move signing to separate stage

Ix.NET/Source/build/Sign-Package.ps1

@@ -1,30 +0,0 @@
-
-$currentDirectory = split-path $MyInvocation.MyCommand.Definition
-
-# See if we have the ClientSecret available
-if([string]::IsNullOrEmpty($Env:SignClientSecret)){
-	Write-Host "Client Secret not found, not signing packages"
-	return;
-}
-
-dotnet tool install --tool-path . SignClient
-
-# Setup Variables we need to pass into the sign client tool
-
-$appSettings = "$currentDirectory\appsettings.json"
-
-$nupkgs = gci $Env:ArtifactDirectory\*.nupkg -recurse | Select -ExpandProperty FullName
-
-foreach ($nupkg in $nupkgs){
-	Write-Host "Submitting $nupkg for signing"
-
-	.\SignClient 'sign' -c $appSettings -i $nupkg -r $Env:SignClientUser -s $Env:SignClientSecret -n 'Ix.NET' -d 'Ix.NET' -u 'https://github.com/dotnet/reactive' 
-
-  if ($LASTEXITCODE -ne 0) {
-    exit 1
-  }
-  
-	Write-Host "Finished signing $nupkg"
-}
-
-Write-Host "Sign-package complete"

azure-pipelines.ix.yml

@@ -27,80 +27,111 @@ variables:
   BuildConfiguration: Release
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
 
-steps:
-- task: UseDotNet@2
-  displayName: 'Use .NET Core SDK 3.x'
-  inputs:
-    version: 3.0.x
-    includePreviewVersions: true
-    performMultiLevelLookup: true
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: custom
-    custom: tool
-    arguments: install --tool-path . nbgv
-  displayName: Install NBGV tool
-
-- script: nbgv cloud -p Ix.NET\Source
-  displayName: Set Version
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: restore
-    projects: Ix.NET/Source/**/*.csproj
-  displayName: Restore
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: pack
-    packagesToPack: Ix.NET/Source/**/System.Interactive*.csproj;Ix.NET/Source/**/System.Linq.*.csproj;!Ix.NET/Source/**/*.Tests*.csproj;!Ix.NET/Source/refs/**
-    configuration: $(BuildConfiguration)
-    packDirectory: $(Build.ArtifactStagingDirectory)\artifacts
-    verbosityPack: Minimal
-  displayName: Pack
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: custom
-    custom: tool
-    arguments: install --tool-path . dotnet-reportgenerator-globaltool
-  displayName: Install ReportGenerator tool
-
-- task: DotNetCoreCLI@2
-  inputs:
-    command: test
-    projects: Ix.NET/Source/**/*.Tests.csproj
-    arguments: -c $(BuildConfiguration) --settings Ix.NET/Source/CodeCoverage.runsettings --collect:"XPlat Code Coverage" -- RunConfiguration.DisableAppDomain=true
-  displayName: Run Tests
-
-- script: reportgenerator -reports:$(Agent.TempDirectory)/**/coverage.cobertura.xml -targetdir:$(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports -reporttypes:"Cobertura"
-  displayName: Create reports
-
-- task: PublishCodeCoverageResults@1
-  displayName: 'Publish code coverage'
-  inputs:
-    codeCoverageTool: Cobertura
-    summaryFileLocation: $(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports/Cobertura.xml
-
-- task: PowerShell@2
-  displayName: Authenticode Sign Packages
-  inputs:
-    filePath: Ix.NET/Source/build/Sign-Package.ps1
-  env:
-    SignClientUser: $(SignClientUser)
-    SignClientSecret: $(SignClientSecret)
-    ArtifactDirectory: $(Build.ArtifactStagingDirectory)\artifacts
-  condition: and(succeeded(), not(eq(variables['build.reason'], 'PullRequest')), not(eq(variables['SignClientSecret'], '')), not(eq(variables['SignClientUser'], '')))
-
-- task: PublishPipelineArtifact@0
-  displayName: Publish packages
-  inputs:
-    targetPath: $(Build.ArtifactStagingDirectory)\artifacts
-    artifactName: artifacts
-
-- task: PublishPipelineArtifact@0
-  displayName: Publish Code Coverage XML
-  inputs:
-    artifactName: Coverage Report XML
-    targetPath: $(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports/Cobertura.xml
+stages:
+- stage: Build
+  jobs:
+  - job: Build
+    steps:
+    - task: UseDotNet@2
+      displayName: 'Use .NET Core SDK 3.x'
+      inputs:
+        version: 3.0.x
+        performMultiLevelLookup: true
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: custom
+        custom: tool
+        arguments: install --tool-path . nbgv
+      displayName: Install NBGV tool
+
+    - script: nbgv cloud -p Ix.NET\Source
+      displayName: Set Version
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: restore
+        projects: Ix.NET/Source/**/*.csproj
+      displayName: Restore
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: pack
+        packagesToPack: Ix.NET/Source/**/System.Interactive*.csproj;Ix.NET/Source/**/System.Linq.*.csproj;!Ix.NET/Source/**/*.Tests*.csproj;!Ix.NET/Source/refs/**
+        configuration: $(BuildConfiguration)
+        packDirectory: $(Build.ArtifactStagingDirectory)\artifacts
+        verbosityPack: Minimal
+      displayName: Pack
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: custom
+        custom: tool
+        arguments: install --tool-path . dotnet-reportgenerator-globaltool
+      displayName: Install ReportGenerator tool
+
+    - task: DotNetCoreCLI@2
+      inputs:
+        command: test
+        projects: Ix.NET/Source/**/*.Tests.csproj
+        arguments: -c $(BuildConfiguration) --settings Ix.NET/Source/CodeCoverage.runsettings --collect:"XPlat Code Coverage" -- RunConfiguration.DisableAppDomain=true
+      displayName: Run Tests
+
+    - script: reportgenerator -reports:$(Agent.TempDirectory)/**/coverage.cobertura.xml -targetdir:$(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports -reporttypes:"Cobertura"
+      displayName: Create reports
+
+    - task: PublishCodeCoverageResults@1
+      displayName: 'Publish code coverage'
+      inputs:
+        codeCoverageTool: Cobertura
+        summaryFileLocation: $(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports/Cobertura.xml
+
+    - publish:  Ix.NET/Source/build
+      artifact: config
+      displayName: Publish signing config
+
+    - publish: $(Build.ArtifactStagingDirectory)\artifacts
+      displayName: Publish artifacts
+      artifact: BuildPackages
+
+    - task: PublishPipelineArtifact@0
+      displayName: Publish Code Coverage XML
+      inputs:
+        artifactName: Coverage Report XML
+        targetPath: $(Build.SourcesDirectory)/Ix.NET/Source/coverlet/reports/Cobertura.xml
+
+- stage: CodeSign
+  condition: and(succeeded('Build'), not(eq(variables['build.reason'], 'PullRequest')))
+  jobs:
+  - deployment: CodeSign
+    displayName: Code Signing
+    pool:
+      vmImage: windows-latest
+    environment: Code Sign
+    variables:
+    - group: SignClient Credentials
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - task: DotNetCoreCLI@2
+            inputs:
+              command: custom
+              custom: tool
+              arguments: install --tool-path . SignClient
+            displayName: Install SignTool tool
+
+          - pwsh: |
+              .\SignClient "Sign" `
+              --baseDirectory "$(Pipeline.Workspace)\BuildPackages" `
+              --input "**/*.nupkg" `
+              --config "$(Pipeline.Workspace)\config\signclient.json" `
+              --user "$(SignClientUser)" `
+              --secret "$(SignClientSecret)" `
+              --name "Ix.NET" `
+              --description "Ix.NET" `
+              --descriptionUrl "https://github.com/dotnet/reactive"
+            displayName: Sign packages
+          - publish: $(Pipeline.Workspace)/BuildPackages
+            displayName: Publish Signed Packages
+            artifact: SignedPackages