DRI | Fix AKV Official Build; Sign Less DLLs

eng/pipelines/common/templates/steps/esrp-code-signing-step.yml

@@ -52,7 +52,7 @@ steps:
       EsrpClientId: '${{parameters.EsrpClientId }}'
       UseMSIAuthentication: true
       FolderPath: '${{parameters.sourceRoot }}'
-      Pattern: '*.dll'
+      Pattern: 'Microsoft.Data.SqlClient*.dll'
       CleanupTempStorage: 1
       VerboseLogin: 1
   - task: EsrpCodeSigning@5
@@ -66,7 +66,7 @@ steps:
       AuthAKVName: '${{parameters.AuthAKVName }}'
       AuthSignCertName: '${{parameters.AuthSignCertName }}'
       FolderPath: '${{parameters.sourceRoot }}'
-      Pattern: '*.dll'
+      Pattern: 'Microsoft.Data.SqlClient*.dll'
       signConfigType: inlineSignParams
       inlineOperation: |
           [ 

eng/pipelines/jobs/build-akv-official-job.yml

@@ -109,15 +109,15 @@ jobs:
                 buildConfiguration: '${{ parameters.buildConfiguration }}'
                 mdsPackageVersion: '${{ parameters.mdsPackageVersion }}'
 
-          - template: ../steps/compound-esrp-code-signing-step.yml@self
+          - template: /eng/pipelines/steps/compound-esrp-dll-signing-step.yml@self
             parameters:
                 appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
                 appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
-                artifactType: 'dll'
                 authAkvName: '${{ parameters.signingAuthAkvName }}'
                 authSignCertName: '${{ parameters.signingAuthSignCertName }}'
                 esrpClientId: '${{ parameters.signingEsrpClientId }}'
                 esrpConnectedServiceName: '${{ parameters.signingEsrpConnectedServiceName }}'
+                pattern: 'Microsoft.Data.SqlClient.AlwaysEncrypted.*.dll'
 
           - template: ../steps/compound-nuget-pack-step.yml@self
             parameters:
@@ -128,11 +128,10 @@ jobs:
                 outputDirectory: '$(ARTIFACT_PATH)'
                 referenceType: 'Package'
 
-          - template: ../steps/compound-esrp-code-signing-step.yml@self
+          - template: /eng/pipelines/steps/compound-esrp-nuget-signing-step.yml@self
             parameters:
                 appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
                 appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
-                artifactType: 'pkg'
                 authAkvName: '${{ parameters.signingAuthAkvName }}'
                 authSignCertName: '${{ parameters.signingAuthSignCertName }}'
                 esrpClientId: '${{ parameters.signingEsrpClientId }}'

eng/pipelines/steps/compound-esrp-dll-signing-step.yml

@@ -0,0 +1,98 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+parameters:
+  - name: appRegistrationClientId
+    type: string
+
+  - name: appRegistrationTenantId
+    type: string
+
+  - # Name of the Azure Key Vault to retrieve certificates from.
+    # note: This has nothing to do with the AKV provider package.
+    name: authAkvName
+    type: string
+
+  - name: authSignCertName
+    type: string
+
+  - name: esrpConnectedServiceName
+    type: string
+
+  - name: esrpClientId
+    type: string
+
+  - # Globbing pattern for the files to sign. All files in $(BUILD_OUTPUT) and all subdirectories
+    # that match this pattern will be scanned and signed. This should end with ".dll". 
+    name: pattern
+    type: string
+
+steps:
+  - task: EsrpMalwareScanning@5
+    displayName: 'ESRP DLL Malware Scanning'
+    inputs:
+      AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
+      AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+      CleanupTempStorage: 1
+      ConnectedServiceName: '${{ parameters.esrpConnectedServiceName }}'
+      EsrpClientId: '${{ parameters.esrpClientId }}'
+      FolderPath: '$(BUILD_OUTPUT)'
+      Pattern: '${{ parameters.pattern }}'
+      UseMSIAuthentication: true
+      VerboseLogin: 1
+
+  - task: EsrpCodeSigning@5
+    displayName: 'ESRP DLL Signing'
+    inputs:
+      AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
+      AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+      AuthAKVName: '${{ parameters.authAkvName }}'
+      AuthSignCertName: '${{ parameters.authSignCertName }}'
+      ConnectedServiceName: '${{ parameters.esrpConnectedServiceName }}'
+      EsrpClientId: '${{ parameters.esrpClientId }}'
+      FolderPath: '$(BUILD_OUTPUT)'
+      Pattern: '${{ parameters.pattern }}'
+      signConfigType: 'inlineSignParams'
+      UseMSIAuthentication: true
+      inlineOperation: |
+        [ 
+            {
+                "keyCode": "CP-230012",
+                "operationSetCode": "SigntoolSign",
+                "parameters": 
+                    [
+                        {
+                            "parameterName": "OpusName",
+                            "parameterValue": "Microsoft Data SqlClient Data Provider for SQL Server"
+                        },
+                        {
+                            "parameterName": "OpusInfo",
+                            "parameterValue": "http://www.microsoft.com"
+                        },
+                        {
+                            "parameterName": "FileDigest",
+                            "parameterValue": "/fd \"SHA256\""
+                        },
+                        {
+                            "parameterName": "PageHash",
+                            "parameterValue": "/NPH"
+                        },
+                        {
+                            "parameterName": "TimeStamp",
+                            "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                        }
+                    ],
+                "toolName": "sign",
+                "toolVersion": "1.0"
+            },
+            {
+                "keyCode": "CP-230012",
+                "operationSetCode": "SigntoolVerify",
+                "parameters": [ ],
+                "toolName": "sign",
+                "toolVersion": "1.0"
+            }
+        ]

eng/pipelines/steps/compound-esrp-nuget-signing-step.yml

@@ -0,0 +1,71 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+parameters:
+  - name: appRegistrationClientId
+    type: string
+
+  - name: appRegistrationTenantId
+    type: string
+
+  - # Name of the Azure Key Vault to retrieve certificates from.
+    # note: This has nothing to do with the AKV provider package.
+    name: authAkvName
+    type: string
+
+  - name: authSignCertName
+    type: string
+
+  - name: esrpConnectedServiceName
+    type: string
+
+  - name: esrpClientId
+    type: string
+
+steps:
+  - task: EsrpMalwareScanning@5
+    displayName: 'ESRP Nuget Malware Scanning'
+    inputs:
+      AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
+      AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+      CleanupTempStorage: 1
+      ConnectedServiceName: '${{ parameters.esrpConnectedServiceName }}'
+      EsrpClientId: '${{ parameters.esrpClientId }}'
+      FolderPath: '$(ARTIFACT_PATH)'
+      Pattern: '*.*nupkg'
+      UseMSIAuthentication: true
+      VerboseLogin: 1
+
+  - task: EsrpCodeSigning@5
+    displayName: 'ESRP Signing NuGet Package'
+    inputs:
+      AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
+      AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+      ConnectedServiceName: '${{ parameters.esrpConnectedServiceName }}'
+      EsrpClientId: '${{ parameters.esrpClientId }}'
+      AuthAKVName: '${{ parameters.authAkvName }}'
+      AuthSignCertName: '${{ parameters.authSignCertName }}'
+      FolderPath: '$(ARTIFACT_PATH)'
+      Pattern: '*.*nupkg'
+      signConfigType: 'inlineSignParams'
+      UseMSIAuthentication: true
+      inlineOperation: |
+        [ 
+            { 
+                "keyCode": "CP-401405", 
+                "operationSetCode": "NuGetSign", 
+                "parameters": [ ], 
+                "toolName": "sign", 
+                "toolVersion": "1.0" 
+            },
+            { 
+                "keyCode": "CP-401405", 
+                "operationSetCode": "NuGetVerify", 
+                "parameters": [ ], 
+                "toolName": "sign", 
+                "toolVersion": "1.0" 
+            } 
+        ]

eng/pipelines/variables/akv-official-variables.yml

@@ -22,17 +22,17 @@ variables:
 
     # Base Variables -------------------------------------------------------
     - name: mdsPackageVersion
-      value: '6.1.1'
+      value: '7.0.0-preview3.25342.7'
 
     # @TODO: Version should ideally be pulled from one location (versions.props?)
     - name: versionMajor
-      value: '6'
+      value: '7'
     - name: versionMinor
-      value: '1'
+      value: '0'
     - name: versionPatch
-      value: '1'
+      value: '0'
     - name: versionPreview
-      value: '-preview1'
+      value: '-preview3'
 
     # Compound Variables ---------------------------------------------------
     - name: assemblyFileVersion