PowerShell
diff --git a/‎tools/releaseBuild/packagesigning.xml‎
Lines changed: 0 additions & 6 deletions b/‎tools/releaseBuild/packagesigning.xml‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎tools/releaseBuild/signing.xml‎
Lines changed: 0 additions & 8 deletions b/‎tools/releaseBuild/signing.xml‎
Lines changed: 0 additions & 8 deletions
diff --git a/‎tools/releaseBuild/updateSigning.ps1‎
Lines changed: 0 additions & 38 deletions b/‎tools/releaseBuild/updateSigning.ps1‎
Lines changed: 0 additions & 38 deletions
diff --git a/‎tools/releaseBuild/yaml/compliance.yml‎
Lines changed: 0 additions & 54 deletions b/‎tools/releaseBuild/yaml/compliance.yml‎
Lines changed: 0 additions & 54 deletions
diff --git a/‎tools/releaseBuild/yaml/nuget.yml‎
Lines changed: 17 additions & 25 deletions b/‎tools/releaseBuild/yaml/nuget.yml‎
Lines changed: 17 additions & 25 deletions
diff --git a/‎tools/releaseBuild/yaml/releaseBuild.yml‎
Lines changed: 75 additions & 0 deletions b/‎tools/releaseBuild/yaml/releaseBuild.yml‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎tools/releaseBuild/yaml/windows-sign.yml‎
Lines changed: 26 additions & 37 deletions b/‎tools/releaseBuild/yaml/windows-sign.yml‎
Lines changed: 26 additions & 37 deletions
@@ -43,8 +43,6 @@ steps:
     Get-ChildItem -Recurse $extractedRoot -File
   displayName: 'Extract All Zips'
 
-- template: compliance.yml
-
 - template: upload.yml
   parameters:
       fileName: 'x64_arm64-symbols.zip'
@@ -116,33 +114,27 @@ steps:
 - powershell: 'Get-Childitem $(NuGetPackagePath)'
   displayName: 'Capture nuget package'
 
-- powershell: |
-   ## Get the nuget file paths
-   $files = (Get-ChildItem $(NuGetPackagePath)\*.nupkg).FullName
-
-   if($files.Count -lt 1) { throw "No packages available to publish" }
-
-   & $(Build.SourcesDirectory)\tools\releaseBuild\generatePackgeSigning.ps1 -Path "$(NuGetPackagePath)\NugetSigning.xml" -NuPkgFiles $files
-
-  displayName: 'Generate signing file'
-
-- powershell: 'Get-Content $(NuGetPackagePath)\NugetSigning.xml'
-  displayName: 'Capture package signing file'
-
-- task: PkgESCodeSign@10
-  displayName: 'Package ES - CodeSign $(NuGetPackagePath)\NugetSigning.xml'
-  env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    signConfigXml: '$(NuGetPackagePath)\NugetSigning.xml'
-    inPathRoot: ' $(NuGetPackagePath)'
-    outPathRoot: '$(System.ArtifactsDirectory)\signed'
-  condition: ne(variables['SKIP_SIGNING'], 'True')
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+      # the folder which contains the binaries to sign
+      buildOutputPath: $(NuGetPackagePath)
+      # the location to put the signed output
+      signOutputPath: '$(System.ArtifactsDirectory)\signed'
+      # the certificate ID to use
+      certificateId: "CP-401405"
+      # The file pattern to use
+      # If not using minimatch: comma separated, with * supported
+      # If using minimatch: newline separated, with !, **, and * supported.
+      # See link in the useMinimatch comments.
+      pattern: '*.nupkg'
+      # decides if the task should use minimatch for the pattern matching.
+      # https://github.com/isaacs/minimatch#features
+      useMinimatch: false
 
 - powershell: |
     Copy-Item  $(NuGetPackagePath)\*.nupkg -DestinationPath '$(System.ArtifactsDirectory)\signed' -Force -Verbose
   displayName: Copy unsigned nuget packge as signing is disabled
-  condition: eq(variables['SKIP_SIGNING'], 'True')
+  condition: eq(variables['SkipSigning'], 'True')
 
 - powershell: |
    Import-Module $env:BUILD_SOURCESDIRECTORY\build.psm1 -Force
 
@@ -6,6 +6,13 @@ variables:
   NuGetPackagePath: '$(System.ArtifactsDirectory)/NuGetRelease'
   PackageRoot: '$(System.ArtifactsDirectory)/Packages'
 
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+
 stages:
 - stage: Build
   displayName: Build Native Binaries
@@ -31,6 +38,8 @@ stages:
   - job: SignWin
     pool: Package ES Standard Build
     displayName: Sign Windows
+    variables:
+    - group: ESRP
     dependsOn: BuildWin
     strategy:
       matrix:
@@ -75,10 +84,76 @@ stages:
     - BuildLinux
     - BuildMac
     pool: Package ES Standard Build
+    variables:
+    - group: ESRP
 
     steps:
     - template: nuget.yml
 
+- stage: compliance
+  displayName: Compliance
+  dependsOn: Build
+  jobs:
+  - job: Compliance_Job
+    pool:
+      name: Package ES Standard Build
+    steps:
+    - checkout: self
+      clean: true
+    - checkout: ComplianceRepo
+      clean: true
+
+    - download: current
+      artifact: release
+
+    - download: current
+      artifact: signed
+
+    - powershell: |
+        $null = New-Item $(PackageRoot) -ItemType Directory -Force -Verbose
+        if(-not (Test-Path '$(Pipeline.Workspace)/release' ))
+        {
+          New-Item -ItemType Directory -Path '$(Pipeline.Workspace)/release' -Force
+        }
+        Invoke-WebRequest -Uri '$(PSRPBlobUrl)' -OutFile $(Pipeline.Workspace)/release/psrp.zip -Verbose
+      displayName: 'Download PSRP package'
+
+    - powershell: 'Get-ChildItem $(Pipeline.Workspace)/release'
+      displayName: 'Capture downloaded zips'
+
+    - powershell: |
+        $extractedRoot = New-Item $(Pipeline.Workspace)/uncompressed -ItemType Directory -Force -Verbose
+        Get-ChildItem $(Pipeline.Workspace)/release/*.zip | ForEach-Object {
+            $baseName = $_.BaseName
+            if($baseName -match 'x64_arm') {
+                Write-Verbose "Skipping expanding file $_.Name" -Verbose
+            }
+            else {
+                $folderPath = Join-Path $extractedRoot $baseName
+                Expand-Archive $_.FullName -DestinationPath $folderPath -Force
+            }
+        }
+        Write-Host "Extracted files:"
+        Get-ChildItem -Recurse $extractedRoot -File
+      displayName: 'Extract All Zips'
+
+    - template: assembly-module-compliance.yml@ComplianceRepo
+      parameters:
+        # binskim
+        AnalyzeTarget: '$(Pipeline.Workspace)/uncompressed/*.dll'
+        AnalyzeSymPath: 'SRV*'
+        # component-governance
+        sourceScanPath: '$(Build.SourcesDirectory)/powershell-native'
+        # credscan
+        suppressionsFile: ''
+        # TermCheck
+        optionsRulesDBPath: ''
+        optionsFTPath: ''
+        # tsa-upload
+        codeBaseName: 'PowerShellNative'
+        # selections
+        APIScan: true # set to false when not using Windows APIs.
+
 - template: publish.yml
   parameters:
     stageName: AzArtifactsFeed
 
@@ -1,17 +1,4 @@
 steps:
-- task: PkgESSetupBuild@10
-  displayName: 'Initialize build'
-  env:
-    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    useDfs: false
-    productName: PowerShellCore
-    branchVersion: true
-    disableWorkspace: true
-    disableBuildTools: true
-    disableNugetPack: true
-  condition: and(succeeded(), eq(variables['Build.Reason'], 'Manual'))
-
 - task: DownloadBuildArtifacts@0
   inputs:
     buildType: current
@@ -28,42 +15,44 @@ steps:
     Write-Host "##$vstsCommandString"
   displayName: Expand artifact $(ARCHITECTURE)-symbols.zip
 
-- task: PowerShell@2
-  displayName: 'Update Signing Xml'
-  inputs:
-    targetType: filePath
-    filePath: $(Build.SourcesDirectory)/tools/releaseBuild/updateSigning.ps1
+- powershell: |
+    $vstsCommandString = "vso[task.setvariable variable=SignedOutput]$(System.ArtifactsDirectory)\Signed"
+    Write-Host "sending " + $vstsCommandString
+    Write-Host "##$vstsCommandString"
+  displayName: Define signedOutput variable
 
-- task: PkgESCodeSign@10
-  displayName: 'CodeSign $(ARCHITECTURE)'
-  env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    signConfigXml: '$(Build.SourcesDirectory)\tools\releaseBuild\signing.xml'
-    inPathRoot: '$(Symbols)'
-    outPathRoot: '$(Symbols)\Signed'
-  condition: ne(variables['SKIP_SIGNING'], 'True')
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+      # the folder which contains the binaries to sign
+      buildOutputPath: $(Symbols)
+      # the location to put the signed output
+      signOutputPath: '$(SignedOutput)'
+      # the certificate ID to use
+      certificateId: "CP-230012"
+      # The file pattern to use
+      # If not using minimatch: comma separated, with * supported
+      # If using minimatch: newline separated, with !, **, and * supported.
+      # See link in the useMinimatch comments.
+      pattern: '*.dll'
+      # decides if the task should use minimatch for the pattern matching.
+      # https://github.com/isaacs/minimatch#features
+      useMinimatch: false
 
 - powershell: |
-    Compress-Archive -Path '$(Symbols)\Signed\*' -DestinationPath '$(Symbols)\Signed\win-$(ARCHITECTURE).zip'
+    Compress-Archive -Path '$(SignedOutput)\*' -DestinationPath '$(SignedOutput)\win-$(ARCHITECTURE).zip'
   displayName: Compress signed binaries
-  condition: ne(variables['SKIP_SIGNING'], 'True')
+  condition: eq(variables['SkipSigning'], 'false')
 
 - powershell: |
-    Get-ChildItem -Path '$(Symbols)\*' -Recurse | Copy-Item -Destination '$(Symbols)\Signed' -Force -Verbose
+    Get-ChildItem -Path '$(Symbols)\*' -Recurse | Copy-Item -Destination '$(SignedOutput)' -Force -Verbose
   displayName: Copy unsigned binaries as signing is skipped
-  condition: eq(variables['SKIP_SIGNING'], 'True')
+  condition: eq(variables['SkipSigning'], 'True')
 
 - template: uploadArtifact.yml
   parameters:
-    artifactPath: '$(Symbols)\Signed'
+    artifactPath: '$(SignedOutput)'
     artifactFilter: 'win-*.zip'
     artifactName: 'signed'
 
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
   displayName: 'Run MpCmdRun.exe'
-
-- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
-  displayName: 'Component Detection'
-  inputs:
-    sourceScanPath: '$(Build.SourcesDirectory)'