ESRP sign the packages to be compliant for release

YunchuWang · YunchuWang · commit 850820f714f6 · 2025-03-27T11:00:02.000-07:00
diff --git a/azurefunctions/build.gradle b/azurefunctions/build.gradle
@@ -77,10 +77,9 @@ publishing {
     }
 }
 
-// TODO: manual signing temporarily disabled, in favor of 1ES signing utils
-//signing {
-//    sign publishing.publications.mavenJava
-//}
+signing {
+   sign publishing.publications.mavenJava
+}
 
 java {
     withSourcesJar()
diff --git a/azuremanaged/build.gradle b/azuremanaged/build.gradle
@@ -110,6 +110,10 @@ publishing {
     }
 }
 
+signing {
+   sign publishing.publications.mavenJava
+}
+
 java {
     withSourcesJar()
     withJavadocJar()
diff --git a/client/build.gradle b/client/build.gradle
@@ -173,10 +173,9 @@ publishing {
     }
 }
 
-// TODO: manual signing temporarily disabled, in favor of 1ES signing
-//signing {
-//    sign publishing.publications.mavenJava
-//}
+signing {
+   sign publishing.publications.mavenJava
+}
 
 java {
     withSourcesJar()
diff --git a/eng/templates/build.yml b/eng/templates/build.yml
@@ -8,7 +8,6 @@ jobs:
                 artifact: drop
                 sbomBuildDropPath: $(System.DefaultWorkingDirectory)
                 sbomPackageName: 'Durable Task / Durable Functions Java SBOM'
-
       steps:
         - checkout: self
 
@@ -25,9 +24,15 @@ jobs:
             jdkArchitectureOption: 'x64'
             publishJUnitResults: false
             tasks: clean assemble
-          displayName: Assemble durabletask-client and durabletask-azure-functions
+          displayName: Assemble durabletask-client and durabletask-azure-functions and durabletask-azuremanaged
+
+        # the secring.gpg file is required to sign the artifacts, it's generated from GnuPG, and it's stored in the library of the durabletaskframework ADO
+        - task: DownloadSecureFile@1
+          name: gpgSecretFile
+          displayName: 'Download GPG secret file'
+          inputs:
+            secureFile: 'secring.gpg'
 
-        # TODO: add 1ES-level signing
         - task: Gradle@3
           inputs:
             workingDirectory: ''
@@ -37,7 +42,8 @@ jobs:
             jdkVersionOption: 1.11
             jdkArchitectureOption: 'x64'
             tasks: publish
-          displayName: Publish durabletask-client and durabletask-azure-functions
+            options: '-Psigning.keyId=$(gpgSignKey) -Psigning.password=$(gpgSignPassword) -Psigning.secretKeyRingFile=$(gpgSecretFile.secureFilePath)'
+          displayName: Publish durabletask-client and durabletask-azure-functions and durabletask-azuremanaged
 
         - task: CopyFiles@2
           displayName: 'Copy publish file to Artifact Staging Directory'

Original file line number	Diff line number	Diff line change
`@@ -77,10 +77,9 @@ publishing {`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
`80`		`-// TODO: manual signing temporarily disabled, in favor of 1ES signing utils`
`81`		`-//signing {`
`82`		`-// sign publishing.publications.mavenJava`
`83`		`-//}`
	`80`	`+signing {`
	`81`	`+ sign publishing.publications.mavenJava`
	`82`	`+}`
`84`	`83`
`85`	`84`	`java {`
`86`	`85`	`withSourcesJar()`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,10 @@ publishing {`
`110`	`110`	`}`
`111`	`111`	`}`
`112`	`112`
	`113`	`+signing {`
	`114`	`+ sign publishing.publications.mavenJava`
	`115`	`+}`
	`116`	`+`
`113`	`117`	`java {`
`114`	`118`	`withSourcesJar()`
`115`	`119`	`withJavadocJar()`
Original file line number	Diff line number	Diff line change
`@@ -173,10 +173,9 @@ publishing {`
`173`	`173`	`}`
`174`	`174`	`}`
`175`	`175`
`176`		`-// TODO: manual signing temporarily disabled, in favor of 1ES signing`
`177`		`-//signing {`
`178`		`-// sign publishing.publications.mavenJava`
`179`		`-//}`
	`176`	`+signing {`
	`177`	`+ sign publishing.publications.mavenJava`
	`178`	`+}`
`180`	`179`
`181`	`180`	`java {`
`182`	`181`	`withSourcesJar()`