PowerShell · adityapatwardhan · Mar 14, 2023 · Feb 13, 2023 · Feb 13, 2023 · Feb 16, 2023
@@ -51,6 +51,7 @@ variables:
     value: spdx:2.2
   - name: BUILDSECMON_OPT_IN
     value: true
+  - group: PoolNames
 
 stages:
   - stage: prep
@@ -68,30 +69,6 @@ stages:
         parameters:
           buildArchitecture: arm64
 
-      - template: templates/mac-file-signing.yml
-        parameters:
-          buildArchitecture: x64
-
-      - template: templates/mac-file-signing.yml
-        parameters:
-          buildArchitecture: arm64
-
-      - template: templates/mac-package-build.yml
-        parameters:
-          buildArchitecture: x64
-
-      - template: templates/mac-package-build.yml
-        parameters:
-          buildArchitecture: arm64
-
-      - template: templates/mac-package-signing.yml
-        parameters:
-          buildArchitecture: x64
-
-      - template: templates/mac-package-signing.yml
-        parameters:
-          buildArchitecture: arm64
-
   - stage: linux
     dependsOn: ['prep']
     jobs:
@@ -113,29 +90,6 @@ stages:
         parameters:
           buildName: alpine
 
-      - template: templates/linux-authenticode-sign.yml
-
-      - template: templates/linux-packaging.yml
-        parameters:
-          buildName: deb
-          parentJob: sign_linux_builds
-
-      - template: templates/linux-packaging.yml
-        parameters:
-          buildName: rpm
-          uploadDisplayName: Upload and Sign
-          parentJob: sign_linux_builds
-
-      - template: templates/linux-packaging.yml
-        parameters:
-          buildName: alpine
-          parentJob: sign_linux_builds
-
-      - template: templates/linux-packaging.yml
-        parameters:
-          buildName: fxdependent
-          parentJob: sign_linux_builds
-
   - stage: windows
     dependsOn: ['prep']
     jobs:
@@ -168,74 +122,229 @@ stages:
         parameters:
           Architecture: fxdependentWinDesktop
 
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: x64
-          parentJob: build_windows_x64_release
-
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: x64
-          BuildConfiguration: minSize
-          parentJob: build_windows_x64_minSize
-
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: x86
-          parentJob: build_windows_x86_release
-
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: arm
-          parentJob: build_windows_arm_release
-
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: arm64
-          parentJob: build_windows_arm64_release
-
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: fxdependent
-          parentJob: build_windows_fxdependent_release
+  - stage: SignFiles
+    displayName: Sign files
+    dependsOn: ['windows', 'linux', 'macos']
+    jobs:
+    - template: templates/mac-file-signing.yml
+      parameters:
+        buildArchitecture: x64
+
+    - template: templates/mac-file-signing.yml
+      parameters:
+        buildArchitecture: arm64
+
+    - job: SignFilesWinLinux
+      pool:
+        name: $(windowsPool)
+        demands:
+        - ImageOverride -equals PSMMS2019-Secure
+      displayName: Sign files
+
+      variables:
+      - group: ESRP
+      - name: runCodesignValidationInjection
+        value: false
+      - name: NugetSecurityAnalysisWarningLevel
+        value: none
+      - name: repoFolder
+        value: PowerShell
+      - name: repoRoot
+        value: $(Agent.BuildDirectory)\$(repoFolder)
+      - name: complianceRepoFolder
+        value: compliance
+
+      strategy:
+        matrix:
+          linux-x64:
+            runtime: linux-x64
+            unsignedBuildArtifactContainer: pwshLinuxBuild.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuild.tar.gz
+            signedBuildArtifactName: pwshLinuxBuild.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-x64-Alpine:
+            runtime: linux-x64-Alpine
+            unsignedBuildArtifactContainer: pwshLinuxBuildAlpine.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuild.tar.gz
+            signedBuildArtifactName: pwshLinuxBuildAlpine.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-arm32:
+            runtime: linux-arm32
+            unsignedBuildArtifactContainer: pwshLinuxBuildArm32.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuildArm32.tar.gz
+            signedBuildArtifactName: pwshLinuxBuildArm32.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-arm64:
+            runtime: linux-arm64
+            unsignedBuildArtifactContainer: pwshLinuxBuildArm64.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuildArm64.tar.gz
+            signedBuildArtifactName: pwshLinuxBuildArm64.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-fxd:
+            runtime: linux-fxd
+            unsignedBuildArtifactContainer: pwshLinuxBuildFxdependent.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuild.tar.gz
+            signedBuildArtifactName: pwshLinuxBuildFxdependent.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-mariner:
+            runtime: linux-mariner
+            unsignedBuildArtifactContainer: pwshMarinerBuildAmd64.tar.gz
+            unsignedBuildArtifactName: pwshMarinerBuildAmd64.tar.gz
+            signedBuildArtifactName: pwshMarinerBuildAmd64.tar.gz
+            signedArtifactContainer: authenticode-signed
+          linux-minsize:
+            runtime: linux-minsize
+            unsignedBuildArtifactContainer: pwshLinuxBuildMinSize.tar.gz
+            unsignedBuildArtifactName: pwshLinuxBuildMinSize.tar.gz
+            signedBuildArtifactName: pwshLinuxBuildMinSize.tar.gz
+            signedArtifactContainer: authenticode-signed
+          win-x64:
+            runtime: win-x64
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-x64.zip'
+            signedBuildArtifactName: '-symbols-win-x64-signed.zip'
+            signedArtifactContainer: results
+          win-x86:
+            runtime: win-x86
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-x86.zip'
+            signedBuildArtifactName: '-symbols-win-x86-signed.zip'
+            signedArtifactContainer: results
+          win-arm32:
+            runtime: win-arm32
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-arm32.zip'
+            signedBuildArtifactName: '-symbols-win-arm32-signed.zip'
+            signedArtifactContainer: results
+          win-arm64:
+            runtime: win-arm64
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-arm64.zip'
+            signedBuildArtifactName: '-symbols-win-arm64-signed.zip'
+            signedArtifactContainer: results
+          win-x64-gc:
+            runtime: win-x64-gc
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-x64-gc.zip'
+            signedBuildArtifactName: '-symbols-win-x64-gc-signed.zip'
+            signedArtifactContainer: results
+          win-fxdependent:
+            runtime: win-fxdependent
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-fxdependent.zip'
+            signedBuildArtifactName: '-symbols-win-fxdependent-signed.zip'
+            signedArtifactContainer: results
+          win-fxdependentWinDesktop:
+            runtime: win-fxdependentWinDesktop
+            unsignedBuildArtifactContainer: results
+            unsignedBuildArtifactName: '**/*-symbols-win-fxdependentWinDesktop.zip'
+            signedBuildArtifactName: '-symbols-win-fxdependentWinDesktop-signed.zip'
+            signedArtifactContainer: results
+      steps:
+      - template: templates/sign-build-file.yml
+
+  - stage: mac_packaging
+    displayName: macOS packaging
+    dependsOn: ['SignFiles']
+    jobs:
+    - template: templates/mac-package-build.yml
+      parameters:
+        buildArchitecture: x64
 
-      - template: templates/windows-packaging.yml
-        parameters:
-          Architecture: fxdependentWinDesktop
-          parentJob: build_windows_fxdependentWinDesktop_release
+    - template: templates/mac-package-build.yml
+      parameters:
+        buildArchitecture: arm64
 
-      - template: templates/windows-package-signing.yml
-        parameters:
-          parentJobs:
-            - sign_windows_x64_release
-            - sign_windows_x64_minSize
-            - sign_windows_x86_release
-            - sign_windows_arm_release
-            - sign_windows_arm64_release
-            - sign_windows_fxdependent_release
-            - sign_windows_fxdependentWinDesktop_release
+  - stage: linux_packaging
+    displayName: Linux Packaging
+    dependsOn: ['SignFiles']
+    jobs:
+    - template: templates/linux-packaging.yml
+      parameters:
+        buildName: deb
+
+    - template: templates/linux-packaging.yml
+      parameters:
+        buildName: rpm
+        uploadDisplayName: Upload and Sign
+
+    - template: templates/linux-packaging.yml
+      parameters:
+        buildName: alpine
+
+    - template: templates/linux-packaging.yml
+      parameters:
+        buildName: fxdependent
+
+  - stage: win_packaging
+    displayName: Windows Packaging
+    dependsOn: ['SignFiles']
+    jobs:
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: x64
+        parentJob: build_windows_x64_release
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: x64
+        BuildConfiguration: minSize
+        parentJob: build_windows_x64_minSize
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: x86
+        parentJob: build_windows_x86_release
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: arm
+        parentJob: build_windows_arm_release
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: arm64
+        parentJob: build_windows_arm64_release
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: fxdependent
+        parentJob: build_windows_fxdependent_release
+
+    - template: templates/windows-packaging.yml
+      parameters:
+        Architecture: fxdependentWinDesktop
+        parentJob: build_windows_fxdependentWinDesktop_release
+
+  - stage: package_signing
+    displayName: Package Signing
+    dependsOn: ['mac_packaging', 'linux_packaging', 'win_packaging']
+    jobs:
+    - template: templates/windows-package-signing.yml
 
+  # This is done late so that we dont use resources before the big signing and packaging tasks.
   - stage: compliance
-    dependsOn: ['windows']
+    dependsOn: ['package_signing']
     jobs:
       - template: templates/compliance.yml
 
   - stage: nuget_and_json
-    dependsOn: ['windows','linux','macOS']
+    displayName: NuGet Packaging and Build Json
+    dependsOn: [package_signing]
     jobs:
       - template: templates/nuget.yml
-
       - template: templates/json.yml
 
   - stage: test_and_release_artifacts
+    displayName: Test and Release Artifacts
     dependsOn: ['prep']
     jobs:
       - template: templates/testartifacts.yml
 
       - job: release_json
         displayName: Create and Upload release.json
         pool:
-          name: PowerShell1ES
+          name: $(windowsPool)
           demands:
           - ImageOverride -equals PSMMS2019-Secure
         steps:

@@ -17,7 +17,7 @@ jobs:
   dependsOn:
     ${{ parameters.parentJobs }}
   pool:
-    name: PowerShell1ES
+    name: $(windowsPool)
     demands:
     - ImageOverride -equals PSMMS2019-Secure
 

@@ -13,7 +13,7 @@ jobs:
     ${{ parameters.parentJobs }}
   condition: succeeded()
   pool:
-    name: PowerShell1ES
+    name: $(windowsPool)
     demands:
     - ImageOverride -equals PSMMS2019-Secure
 

@@ -1,7 +1,6 @@
 parameters:
   buildName: ''
   uploadDisplayName: 'Upload'
-  parentJob: ''
 
 jobs:
 - job: pkg_${{ parameters.buildName }}
@@ -11,7 +10,6 @@ jobs:
     name: PowerShell1ES
     demands:
     - ImageOverride -equals PSMMSUbuntu20.04-Secure
-  dependsOn: sign_linux_builds
   variables:
     - name: runCodesignValidationInjection
       value: false

@@ -4,7 +4,6 @@ parameters:
 jobs:
   - job: MacFileSigningJob_${{ parameters.buildArchitecture }}
     displayName: macOS File signing ${{ parameters.buildArchitecture }}
-    dependsOn: build_macOS_${{ parameters.buildArchitecture }
ACE5
}
     condition: succeeded()
     pool:
       name: PowerShell1ES

@@ -5,7 +5,6 @@ parameters:
 jobs:
 - job: package_macOS_${{ parameters.buildArchitecture }}
   displayName: Package macOS ${{ parameters.buildArchitecture }}
-  dependsOn: MacFileSigningJob_${{ parameters.buildArchitecture }}
   condition: succeeded()
   pool:
     vmImage: macos-latest