test codesign hardened

build/azure-pipelines/darwin/codesign-darwin.yml

+steps:
+- task: AzureKeyVault@1
+  displayName: 'Azure Key Vault: Get Secrets'
+  inputs:
+    azureSubscription: 'vscode-builds-subscription'
+    KeyVaultName: vscode
+
+- script: |
+    cat << EOF > $(agent.tempdirectory)/cert.p12
+    $(macos-developer-certificate)
+    EOF
+    security import $(agent.tempdirectory)/cert.p12 -P "$(macos-developer-certificate-key)"
+    curl -o $(agent.tempdirectory)/VSCode-darwin.zip https://vscode.blob.core.windows.net/public/VSCode-darwin.zip
+    unzip $(agent.tempdirectory)/VSCode-darwin.zip -d $(agent.tempdirectory)
+    codesign -s 99FM488X57 --deep --force --options runtime --entitlements build/azure-pipelines/darwin/entitlements.plist $(agent.tempdirectory)/Visual\ Studio\ Code\ -\ Insiders.app
+    zip -r -X -y $(agent.stagingdirectory)/VSCode-darwin.zip $(agent.tempdirectory)/Visual\ Studio\ Code\ -\ Insiders.app
+
+- task: PublishPipelineArtifact@0
+  displayName: 'Publish Pipeline Artifact'
+  inputs:
+    artifactName: darwin-hardened
+    targetPath: $(agent.stagingdirectory)/VSCode-darwin.zip
+

build/azure-pipelines/darwin/entitlements.plist

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.device.camera</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.personal-information.location</key>
+    <true/>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+</dict>
+</plist>

build/azure-pipelines/product-build.yml

@@ -7,140 +7,150 @@ resources:
     image: snapcore/snapcraft:stable
 
 jobs:
-- job: Compile
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  container: vscode-x64
-  steps:
-  - template: product-compile.yml
+# - job: Compile
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   container: vscode-x64
+#   steps:
+#   - template: product-compile.yml
 
-- job: Windows
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32'], 'true'))
-  pool:
-    vmImage: VS2017-Win2016
-  variables:
-    VSCODE_ARCH: x64
-  dependsOn:
-  - Compile
-  steps:
-  - template: win32/product-build-win32.yml
+# - job: Windows
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32'], 'true'))
+#   pool:
+#     vmImage: VS2017-Win2016
+#   variables:
+#     VSCODE_ARCH: x64
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: win32/product-build-win32.yml
 
-- job: Windows32
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32_32BIT'], 'true'))
-  pool:
-    vmImage: VS2017-Win2016
-  variables:
-    VSCODE_ARCH: ia32
-  dependsOn:
-  - Compile
-  steps:
-  - template: win32/product-build-win32.yml
+# - job: Windows32
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WIN32_32BIT'], 'true'))
+#   pool:
+#     vmImage: VS2017-Win2016
+#   variables:
+#     VSCODE_ARCH: ia32
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: win32/product-build-win32.yml
 
-- job: Linux
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  container: vscode-x64
-  dependsOn:
-  - Compile
-  steps:
-  - template: linux/product-build-linux.yml
+# - job: Linux
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   container: vscode-x64
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: linux/product-build-linux.yml
 
-- job: LinuxSnap
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  container: snapcraft
-  dependsOn: Linux
-  steps:
-  - template: linux/snap-build-linux.yml
+# - job: LinuxSnap
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   container: snapcraft
+#   dependsOn: Linux
+#   steps:
+#   - template: linux/snap-build-linux.yml
 
-- job: LinuxArmhf
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARMHF'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  variables:
-    VSCODE_ARCH: armhf
-  dependsOn:
-  - Compile
-  steps:
-  - template: linux/product-build-linux-multiarch.yml
+# - job: LinuxArmhf
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARMHF'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   variables:
+#     VSCODE_ARCH: armhf
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxArm64
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARM64'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  variables:
-    VSCODE_ARCH: arm64
-  dependsOn:
-  - Compile
-  steps:
-  - template: linux/product-build-linux-multiarch.yml
+# - job: LinuxArm64
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ARM64'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   variables:
+#     VSCODE_ARCH: arm64
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxAlpine
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ALPINE'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  variables:
-    VSCODE_ARCH: alpine
-  dependsOn:
-  - Compile
-  steps:
-  - template: linux/product-build-linux-multiarch.yml
+# - job: LinuxAlpine
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_LINUX_ALPINE'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   variables:
+#     VSCODE_ARCH: alpine
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: linux/product-build-linux-multiarch.yml
 
-- job: LinuxWeb
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WEB'], 'true'))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  variables:
-    VSCODE_ARCH: x64
-  dependsOn:
-  - Compile
-  steps:
-  - template: web/product-build-web.yml
+# - job: LinuxWeb
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_WEB'], 'true'))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   variables:
+#     VSCODE_ARCH: x64
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: web/product-build-web.yml
+
+# - job: macOS
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_MACOS'], 'true'))
+#   timeoutInMinutes: 180
+#   pool:
+#     vmImage: macOS-latest
+#   dependsOn:
+#   - Compile
+#   steps:
+#   - template: darwin/product-build-darwin.yml
+
+# - job: Release
+#   condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), or(eq(variables['VSCODE_RELEASE'], 'true'), and(or(eq(variables['VSCODE_QUALITY'], 'insider'), eq(variables['VSCODE_QUALITY'], 'exploration')), eq(variables['Build.Reason'], 'Schedule'))))
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   dependsOn:
+#   - Windows
+#   - Windows32
+#   - Linux
+#   - LinuxSnap
+#   - LinuxArmhf
+#   - LinuxArm64
+#   - LinuxAlpine
+#   - macOS
+#   steps:
+#   - template: release.yml
+
+# - job: Mooncake
+#   pool:
+#     vmImage: 'Ubuntu-16.04'
+#   condition: and(succeededOrFailed(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'))
+#   dependsOn:
+#   - Windows
+#   - Windows32
+#   - Linux
+#   - LinuxSnap
+#   - LinuxArmhf
+#   - LinuxArm64
+#   - LinuxAlpine
+#   - LinuxWeb
+#   - macOS
+#   steps:
+#   - template: sync-mooncake.yml
 
 - job: macOS
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), eq(variables['VSCODE_BUILD_MACOS'], 'true'))
+  condition: and(succeeded())
   timeoutInMinutes: 180
   pool:
     vmImage: macOS-latest
   dependsOn:
   - Compile
   steps:
-  - template: darwin/product-build-darwin.yml
-
-- job: Release
-  condition: and(succeeded(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'), or(eq(variables['VSCODE_RELEASE'], 'true'), and(or(eq(variables['VSCODE_QUALITY'], 'insider'), eq(variables['VSCODE_QUALITY'], 'exploration')), eq(variables['Build.Reason'], 'Schedule'))))
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  dependsOn:
-  - Windows
-  - Windows32
-  - Linux
-  - LinuxSnap
-  - LinuxArmhf
-  - LinuxArm64
-  - LinuxAlpine
-  - macOS
-  steps:
-  - template: release.yml
-
-- job: Mooncake
-  pool:
-    vmImage: 'Ubuntu-16.04'
-  condition: and(succeededOrFailed(), eq(variables['VSCODE_COMPILE_ONLY'], 'false'))
-  dependsOn:
-  - Windows
-  - Windows32
-  - Linux
-  - LinuxSnap
-  - LinuxArmhf
-  - LinuxArm64
-  - LinuxAlpine
-  - LinuxWeb
-  - macOS
-  steps:
-  - template: sync-mooncake.yml
+  - template: darwin/codesign-darwin.yml
 
 trigger: none
 pr: none

build/gulpfile.hygiene.js

@@ -82,7 +82,7 @@ const indentationFilter = [
 	'!src/vs/*/**/*.d.ts',
 	'!src/typings/**/*.d.ts',
 	'!extensions/**/*.d.ts',
-	'!**/*.{svg,exe,png,bmp,scpt,bat,cmd,cur,ttf,woff,eot,md,ps1,template,yaml,yml,d.ts.recipe,ico,icns}',
+	'!**/*.{svg,exe,png,bmp,scpt,bat,cmd,cur,ttf,woff,eot,md,ps1,template,yaml,yml,d.ts.recipe,ico,icns,plist}',
 	'!build/{lib,download}/**/*.js',
 	'!build/**/*.sh',
 	'!build/azure-pipelines/**/*.js',