
Commit c7f2b4c

committed
test codesign hardened
1 parent 8c21088 commit c7f2b4c

4 files changed

Lines changed: 174 additions & 119 deletions


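--- /dev/null
+++ b/build/azure-pipelines/darwin/codesign-darwin.yml
@@ -0,0 +1,23 @@
+steps:
+- task: AzureKeyVault@1
+displayName: 'Azure Key Vault: Get Secrets'
+inputs:
+azureSubscription: 'vscode-builds-subscription'
+KeyVaultName: vscode
+
+- script: |
+cat << EOF > $(agent.tempdirectory)/cert.p12
+$(macos-developer-certificate)
+EOF
+security import $(agent.tempdirectory)/cert.p12 -P "$(macos-developer-certificate-key)"
+curl -o $(agent.tempdirectory)/VSCode-darwin.zip https://vscode.blob.core.windows.net/public/VSCode-darwin.zip
+unzip $(agent.tempdirectory)/VSCode-darwin.zip -d $(agent.tempdirectory)
+codesign -s 99FM488X57 --deep --force --options runtime --entitlements build/azure-pipelines/darwin/entitlements.plist $(agent.tempdirectory)/Visual\ Studio\ Code\ -\ Insiders.app
+zip -r -X -y $(agent.stagingdirectory)/VSCode-darwin.zip $(agent.tempdirectory)/Visual\ Studio\ Code\ -\ Insiders.app
+
+- task: PublishPipelineArtifact@0
+displayName: 'Publish Pipeline Artifact'
+inputs:
+artifactName: darwin-hardened
+targetPath: $(agent.stagingdirectory)/VSCode-darwin.zip
+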
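Review bot: The signing certificate and its password are spliced into the script with `$(macos-developer-certificate)` and `$(macos-developer-certificate-key)` macro expansion, so both land in the script text the agent generates rather than staying in secret variables; mapping them through the step's `env:` block (for example `CERT_PASSWORD: $(macos-developer-certificate-key)`, then `-P "$CERT_PASSWORD"`) avoids that. `cert.p12` is left in `$(agent.tempdirectory)` and `security import` is given no `-k`, so the identity goes into the default keychain; importing into a throwaway keychain and adding `rm -f $(agent.tempdirectory)/cert.p12` right after the import would limit the key's lifetime to this step. The script has no `set -e`, so a failed `curl` or `unzip` does not stop `codesign`, and the archive fetched from the public blob URL is signed without any integrity check, which means whatever that URL serves at build time receives the signature. If the Key Vault secret is stored as a base64 export, the heredoc would also write text rather than a valid PKCS#12 file; the page does not show how the secret is stored, so that needs confirming.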
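--- /dev/null
+++ b/build/azure-pipelines/darwin/entitlements.plist
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.device.camera</key>
+<true/>
+<key>com.apple.security.device.audio-input</key>
+<true/>
+<key>com.apple.security.personal-information.location</key>
+<true/>
+<key>com.apple.security.automation.apple-events</key>
+<true/>
+<key>com.apple.security.cs.allow-jit</key>
+<true/>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+<key>com.apple.security.cs.disable-library-validation</key>
+<true/>
+<key>com.apple.security.cs.disable-executable-page-protection</key>
+<true/>
+</dict>
+</plist>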
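Review bot: All four hardened-runtime exceptions are switched on together, and `com.apple.security.cs.disable-executable-page-protection` is the broadest of them; Apple's documentation describes it as removing a fundamental protection and advises preferring the narrower entitlements, so enabling it gives up much of what `--options runtime` is meant to enforce. Because the signing step on this page uses `--deep`, the same entitlements are presumably applied to every nested helper and framework as well, not only the main executable. I would start from `com.apple.security.cs.allow-jit` alone, add further keys only when a launch failure shows they are needed, and record the reason beside each one with an XML comment such as `<!-- required by <component>: <reason> -->`. The camera, audio-input, location and apple-events keys deserve the same per-key justification.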

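--- a/build/azure-pipelines/product-build.yml
+++ b/build/azure-pipelines/product-build.yml
@@ -7,140 +7,150 @@ resources:
 image: snapcore/snapcraft:stable
 
 jobs:
-- job: Compile
-pool:
-vmImage: 'Ubuntu-16.04'
-container: vscode-x64
-steps:
-- template: product-compile.yml
+# - job: Compile
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# container: vscode-x64
+# steps:
+# - template: product-compile.yml
 
-- job: Windows
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32'], 'true'))
-pool:
-vmImage: VS2017-Win2016
-variables:
-VSCODE_ARCH: x64
-dependsOn:
-- Compile
-steps:
-- template: win32/product-build-win32.yml
+# - job: Windows
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32'], 'true'))
+# pool:
+# vmImage: VS2017-Win2016
+# variables:
+# VSCODE_ARCH: x64
+# dependsOn:
+# - Compile
+# steps:
+# - template: win32/product-build-win32.yml
 
-- job: Windows32
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32_32BIT'], 'true'))
-pool:
-vmImage: VS2017-Win2016
-variables:
-VSCODE_ARCH: ia32
-dependsOn:
-- Compile
-steps:
-- template: win32/product-build-win32.yml
+# - job: Windows32
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32_32BIT'], 'true'))
+# pool:
+# vmImage: VS2017-Win2016
+# variables:
+# VSCODE_ARCH: ia32
+# dependsOn:
+# - Compile
+# steps:
+# - template: win32/product-build-win32.yml
 
-- job: Linux
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-container: vscode-x64
-dependsOn:
-- Compile
-steps:
-- template: linux/product-build-linux.yml
+# - job: Linux
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# container: vscode-x64
+# dependsOn:
+# - Compile
+# steps:
+# - template: linux/product-build-linux.yml
 
-- job: LinuxSnap
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-container: snapcraft
-dependsOn: Linux
-steps:
-- template: linux/snap-build-linux.yml
+# - job: LinuxSnap
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# container: snapcraft
+# dependsOn: Linux
+# steps:
+# - template: linux/snap-build-linux.yml
 
-- job: LinuxArmhf
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARMHF'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-variables:
-VSCODE_ARCH: armhf
-dependsOn:
-- Compile
-steps:
-- template: linux/product-build-linux-multiarch.yml
+# - job: LinuxArmhf
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARMHF'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# variables:
+# VSCODE_ARCH: armhf
+# dependsOn:
+# - Compile
+# steps:
+# - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxArm64
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARM64'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-variables:
-VSCODE_ARCH: arm64
-dependsOn:
-- Compile
-steps:
-- template: linux/product-build-linux-multiarch.yml
+# - job: LinuxArm64
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARM64'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# variables:
+# VSCODE_ARCH: arm64
+# dependsOn:
+# - Compile
+# steps:
+# - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxAlpine
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ALPINE'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-variables:
-VSCODE_ARCH: alpine
-dependsOn:
-- Compile
-steps:
-- template: linux/product-build-linux-multiarch.yml
+# - job: LinuxAlpine
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ALPINE'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# variables:
+# VSCODE_ARCH: alpine
+# dependsOn:
+# - Compile
+# steps:
+# - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxWeb
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WEB'], 'true'))
-pool:
-vmImage: 'Ubuntu-16.04'
-variables:
-VSCODE_ARCH: x64
-dependsOn:
-- Compile
-steps:
-- template: web/product-build-web.yml
+# - job: LinuxWeb
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WEB'], 'true'))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# variables:
+# VSCODE_ARCH: x64
+# dependsOn:
+# - Compile
+# steps:
+# - template: web/product-build-web.yml
+
+# - job: macOS
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_MACOS'], 'true'))
+# timeoutInMinutes: 180
+# pool:
+# vmImage: macOS-latest
+# dependsOn:
+# - Compile
+# steps:
+# - template: darwin/product-build-darwin.yml
+
+# - job: Release
+# condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), or(eq(variables['VSCODE_RELEASE'], 'true'), and(or(eq(variables['VSCODE_QUALITY'], 'insider'), eq(variables['VSCODE_QUALITY'], 'exploration')), eq(variables['Build.Reason'], 'Schedule'))))
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# dependsOn:
+# - Windows
+# - Windows32
+# - Linux
+# - LinuxSnap
+# - LinuxArmhf
+# - LinuxArm64
+# - LinuxAlpine
+# - macOS
+# steps:
+# - template: release.yml
+
+# - job: Mooncake
+# pool:
+# vmImage: 'Ubuntu-16.04'
+# condition: and(succeededOrFailed(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'))
+# dependsOn:
+# - Windows
+# - Windows32
+# - Linux
+# - LinuxSnap
+# - LinuxArmhf
+# - LinuxArm64
+# - LinuxAlpine
+# - LinuxWeb
+# - macOS
+# steps:
+# - template: sync-mooncake.yml
 
 - job: macOS
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_MACOS'], 'true'))
+condition: and(succeeded())
 timeoutInMinutes: 180
 pool:
 vmImage: macOS-latest
 dependsOn:
 - Compile
 steps:
-- template: darwin/product-build-darwin.yml
-
-- job: Release
-condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), or(eq(variables['VSCODE_RELEASE'], 'true'), and(or(eq(variables['VSCODE_QUALITY'], 'insider'), eq(variables['VSCODE_QUALITY'], 'exploration')), eq(variables['Build.Reason'], 'Schedule'))))
-pool:
-vmImage: 'Ubuntu-16.04'
-dependsOn:
-- Windows
-- Windows32
-- Linux
-- LinuxSnap
-- LinuxArmhf
-- LinuxArm64
-- LinuxAlpine
-- macOS
-steps:
-- template: release.yml
-
-- job: Mooncake
-pool:
-vmImage: 'Ubuntu-16.04'
-condition: and(succeededOrFailed(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'))
-dependsOn:
-- Windows
-- Windows32
-- Linux
-- LinuxSnap
-- LinuxArmhf
-- LinuxArm64
-- LinuxAlpine
-- LinuxWeb
-- macOS
-steps:
-- template: sync-mooncake.yml
+- template: darwin/codesign-darwin.yml
 
 trigger: none
 pr: none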
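Review bot: The macOS job keeps `dependsOn: - Compile` while the Compile job is commented out in the same hunk, so the definition refers to a job that no longer exists and is likely to be rejected at validation; drop the `dependsOn` entry or leave Compile enabled. `condition: and(succeeded())` passes a single argument to `and`, which the expression reference documents as taking at least two; `condition: succeeded()` states the same intent. Commenting out every other job, including Release and Mooncake, turns the product build definition into a signing experiment with access to the Key Vault secrets, so this should stay on a test branch; a separate pipeline file for the codesign trial would leave `product-build.yml` untouched. The hunk starts at line 7, so `resources:` and anything above it are not visible here.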

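--- a/build/gulpfile.hygiene.js
+++ b/build/gulpfile.hygiene.js
@@ -82,7 +82,7 @@ const indentationFilter = [
 '!src/vs/*/**/*.d.ts',
 '!src/typings/**/*.d.ts',
 '!extensions/**/*.d.ts',
-'!**/*.{svg,exe,png,bmp,scpt,bat,cmd,cur,ttf,woff,eot,md,ps1,template,yaml,yml,d.ts.recipe,ico,icns}',
+'!**/*.{svg,exe,png,bmp,scpt,bat,cmd,cur,ttf,woff,eot,md,ps1,template,yaml,yml,d.ts.recipe,ico,icns,plist}',
 '!build/{lib,download}/**/*.js',
 '!build/**/*.sh',
 '!build/azure-pipelines/**/*.js',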
