Sign official builds of the vscode extensions (#4007)

* Sign official builds of the vscode extensions

* Add msbuild-sdk NoTargets to global.json

* Fix ordering of steps

* Workaround Arcade error

* Update vsce call

* Update vsce to 3.6.0

* Update to a newer version of node compatible with vsce

* Update TypeScript to work with latest NodeJs

* Fix yml

* Switch to LTS NodeJs 22

* Support node type stripping by using as for type casts

* Update typescript and syntax of polygot-notebooks folder

* Update typescript and syntax of polygot-notebooks-browser folder

* Use as

* Update typescript of polyglot-notebook-ui-components

* Downgrade npm on windows builds

* Update package publishing

* Move to @vscode/vsce 3.6.1-3

* Workaround packaging failure

* Workaround 2

* Add tests/** to vscodeignore file

* Fix vscodeignore

Author: JoeRobich

.devcontainer/devcontainer.json

@@ -9,7 +9,7 @@
       // Append -bullseye or -focal to pin to an OS version.
       "VARIANT": "9.0",
       // Options
-      "NODE_VERSION": "16"
+      "NODE_VERSION": "22"
     }
   },
   // Set *default* container specific settings.json values on container create.
@@ -73,4 +73,4 @@
   "features": {
     "powershell": "latest"
   }
-}
+}

azure-pipelines-official.yml

@@ -51,7 +51,7 @@ extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
   parameters:
     sdl:
-      sourceAnalysisPool: 
+      sourceAnalysisPool:
         name: $(DncEngInternalBuildPool)
         image: 1es-windows-2022
         os: windows
@@ -152,6 +152,7 @@ extends:
             - template: /eng/templates/build-and-test-tasks.yml@self
               parameters:
                 platform: windows
+                signType: $(_SignType)
 
       - template: /eng/common/templates-official/jobs/jobs.yml@self
         parameters:
@@ -212,7 +213,7 @@ extends:
             -TsaCodebaseName "Interactive-GitHub"
             -TsaPublish $True
             -PoliCheckAdditionalRunConfigParams @("UserExclusionPath < $(Build.SourcesDirectory)/eng/policheck_exclusions.xml")
-  
+
     #---------------------------------------------------------------------------------------------------------------------#
     #                                                    NPM Publish                                                      #
     #---------------------------------------------------------------------------------------------------------------------#

eng/msbuild/Directory.Build.props

@@ -0,0 +1,14 @@
+<Project>
+    <PropertyGroup>
+        <RepoRoot>$(MSBuildThisFileDirectory)../../</RepoRoot>
+    </PropertyGroup>
+
+    <PropertyGroup Condition="'$(SignType)' == ''">
+        <SignType>test</SignType>
+    </PropertyGroup>
+
+    <!-- The Arcade.SDK will error if this is unset. This is fixed in more recent Arcade builds. -->
+    <PropertyGroup Condition="'$(_SuppressSdkImports)' == ''">
+        <_SuppressSdkImports>true</_SuppressSdkImports>
+    </PropertyGroup>
+</Project>

eng/msbuild/Directory.Packages.props

@@ -0,0 +1,10 @@
+<Project>
+  <!-- https://learn.microsoft.com/nuget/consume-packages/central-package-management -->
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
+  </PropertyGroup>
+  <ItemGroup>
+    <GlobalPackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+  </ItemGroup>
+</Project>

eng/msbuild/signJs/signJs.proj

@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+    <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+    <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+    <IsPackable>false</IsPackable>
+    <OutDir>$(MSBuildProjectDirectory)\$(JSOutputPath)\</OutDir>
+    <MicroBuild_SigningEnabled>true</MicroBuild_SigningEnabled>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)*.js">
+      <Authenticode>MicrosoftSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+</Project>

eng/msbuild/signVsix/signVsix.proj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+    <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+    <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+    <IsPackable>false</IsPackable>
+    <OutDir>$(RepoRoot)artifacts\vscode\</OutDir>
+  </PropertyGroup>
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)stable-locked\*.vsix">
+      <Authenticode>VSCodePublisher</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(OutDir)stable\*.vsix">
+      <Authenticode>VSCodePublisher</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(OutDir)insiders\*.vsix">
+      <Authenticode>VSCodePublisher</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+</Project>

eng/package/PackVSCodeExtension.ps1

@@ -30,7 +30,13 @@ function Build-VsCodeExtension([string] $packageDirectory, [string] $outputSubDi
 
     # pack
     Write-Host "Packing extension"
-    npm run package -- --out "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.vsix"
+    npx @vscode/vsce package -o "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.vsix"
+
+    Write-Host "Generating extension manifest"
+    npx @vscode/vsce generate-manifest -i "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.vsix" -o "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.manifest"
+
+    Write-Host "Preparing manifest for signing"
+    Copy-Item -Path "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.manifest" -Destination "$outDir\$outputSubDirectory\dotnet-interactive-vscode-$packageVersionNumber.signature.p7s"
 
     Pop-Location
 }

eng/publish/PublishPolyglotNotebooksHelper.psm1

@@ -10,6 +10,14 @@ function PublishInsidersExtension {
     $extension = Get-ChildItem "$artifactsPath\vscode\insiders\dotnet-interactive-vscode-*.vsix" | Select-Object -First 1
     Write-Host "Found extension: $extension"
 
+    Write-Host "Find extension manifest..."
+    $manifest = Get-ChildItem "$artifactsPath\vscode\insiders\dotnet-interactive-vscode-*.manifest" | Select-Object -First 1
+    Write-Host "Found extension: $manifest"
+
+    Write-Host "Find extension signature..."
+    $signature = Get-ChildItem "$artifactsPath\vscode\insiders\dotnet-interactive-vscode-*.signature.p7s" | Select-Object -First 1
+    Write-Host "Found extension: $signature"
+
     Write-Host "Verify the extension..."
     if ($simulate) {
         Write-Host "Simulated command: . '$PSScriptRoot\VerifyVSCodeExtension.ps1' -extensionPath $extension"
@@ -22,9 +30,9 @@ function PublishInsidersExtension {
 
     Write-Host "Publishing extension $extension to VS Code Marketplace using Managed Identity..."
     if ($simulate) {
-        Write-Host "Simulated command: vsce publish --pre-release --packagePath $extension --noVerify --azure-credential"
+        Write-Host "Simulated command: vsce publish --pre-release --packagePath $extension --manifestPath $manifest --signaturePath $signature --noVerify --azure-credential"
     } else {
-        vsce publish --pre-release --packagePath $extension --noVerify --azure-credential
+        vsce publish --pre-release --packagePath $extension --manifestPath $manifest --signaturePath $signature --noVerify --azure-credential
     }
 }
 
@@ -41,6 +49,14 @@ function PublishStableExtensionAndNuGetPackages {
     $extension = Get-ChildItem "$artifactsPath\vscode\stable\dotnet-interactive-vscode-*.vsix" | Select-Object -First 1
     Write-Host "Found extension: $extension"
 
+    Write-Host "Find extension manifest..."
+    $manifest = Get-ChildItem "$artifactsPath\vscode\stable\dotnet-interactive-vscode-*.manifest" | Select-Object -First 1
+    Write-Host "Found extension: $manifest"
+
+    Write-Host "Find extension signature..."
+    $signature = Get-ChildItem "$artifactsPath\vscode\stable\dotnet-interactive-vscode-*.signature.p7s" | Select-Object -First 1
+    Write-Host "Found extension: $signature"
+
     Write-Host "Verify the extension..."
     if ($simulate) {
         Write-Host "Simulated command: . '$PSScriptRoot\VerifyVSCodeExtension.ps1' -extensionPath $extension"
@@ -102,8 +118,8 @@ function PublishStableExtensionAndNuGetPackages {
 
     Write-Host "Publishing extension $extension to VS Code Marketplace using Managed Identity..."
     if ($simulate) {
-        Write-Host "Simulated command: vsce publish --packagePath $extension --noVerify --azure-credential"
+        Write-Host "Simulated command: vsce publish --packagePath $extension --manifestPath $manifest --signaturePath $signature --noVerify --azure-credential"
     } else {
-        vsce publish --packagePath $extension --noVerify --azure-credential
+        vsce publish --packagePath $extension --manifestPath $manifest --signaturePath $signature --noVerify --azure-credential
     }
 }

eng/publish/PublishVSCodeExtension.ps1

@@ -21,6 +21,8 @@ try {
 
         # find extension vsix
         $extension = Get-ChildItem "$artifactsPath\vscode\$vscodeTarget\dotnet-interactive-vscode-*.vsix" | Select-Object -First 1
+        $manifest = Get-ChildItem "$artifactsPath\vscode\$vscodeTarget\dotnet-interactive-vscode-*.manifest" | Select-Object -First 1
+        $signature = Get-ChildItem "$artifactsPath\vscode\$vscodeTarget\dotnet-interactive-vscode-*.signature.p7s" | Select-Object -First 1
 
         # verify
         if (-Not $simulate) {
@@ -35,7 +37,7 @@ try {
             $packagestoPublish = @(
                 "Microsoft.dotnet-interactive",
                 "Microsoft.DotNet.Interactive",
-                "Microsoft.DotNet.Interactive.AspNetCore",                
+                "Microsoft.DotNet.Interactive.AspNetCore",
                 "Microsoft.DotNet.Interactive.Browser",
                 "Microsoft.DotNet.Interactive.CSharp",
                 "Microsoft.DotNet.Interactive.Documents",
@@ -80,12 +82,12 @@ try {
         Write-Host "Publishing $extension"
         if (-Not $simulate) {
             if ($vscodeTarget -eq "insiders") {
-                vsce publish --pre-release --packagePath $extension --pat $vscodeToken --noVerify
+                vsce publish --pre-release --packagePath $extension --manifestPath $manifest --signaturePath $signature --pat $vscodeToken --noVerify
             }
             else{
-                vsce publish --packagePath $extension --pat $vscodeToken --noVerify
+                vsce publish --packagePath $extension --manifestPath $manifest --signaturePath $signature --pat $vscodeToken --noVerify
             }
-           
+
         }
     }
 }

eng/publish/publish-npm.yml

@@ -18,7 +18,7 @@ stages:
     variables:
     - group: AzureDevOps-Artifact-Feeds-Pats
     - name: NodeJSVersion
-      value: '12.16.1'
+      value: '22.18.0'
     steps:
     - task: NodeTool@0
       displayName: Add NodeJS/npm