ESRP Cert (#108366)

* update ESRP

* update to new ESRP cert

* make gulp fail when inno setup fails

* fix esrp

* debug

* update esrp client version

* 🤦

* argh

* update esrpclient

* argh

build/azure-pipelines/win32/ESRPClient/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="Microsoft.ESRPClient" version="1.2.25" />
+  <package id="Microsoft.ESRPClient" version="1.2.47" />
 </packages>

build/azure-pipelines/win32/import-esrp-auth-cert.ps1

@@ -1,14 +1,17 @@
-Param(
-  [string]$AuthCertificateBase64,
-  [string]$AuthCertificateKey
-)
-
-# Import auth certificate
-$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
-$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
-[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
-$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
-rm $AuthCertificateFileName
-$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
-
-Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
+param ($CertBase64)
+$ErrorActionPreference = "Stop"
+
+$CertBytes = [System.Convert]::FromBase64String($CertBase64)
+$CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
+$CertCollection.Import($CertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
+
+$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+$CertStore.Open("ReadWrite")
+$CertStore.AddRange($CertCollection)
+$CertStore.Close()
+
+echo $CertCollection[0].HasPrivateKey
+echo $CertCollection[0].PrivateKey
+
+$ESRPAuthCertificateSubjectName = $CertCollection[0].Subject
+Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")

build/azure-pipelines/win32/product-build-win32-arm64.yml

@@ -171,9 +171,11 @@ steps:
   inputs:
     ESRP: 'ESRP CodeSign'
 
-- powershell: |
-    $ErrorActionPreference = "Stop"
-    .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key)
+- task: PowerShell@2
+  inputs:
+    targetType: filePath
+    filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1
+    arguments: "$(ESRP-SSL-AADAuth)"
   displayName: Import ESRP Auth Certificate
 
 - powershell: |

build/azure-pipelines/win32/product-build-win32.yml

@@ -233,9 +233,11 @@ steps:
   inputs:
     ESRP: 'ESRP CodeSign'
 
-- powershell: |
-    $ErrorActionPreference = "Stop"
-    .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key)
+- task: PowerShell@2
+  inputs:
+    targetType: filePath
+    filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1
+    arguments: "$(ESRP-SSL-AADAuth)"
   displayName: Import ESRP Auth Certificate
 
 - powershell: |

build/azure-pipelines/win32/sign.ps1

@@ -12,6 +12,7 @@ $Auth = Create-TmpJson @{
 		SubjectName = $env:ESRPAuthCertificateSubjectName
 		StoreLocation = "LocalMachine"
 		StoreName = "My"
+		SendX5c = "true"
 	}
 	RequestSigningCert = @{
 		SubjectName = $env:ESRPCertificateSubjectName
@@ -67,4 +68,4 @@ $Input = Create-TmpJson @{
 
 $Output = [System.IO.Path]::GetTempFileName()
 $ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.1.2.25\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output
+& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.*\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output

build/gulpfile.vscode.win32.js

@@ -54,7 +54,13 @@ function packageInnoSetup(iss, options, cb) {
 
 	cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] })
 		.on('error', cb)
-		.on('exit', () => cb(null));
+		.on('exit', code => {
+			if (code === 0) {
+				cb(null);
+			} else {
+				cb(new Error(`InnoSetup returned exit code: ${code}`));
+			}
+		});
 }
 
 function buildWin32Setup(arch, target) {