author | Steve Dower <steve.dower@python.org> | 2020-11-03 22:31:49 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-03 22:31:49 +0000 |
commit | db6434c474f7389a98b8118ca87fca988416bf33 (patch) | |
tree | 5842bda4239a513998f9184abd3e1035110ba54c /.azure-pipelines | |
parent | Fix incorrect links in ast docs (GH-23017) (diff) | |
Enable signing of nuget.org packages and update to supported timestamp server (GH-23132)
Diffstat (limited to '.azure-pipelines')
-rw-r--r-- | .azure-pipelines/windows-release/stage-pack-msix.yml | 3 | ||||
-rw-r--r-- | .azure-pipelines/windows-release/stage-pack-nuget.yml | 10 | ||||
-rw-r--r-- | .azure-pipelines/windows-release/stage-sign.yml | 2 |
3 files changed, 12 insertions, 3 deletions
diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml
index 26a5712e845..f967cfdbe32 100644
--- a/.azure-pipelines/windows-release/stage-pack-msix.yml
+++ b/.azure-pipelines/windows-release/stage-pack-msix.yml
@@ -120,10 +120,11 @@ jobs:
 artifactName: unsigned_msix
 downloadPath: $(Build.BinariesDirectory)
+ # MSIX must be signed and timestamped simultaneously
 - powershell: |
 $failed = $true
 foreach ($retry in 1..3) {
- signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix)
+ signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix)
 if ($?) {
 $failed = $false
 break
diff --git a/.azure-pipelines/windows-release/stage-pack-nuget.yml b/.azure-pipelines/windows-release/stage-pack-nuget.yml
index b100364820d..8dfea382c35 100644
--- a/.azure-pipelines/windows-release/stage-pack-nuget.yml
+++ b/.azure-pipelines/windows-release/stage-pack-nuget.yml
@@ -4,7 +4,7 @@ jobs:
 condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
 pool:
- vmImage: windows-2019
+ name: 'Windows Release'
 workspace:
 clean: all
@@ -36,6 +36,14 @@ jobs:
 nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
 displayName: 'Create nuget package'
+ - powershell: |
+ gci *.nupkg | %{
+ nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
+ }
+ displayName: 'Sign nuget package'
+ workingDirectory: $(Build.ArtifactStagingDirectory)
+ condition: and(succeeded(), variables['SigningCertificate'])
+
 - task: PublishBuildArtifacts@1
 displayName: 'Publish Artifact: nuget'
 inputs:
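Review bot: The timestamp server URL `http://timestamp.digicert.com/` is now a literal in three places: the `signtool sign` line here, the `nuget sign` step in stage-pack-nuget.yml and the `signtool timestamp` line in stage-sign.yml. That is the same duplication this commit had to edit file by file to move to a supported server. Defining the URL once as a pipeline variable and referencing it from all three steps would make the next change a single edit; no such variable is visible on this page, so its name is left to the maintainers. The retry loop around this line starts and ends outside the hunk.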
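Review bot: The move from the hosted `vmImage: windows-2019` to the named pool `'Windows Release'` in stage-pack-nuget.yml carries no comment explaining it. Presumably the named pool is where the signing certificate is available, since this commit adds a signing step to the same job. If so, a line such as `# Runs on the release pool because the signing certificate is only available there` above `name:` would record the reason. It also means `nuget pack` and every earlier step of this job now run on that agent, so it is worth confirming the job consumes nothing beyond the artifacts it needs.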
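Review bot: The new 'Sign nuget package' step never checks the result of `nuget sign` per package. Inside `gci *.nupkg | %{ ... }` a failed call is simply followed by the next iteration, so as far as I can tell only the last call's exit code can fail the step, and an earlier package could reach 'Publish Artifact: nuget' unsigned. The `signtool` steps in the other two files test `$?` after the call; this step should do the same and throw, and ideally confirm the result with `nuget verify -Signatures` before publishing. Separately, when `SigningCertificate` is unset the step is skipped and the unsigned package is published under the same artifact name, which deserves a comment if it is intended.

```yaml
- powershell: |
    gci *.nupkg | %{
      nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
      if (-not $?) { throw "Failed to sign $_" }
      nuget verify -Signatures "$_"
      if (-not $?) { throw "Signature verification failed for $_" }
    }
  # … unchanged: displayName, workingDirectory, condition …
```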
diff --git a/.azure-pipelines/windows-release/stage-sign.yml b/.azure-pipelines/windows-release/stage-sign.yml
index 584772af8b4..c21e1c9f2b0 100644
--- a/.azure-pipelines/windows-release/stage-sign.yml
+++ b/.azure-pipelines/windows-release/stage-sign.yml
@@ -57,7 +57,7 @@ jobs:
 $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
 $failed = $true
 foreach ($retry in 1..10) {
- signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
+ signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
 if ($?) {
 $failed = $false
 break |
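Review bot: The change from `/t` to `/tr ... /td sha256` on the `signtool timestamp` line has no comment, and the flag order matters because `/td` has to come after `/tr` for the requested digest to take effect. A short comment above the line, e.g. `# RFC 3161 timestamp with a SHA-256 digest; /td must follow /tr`, would keep a later edit from reordering or dropping the digest flag. The same comment fits the `signtool sign` line in stage-pack-msix.yml. The retry loop continues outside the hunk.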