId: '$(EsrpClientId)'
+    Intent: 'PackageDistribution'
+    ContentType: 'npm'
+    FolderLocation: '$(System.DefaultWorkingDirectory)/ts/out/pkg'
+    WaitForReleaseCompletion: true
+    Owners: 'plequere@microsoft.com'
+    Approvers: 'jasongin@microsoft.com, jroberts@microsoft.com, nkotchar@microsoft.com'
+    MainPublisher: 'ESRPRELPACMAN'
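Review bot: `DomainTenantId` is now set to the AME managed-identity tenant (`$(EsrpAppRegistrationTenantId)`), while `Owners` and `Approvers` are still `@microsoft.com` accounts and the removed `domaintenantid` pointed at the corp tenant `72f988bf-86f1-41af-91ab-2d7cd011db47`; if this input identifies the tenant in which owner/approver identities are resolved rather than the authentication tenant, release approval will fail or resolve against the wrong directory, so please confirm against the EsrpRelease@9 input docs and, if so, keep a separate variable for it (e.g. `EsrpDomainTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'` with `DomainTenantId: '$(EsrpDomainTenantId)'`). The new comment block also hard-codes the same client id, tenant id, key vault and certificate names that the variables directly below carry, which will drift on the next rotation; consider trimming the comment to the ESRP registration and TSG links and pointing readers at the variables as the single source of truth. The key vault and identity names carry a `ppe` suffix inside what appears to be the publish pipeline — if this is intended for production publishing, a one-line comment stating that the PPE-named resources are the production signing resources would save the next reviewer the same question. The task mapping ends at the hunk edge, so any inputs after `MainPublisher` are not visible here.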