fix: Sign APK during release build using ESRP CodeSign (#17)

Currently, no part of our build or release pipeline signs the APK. This PR introduces the ESRP CodeSign task to release-build.yaml to sign our APK. This will allow us to download the APK from the build artifact for testing purposes and to consume said APK in the release pipeline. You can find a signed apk in the artifacts here. I verified that the cert of the newly published APK matches the cert of our previously published APK using keytool -list -printcert -jarfile <apk>.

Author: jalkire

pipeline/release-build.yaml

@@ -32,6 +32,31 @@ jobs:
               testResultsFiles: '**/TEST-*.xml'
               tasks: 'build'
 
+          - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+            displayName: 'sign release apk with ESRP CodeSigning'
+            inputs:
+              ConnectedServiceName: 'Accessibility Insights for Android Service AAD APP Id'
+              FolderPath: '$(system.defaultWorkingDirectory)/AccessibilityInsightsForAndroidService/app/build/outputs/apk/release'
+              Pattern: '*.apk'
+              signConfigType: inlineSignParams
+              inlineOperation: |
+                [
+                        {
+                            "KeyCode" : "CP-458288-Java",
+                            "OperationCode" : "AndroidSign",
+                            "Parameters" : {},
+                            "ToolName" : "sign",
+                            "ToolVersion" : "1.0"
+                        },
+                        {
+                            "KeyCode" : "CP-458288-Java", 
+                            "OperationCode" : "JavaVerify",
+                            "Parameters" : {},
+                            "ToolName" : "sign",
+                            "ToolVersion" : "1.0"
+                        }
+                ]
+
           - task: PublishPipelineArtifact@1
             displayName: publish apk folder as artifact
             inputs: