Verify that workload manifest MSIs are signed

2021-11-03 23:14:42 -07:00 · 2021-11-03 23:14:42 -07:00 · 2f331cfbc4
commit 2f331cfbc4
parent 590cbca7ea
2 changed files with 35 additions and 2 deletions
--- a/src/redist/targets/BundledManifests.targets
+++ b/src/redist/targets/BundledManifests.targets
@ -22,7 +22,7 @@
      <MsiNupkgId>%(Identity).Manifest-%(FeatureBand).Msi.$(MsiArchitectureForWorkloadManifests)</MsiNupkgId>
      <RestoredNupkgContentPath>$(NuGetPackageRoot)$([MSBuild]::ValueOrDefault('%(NupkgId)', '').ToLower())/$([MSBuild]::ValueOrDefault('%(Version)', '').ToLower())</RestoredNupkgContentPath>
      <RestoredMsiNupkgContentPath>$(NuGetPackageRoot)$([MSBuild]::ValueOrDefault('%(MsiNupkgId)', '').ToLower())/$([MSBuild]::ValueOrDefault('%(Version)', '').ToLower())</RestoredMsiNupkgContentPath>
-      <RestoredMsiPathInNupkg>%(RestoredMsiNupkgContentPath)/data/%(NupkgId).%(Version)-$(MsiArchitectureForWorkloadManifests).msi</RestoredMsiPathInNupkg>
+      <RestoredMsiPathInNupkg>$([MSBuild]::NormalizePath('%(RestoredMsiNupkgContentPath)/data/%(NupkgId).%(Version)-$(MsiArchitectureForWorkloadManifests).msi'))</RestoredMsiPathInNupkg>
    </BundledManifests>
  </ItemGroup>

@ -37,8 +37,40 @@
    <PackageDownload Include="@(BundledManifests->'%(MsiNupkgId)')" >
      <Version>[%(Version)]</Version>
    </PackageDownload>
+
+    <PackageReference Include="Microsoft.DotNet.SignCheck" Version="$(ArcadeSdkVersion)" />
  </ItemGroup>

+  <Target Name="ValidateBundledManifestSigning"
+          Condition=" '$(OS)' == 'Windows_NT' and '$(Architecture)' != 'arm' ">
+
+    <PropertyGroup>
+      <SignCheckExe>$(PkgMicrosoft_DotNet_SignCheck)\tools\Microsoft.DotNet.SignCheck.exe</SignCheckExe>
+      <SignCheckLog Condition="'$(SignCheckLog)' == ''">$(ArtifactsLogDir)\workloadmanifestsigncheck.log</SignCheckLog>
+      <SignCheckErrorLog Condition="'$(SignCheckErrorLog)' == ''">$(ArtifactsLogDir)\workloadmanifestsigncheck.errors.log</SignCheckErrorLog>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <SignCheckWorkloadManifestMsiInputFiles Include="@(BundledManifests->'%(RestoredMsiPathInNupkg)')" />
+    </ItemGroup>
+
+    <Exec Command="$(SignCheckExe) ^
+                   --recursive ^
+                   -f UnsignedFiles ^
+                   -i @(SignCheckWorkloadManifestMsiInputFiles, ' ') ^
+                   -l $(SignCheckLog) ^
+                   -e $(SignCheckErrorLog)" />
+
+    <Error
+      Text="Signing validation failed for workload manifest MSI. Check $(SignCheckErrorLog) for more information."
+      Condition="Exists($(SignCheckErrorLog)) and '$([System.IO.File]::ReadAllText($(SignCheckErrorLog)))' != ''" />
+
+    <Message
+      Text="##vso[artifact.upload containerfolder=LogFiles;artifactname=LogFiles]{SignCheckErrorLog}"
+      Condition="Exists($(SignCheckErrorLog)) and '$([System.IO.File]::ReadAllText($(SignCheckErrorLog)))' != ''" />
+    
+  </Target>
+
  <Target Name="LayoutManifests"
          DependsOnTargets="SetupBundledComponents">

--- a/src/redist/targets/GenerateMSIs.targets
+++ b/src/redist/targets/GenerateMSIs.targets
@ -280,7 +280,8 @@
    </ItemGroup>
  </Target>

-  <Target Name="GenerateWorkloadManifestsWxs">
+  <Target Name="GenerateWorkloadManifestsWxs"
+          DependsOnTargets="ValidateBundledManifestSigning">
    <PropertyGroup>
      <WorkloadManifestsWxsPath>$(IntermediateOutputPath)WorkloadManifests.wxs</WorkloadManifestsWxsPath>
      <WorkloadManifestsWxsContent>