From 3ae14ab618e157e91d92cb68eb86e4274bdadbd5 Mon Sep 17 00:00:00 2001
From: Nate Amundson <naamunds@microsoft.com>
Date: Wed, 12 Oct 2016 14:25:06 -0500
Subject: [PATCH] Upload checksums for installation artifacts (#4191)

The checksums are SHA-512 hashes, which users can use to verify file
integrity and authenticity.
---
 build/Microsoft.DotNet.Cli.Publish.targets    |  38 ++--
 build/Microsoft.DotNet.Cli.tasks              |   7 +-
 build/publish/FinishBuild.targets             |  34 ++++
 .../Microsoft.DotNet.Cli.Checksum.targets     |  21 +++
 build/publish/PublishContent.targets          |  43 +++--
 .../CheckIfAllBuildsHavePublished.cs          |  86 +++++++++
 .../dotnet-cli-build/CopyBlobsToLatest.cs     | 108 ++++++++++++
 .../dotnet-cli-build/FinalizeBuildTask.cs     | 163 ------------------
 .../dotnet-cli-build/GenerateChecksums.cs     |  66 +++++++
 .../dotnet-cli-build/UpdateVersionsRepo.cs    |  27 +++
 scripts/dockerrun.sh                          |   9 +-
 11 files changed, 402 insertions(+), 200 deletions(-)
 create mode 100644 build/publish/FinishBuild.targets
 create mode 100644 build/publish/Microsoft.DotNet.Cli.Checksum.targets
 create mode 100644 build_projects/dotnet-cli-build/CheckIfAllBuildsHavePublished.cs
 create mode 100644 build_projects/dotnet-cli-build/CopyBlobsToLatest.cs
 delete mode 100644 build_projects/dotnet-cli-build/FinalizeBuildTask.cs
 create mode 100644 build_projects/dotnet-cli-build/GenerateChecksums.cs
 create mode 100644 build_projects/dotnet-cli-build/UpdateVersionsRepo.cs

diff --git a/build/Microsoft.DotNet.Cli.Publish.targets b/build/Microsoft.DotNet.Cli.Publish.targets
index 2a3feae93..a05512cf4 100644
--- a/build/Microsoft.DotNet.Cli.Publish.targets
+++ b/build/Microsoft.DotNet.Cli.Publish.targets
@@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildThisFileDirectory)/publish/FinishBuild.targets" />
   <Import Project="$(MSBuildThisFileDirectory)/publish/PublishContent.targets" />
   <Import Project="$(MSBuildThisFileDirectory)/publish/Microsoft.DotNet.Cli.Badge.targets" />
+  <Import Project="$(MSBuildThisFileDirectory)/publish/Microsoft.DotNet.Cli.Checksum.targets" />
 
   <!-- PUBLISH_TO_AZURE_BLOB env variable set by CI -->
   <Target Name="Publish"
@@ -16,26 +18,22 @@
           DependsOnTargets="SetupAzureBlobInformation;
                             GenerateVersionBadge;
                             GatherItemsForPattern;
-                            UploadToAzure;
+                            GenerateChecksums;
+                            UploadArtifactsToAzure;
+                            UploadChecksumsToAzure;
                             PublishDebFilesToDebianRepo;
                             PublishCliVersionBadge" />
 
-  <Target Name="FinishBuild">
-    <FinalizeBuild AccountName="$(CloudDropAccountName)"
-                   AccountKey="$(CloudDropAccessToken)"
-                   NugetVersion="$(NugetVersion)"
-                   Channel="$(Channel)"
-                   CommitHash="$(CommitHash)"
-                   BranchName="$(BranchName)" />
-  </Target>
-
   <Target Name="SetupAzureBlobInformation">
     <PropertyGroup>
       <Product>Sdk</Product>
-      <ContainerName>$(STORAGE_CONTAINER)</ContainerName>
-      <CloudDropAccessToken>$(STORAGE_KEY)</CloudDropAccessToken>
-      <CloudDropAccountName>$(STORAGE_ACCOUNT)</CloudDropAccountName>
-      <DotnetBlobRootUrl>https://$(CloudDropAccountName).blob.core.windows.net/$(ContainerName)</DotnetBlobRootUrl>
+      <ArtifactContainerName>$(ARTIFACT_STORAGE_CONTAINER)</ArtifactContainerName>
+      <ArtifactCloudDropAccessToken>$(ARTIFACT_STORAGE_KEY)</ArtifactCloudDropAccessToken>
+      <ArtifactCloudDropAccountName>$(ARTIFACT_STORAGE_ACCOUNT)</ArtifactCloudDropAccountName>
+      <DotnetBlobRootUrl>https://$(ArtifactCloudDropAccountName).blob.core.windows.net/$(ArtifactContainerName)</DotnetBlobRootUrl>
+      <ChecksumContainerName>$(CHECKSUM_STORAGE_CONTAINER)</ChecksumContainerName>
+      <ChecksumCloudDropAccessToken>$(CHECKSUM_STORAGE_KEY)</ChecksumCloudDropAccessToken>
+      <ChecksumCloudDropAccountName>$(CHECKSUM_STORAGE_ACCOUNT)</ChecksumCloudDropAccountName>
     </PropertyGroup>
   </Target>
 
@@ -94,16 +92,16 @@
     </ItemGroup>
 
     <UploadToAzure
-      AccountKey="$(CloudDropAccessToken)"
-      AccountName="$(CloudDropAccountName)"
-      ContainerName="$(ContainerName)"
+      AccountKey="$(ArtifactCloudDropAccessToken)"
+      AccountName="$(ArtifactCloudDropAccountName)"
+      ContainerName="$(ArtifactContainerName)"
       Items="@(CliVersionBadgeToUpload)"
       Overwrite="$(OverwriteOnPublish)" />
 
     <SetBlobPropertiesBasedOnFileType
-      AccountKey="$(CloudDropAccessToken)"
-      AccountName="$(CloudDropAccountName)"
-      ContainerName="$(ContainerName)"
+      AccountKey="$(ArtifactCloudDropAccessToken)"
+      AccountName="$(ArtifactCloudDropAccountName)"
+      ContainerName="$(ArtifactContainerName)"
       Items="@(CliVersionBadgeToUpload)" />
   </Target>
 </Project>
\ No newline at end of file
diff --git a/build/Microsoft.DotNet.Cli.tasks b/build/Microsoft.DotNet.Cli.tasks
index c4e97c612..7de1a9a70 100644
--- a/build/Microsoft.DotNet.Cli.tasks
+++ b/build/Microsoft.DotNet.Cli.tasks
@@ -2,7 +2,10 @@
 <Project ToolsVersion="14.0" DefaultTargets="Test" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <UsingTask TaskName="AddMetadataIsPE" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="ChangeEntryPointLibraryName" AssemblyFile="$(CLIBuildDll)" />
+  <UsingTask TaskName="CheckIfAllBuildsHavePublished" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="ChMod" AssemblyFile="$(CLIBuildDll)" />
+  <UsingTask TaskName="CopyBlobsToLatest" AssemblyFile="$(CLIBuildDll)" />
+  <UsingTask TaskName="CreateAzureContainer" AssemblyFile="$(CLIBuildDll)"/>
   <UsingTask TaskName="Crossgen" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="DotNetBuild" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="DotNetNew" AssemblyFile="$(CLIBuildDll)" />
@@ -11,8 +14,8 @@
   <UsingTask TaskName="DotNetRestore" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="DotNetTest" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="DownloadFile" AssemblyFile="$(CLIBuildDll)" />
-  <UsingTask TaskName="FinalizeBuild" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="GenerateBuildVersionInfo" AssemblyFile="$(CLIBuildDll)" />
+  <UsingTask TaskName="GenerateChecksums" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="GenerateGuidFromName" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="GetCommitHash" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="GetCurrentRuntimeInformation" AssemblyFile="$(CLIBuildDll)" />
@@ -23,7 +26,7 @@
   <UsingTask TaskName="SetEnvVar" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="TarGzFileCreateFromDirectory" AssemblyFile="$(CLIBuildDll)" />
   <UsingTask TaskName="TarGzFileExtractToDirectory" AssemblyFile="$(CLIBuildDll)" />
-  <UsingTask TaskName="CreateAzureContainer" AssemblyFile="$(CLIBuildDll)"/>
+  <UsingTask TaskName="UpdateVersionsRepo" AssemblyFile="$(CLIBuildDll)"/>
   <UsingTask TaskName="UploadToAzure" AssemblyFile="$(CLIBuildDll)"/>
   <UsingTask TaskName="ZipFileCreateFromDirectory" AssemblyFile="$(CLIBuildDll)"/>
   <UsingTask TaskName="ZipFileExtractToDirectory" AssemblyFile="$(CLIBuildDll)"/>
diff --git a/build/publish/FinishBuild.targets b/build/publish/FinishBuild.targets
new file mode 100644
index 000000000..307e23d30
--- /dev/null
+++ b/build/publish/FinishBuild.targets
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Target Name="FinishBuild"
+          DependsOnTargets="CheckIfAllBuildsHavePublished;
+                            FinalizeBuild" />
+
+  <Target Name="CheckIfAllBuildsHavePublished">
+    <CheckIfAllBuildsHavePublished AccountKey="$(ArtifactCloudDropAccessToken)"
+                                   AccountName="$(ArtifactCloudDropAccountName)"
+                                   ContainerName="$(ArtifactContainerName)"
+                                   NugetVersion="$(NugetVersion)">
+      <Output TaskParameter="HaveAllBuildsPublished" PropertyName="HaveAllBuildsPublished" />
+    </CheckIfAllBuildsHavePublished>
+  </Target>
+
+  <Target Name="FinalizeBuild"
+          Condition=" '$(HaveAllBuildsPublished)' == 'True' ">
+    <CopyBlobsToLatest AccountName="$(ArtifactCloudDropAccountName)"
+                       AccountKey="$(ArtifactCloudDropAccessToken)"
+                       ContainerName="$(ArtifactContainerName)"
+                       NugetVersion="$(NugetVersion)"
+                       Channel="$(Channel)"
+                       CommitHash="$(CommitHash)" />
+
+    <CopyBlobsToLatest AccountName="$(ChecksumCloudDropAccountName)"
+                       AccountKey="$(ChecksumCloudDropAccessToken)"
+                       ContainerName="$(ChecksumContainerName)"
+                       NugetVersion="$(NugetVersion)"
+                       Channel="$(Channel)"
+                       CommitHash="$(CommitHash)" />
+
+    <UpdateVersionsRepo BranchName="$(BranchName)" />
+  </Target>
+</Project>
diff --git a/build/publish/Microsoft.DotNet.Cli.Checksum.targets b/build/publish/Microsoft.DotNet.Cli.Checksum.targets
new file mode 100644
index 000000000..57e27b2a0
--- /dev/null
+++ b/build/publish/Microsoft.DotNet.Cli.Checksum.targets
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Target Name="GenerateChecksums"
+          DependsOnTargets="Init;
+                            InitializeChecksumItemGroup;"
+          Inputs="@(ArtifactsForGeneratingChecksums)"
+          Outputs="%(ArtifactsForGeneratingChecksums.DestinationPath)">
+    <GenerateChecksums Items="@(ArtifactsForGeneratingChecksums)" />
+  </Target>
+
+  <Target Name="InitializeChecksumItemGroup"
+          DependsOnTargets="Init;
+                            GatherItemsForPattern">
+    <ItemGroup>
+      <ArtifactsForGeneratingChecksums Include="@(ForPublishing)">
+        <DestinationPath>%(ForPublishing.FullPath).sha</DestinationPath>
+        <RelativeBlobPath>%(ForPublishing.RelativeBlobPath).sha</RelativeBlobPath>
+      </ArtifactsForGeneratingChecksums>
+    </ItemGroup>
+  </Target>
+</Project>
diff --git a/build/publish/PublishContent.targets b/build/publish/PublishContent.targets
index 63427baba..d186a9db4 100644
--- a/build/publish/PublishContent.targets
+++ b/build/publish/PublishContent.targets
@@ -13,29 +13,48 @@
     <!-- add relative blob path metadata -->
     <ItemGroup>
       <ForPublishing>
-        <RelativeBlobPath>$([System.String]::Copy('%(RecursiveDir)%(Filename)%(Extension)').Replace('\' ,'/'))</RelativeBlobPath> 
+        <RelativeBlobPath>$([System.String]::Copy('%(RecursiveDir)%(Filename)%(Extension)').Replace('\' ,'/'))</RelativeBlobPath>
       </ForPublishing>
     </ItemGroup>
     <Error Condition="'@(ForPublishing)' == ''" Text="No items were found matching pattern '$(PublishPattern)'." />
   </Target>
 
-  <!-- publishes items to blob storage in Azure -->
-  <Target Name="UploadToAzure" DependsOnTargets="GatherItemsForPattern">
-    <Error Condition="'$(ContainerName)' == ''" Text="Missing property ContainerName." />
-    <Error Condition="'$(CloudDropAccountName)' == ''" Text="Missing property CloudDropAccountName." />
-    <Error Condition="'$(CloudDropAccessToken)' == ''" Text="Missing property CloudDropAccessToken." />
+  <!-- publishes artifacts to blob storage in Azure -->
+  <Target Name="UploadArtifactsToAzure" DependsOnTargets="GatherItemsForPattern">
+    <Error Condition="'$(ArtifactContainerName)' == ''" Text="Missing property ArtifactContainerName." />
+    <Error Condition="'$(ArtifactCloudDropAccountName)' == ''" Text="Missing property ArtifactCloudDropAccountName." />
+    <Error Condition="'$(ArtifactCloudDropAccessToken)' == ''" Text="Missing property ArtifactCloudDropAccessToken." />
     <!-- create the container if it doesn't exist -->
     <CreateAzureContainer
-      AccountKey="$(CloudDropAccessToken)"
-      AccountName="$(CloudDropAccountName)"
-      ContainerName="$(ContainerName)" />
+      AccountKey="$(ArtifactCloudDropAccessToken)"
+      AccountName="$(ArtifactCloudDropAccountName)"
+      ContainerName="$(ArtifactContainerName)" />
     <!-- now upload the items -->
     <UploadToAzure
-      AccountKey="$(CloudDropAccessToken)"
-      AccountName="$(CloudDropAccountName)"
-      ContainerName="$(ContainerName)"
+      AccountKey="$(ArtifactCloudDropAccessToken)"
+      AccountName="$(ArtifactCloudDropAccountName)"
+      ContainerName="$(ArtifactContainerName)"
       Items="@(ForPublishing)"
       Overwrite="$(OverwriteOnPublish)" />
   </Target>
 
+  <!-- publishes checksums for the artifacts to blob storage in Azure -->
+  <Target Name="UploadChecksumsToAzure" DependsOnTargets="GenerateChecksums">
+    <Error Condition="'$(ChecksumContainerName)' == ''" Text="Missing property ChecksumContainerName." />
+    <Error Condition="'$(ChecksumCloudDropAccountName)' == ''" Text="Missing property ChecksumCloudDropAccountName." />
+    <Error Condition="'$(ChecksumCloudDropAccessToken)' == ''" Text="Missing property ChecksumCloudDropAccessToken." />
+    <!-- create the container if it doesn't exist -->
+    <CreateAzureContainer
+      AccountKey="$(ChecksumCloudDropAccessToken)"
+      AccountName="$(ChecksumCloudDropAccountName)"
+      ContainerName="$(ChecksumContainerName)" />
+    <!-- now upload the items -->
+    <UploadToAzure
+      AccountKey="$(ChecksumCloudDropAccessToken)"
+      AccountName="$(ChecksumCloudDropAccountName)"
+      ContainerName="$(ChecksumContainerName)"
+      Items="@(ArtifactsForGeneratingChecksums->'%(DestinationPath)')"
+      Overwrite="$(OverwriteOnPublish)" />
+  </Target>
+
 </Project>
\ No newline at end of file
diff --git a/build_projects/dotnet-cli-build/CheckIfAllBuildsHavePublished.cs b/build_projects/dotnet-cli-build/CheckIfAllBuildsHavePublished.cs
new file mode 100644
index 000000000..cfeb125a1
--- /dev/null
+++ b/build_projects/dotnet-cli-build/CheckIfAllBuildsHavePublished.cs
@@ -0,0 +1,86 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+
+namespace Microsoft.DotNet.Cli.Build
+{
+    public class CheckIfAllBuildsHavePublished : Task
+    {
+        private AzurePublisher _azurePublisher;
+
+        [Required]
+        public string AccountName { get; set; }
+
+        [Required]
+        public string AccountKey { get; set; }
+
+        [Required]
+        public string ContainerName { get; set; }
+
+        [Required]
+        public string NugetVersion { get; set; }
+
+        [Output]
+        public string HaveAllBuildsPublished { get; set; }
+
+        private AzurePublisher AzurePublisherTool
+        {
+            get
+            {
+                if (_azurePublisher == null)
+                {
+                    _azurePublisher = new AzurePublisher(AccountName, AccountKey, ContainerName);
+                }
+
+                return _azurePublisher;
+            }
+        }
+
+        public override bool Execute()
+        {
+            var badges = new Dictionary<string, bool>()
+            {
+                { "Windows_x86", false },
+                { "Windows_x64", false },
+                { "Ubuntu_x64", false },
+                { "Ubuntu_16_04_x64", false },
+                { "RHEL_x64", false },
+                { "OSX_x64", false },
+                { "Debian_x64", false },
+                { "CentOS_x64", false },
+                { "Fedora_23_x64", false },
+                { "openSUSE_13_2_x64", false }
+            };
+
+            var versionBadgeName = $"{Monikers.GetBadgeMoniker()}";
+            if (!badges.ContainsKey(versionBadgeName))
+            {
+                throw new ArgumentException($"A new OS build '{versionBadgeName}' was added without adding the moniker to the {nameof(badges)} lookup");
+            }
+
+            IEnumerable<string> blobs = AzurePublisherTool.ListBlobs(AzurePublisher.Product.Sdk, NugetVersion);
+            foreach (string file in blobs)
+            {
+                string name = Path.GetFileName(file);
+                foreach (string img in badges.Keys)
+                {
+                    if ((name.StartsWith($"{img}")) && (name.EndsWith(".svg")))
+                    {
+                        badges[img] = true;
+                        break;
+                    }
+                }
+            }
+
+            HaveAllBuildsPublished = badges.Values.All(v => v).ToString();
+
+            return true;
+        }
+    }
+}
diff --git a/build_projects/dotnet-cli-build/CopyBlobsToLatest.cs b/build_projects/dotnet-cli-build/CopyBlobsToLatest.cs
new file mode 100644
index 000000000..54b8aefb8
--- /dev/null
+++ b/build_projects/dotnet-cli-build/CopyBlobsToLatest.cs
@@ -0,0 +1,108 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+using System.IO;
+using System.Linq;
+using System.Text.RegularExpressions;
+
+namespace Microsoft.DotNet.Cli.Build
+{
+    public class CopyBlobsToLatest : Task
+    {
+        private AzurePublisher _azurePublisher;
+
+        [Required]
+        public string AccountName { get; set; }
+
+        [Required]
+        public string AccountKey { get; set; }
+
+        [Required]
+        public string Channel { get; set; }
+
+        [Required]
+        public string CommitHash { get; set; }
+
+        [Required]
+        public string ContainerName { get; set; }
+
+        [Required]
+        public string NugetVersion { get; set; }
+
+        private AzurePublisher AzurePublisherTool
+        {
+            get
+            {
+                if (_azurePublisher == null)
+                {
+                    _azurePublisher = new AzurePublisher(AccountName, AccountKey, ContainerName);
+                }
+
+                return _azurePublisher;
+            }
+        }
+
+        public override bool Execute()
+        {
+            string targetFolder = $"{AzurePublisher.Product.Sdk}/{Channel}";
+
+            string targetVersionFile = $"{targetFolder}/{CommitHash}";
+            string semaphoreBlob = $"{targetFolder}/publishSemaphore";
+            AzurePublisherTool.CreateBlobIfNotExists(semaphoreBlob);
+            string leaseId = AzurePublisherTool.AcquireLeaseOnBlob(semaphoreBlob);
+
+            // Prevent race conditions by dropping a version hint of what version this is. If we see this file
+            // and it is the same as our version then we know that a race happened where two+ builds finished 
+            // at the same time and someone already took care of publishing and we have no work to do.
+            if (AzurePublisherTool.IsLatestSpecifiedVersion(targetVersionFile))
+            {
+                AzurePublisherTool.ReleaseLeaseOnBlob(semaphoreBlob, leaseId);
+                return true;
+            }
+            else
+            {
+                Regex versionFileRegex = new Regex(@"(?<CommitHash>[\w\d]{40})");
+
+                // Delete old version files
+                AzurePublisherTool.ListBlobs(targetFolder)
+                    .Where(s => versionFileRegex.IsMatch(s))
+                    .ToList()
+                    .ForEach(f => AzurePublisherTool.TryDeleteBlob(f));
+
+                // Drop the version file signaling such for any race-condition builds (see above comment).
+                AzurePublisherTool.DropLatestSpecifiedVersion(targetVersionFile);
+            }
+
+            try
+            {
+                CopyBlobs(targetFolder);
+
+                string cliVersion = Utils.GetVersionFileContent(CommitHash, NugetVersion);
+                AzurePublisherTool.PublishStringToBlob($"{targetFolder}/latest.version", cliVersion);
+            }
+            finally
+            {
+                AzurePublisherTool.ReleaseLeaseOnBlob(semaphoreBlob, leaseId);
+            }
+
+            return true;
+        }
+
+        private void CopyBlobs(string destinationFolder)
+        {
+            Log.LogMessage("Copying blobs to {0}/{1}", ContainerName, destinationFolder);
+
+            foreach (string blob in AzurePublisherTool.ListBlobs(AzurePublisher.Product.Sdk, NugetVersion))
+            {
+                string targetName = Path.GetFileName(blob)
+                                        .Replace(NugetVersion, "latest");
+
+                string target = $"{destinationFolder}/{targetName}";
+
+                AzurePublisherTool.CopyBlob(blob, target);
+            }
+        }
+    }
+}
diff --git a/build_projects/dotnet-cli-build/FinalizeBuildTask.cs b/build_projects/dotnet-cli-build/FinalizeBuildTask.cs
deleted file mode 100644
index 7c143415c..000000000
--- a/build_projects/dotnet-cli-build/FinalizeBuildTask.cs
+++ /dev/null
@@ -1,163 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Text.RegularExpressions;
-using Microsoft.Build.Framework;
-using Microsoft.Build.Utilities;
-
-namespace Microsoft.DotNet.Cli.Build
-{
-    public class FinalizeBuild : Task
-    {
-        private AzurePublisher _azurePublisher;
-
-        [Required]
-        public string AccountName { get; set; }
-
-        [Required]
-        public string AccountKey { get; set; }
-
-        [Required]
-        public string NugetVersion { get; set; }
-
-        [Required]
-        public string Channel { get; set; }
-
-        [Required]
-        public string CommitHash { get; set; }
-
-        [Required]
-        public string BranchName { get; set; }
-
-        private AzurePublisher AzurePublisherTool
-        {
-            get
-            {
-                if(_azurePublisher == null)
-                {
-                    _azurePublisher = new AzurePublisher(AccountName, AccountKey);
-                }
-
-                return _azurePublisher;
-            }
-        }
-
-        public override bool Execute()
-        {
-            DoFinalizeBuild();
-
-            return true;
-        }
-
-        private void DoFinalizeBuild()
-        {
-            if (CheckIfAllBuildsHavePublished())
-            {
-                string targetContainer = $"{AzurePublisher.Product.Sdk}/{Channel}";
-                string targetVersionFile = $"{targetContainer}/{CommitHash}";
-                string semaphoreBlob = $"{targetContainer}/publishSemaphore";
-                AzurePublisherTool.CreateBlobIfNotExists(semaphoreBlob);
-                string leaseId = AzurePublisherTool.AcquireLeaseOnBlob(semaphoreBlob);
-
-                // Prevent race conditions by dropping a version hint of what version this is. If we see this file
-                // and it is the same as our version then we know that a race happened where two+ builds finished 
-                // at the same time and someone already took care of publishing and we have no work to do.
-                if (AzurePublisherTool.IsLatestSpecifiedVersion(targetVersionFile))
-                {
-                    AzurePublisherTool.ReleaseLeaseOnBlob(semaphoreBlob, leaseId);
-                    return;
-                }
-                else
-                {
-                    Regex versionFileRegex = new Regex(@"(?<CommitHash>[\w\d]{40})");
-
-                    // Delete old version files
-                    AzurePublisherTool.ListBlobs(targetContainer)
-                        .Where(s => versionFileRegex.IsMatch(s))
-                        .ToList()
-                        .ForEach(f => AzurePublisherTool.TryDeleteBlob(f));
-
-                    // Drop the version file signaling such for any race-condition builds (see above comment).
-                    AzurePublisherTool.DropLatestSpecifiedVersion(targetVersionFile);
-                }
-
-                try
-                {
-                    CopyBlobsToLatest(targetContainer);
-
-                    string cliVersion = Utils.GetVersionFileContent(CommitHash, NugetVersion);
-                    AzurePublisherTool.PublishStringToBlob($"{targetContainer}/latest.version", cliVersion);
-
-                    UpdateVersionsRepo();
-                }
-                finally
-                {
-                    AzurePublisherTool.ReleaseLeaseOnBlob(semaphoreBlob, leaseId);
-                }
-            }
-        }
-
-        private bool CheckIfAllBuildsHavePublished()
-        {
-            var badges = new Dictionary<string, bool>()
-            {
-                { "Windows_x86", false },
-                { "Windows_x64", false },
-                { "Ubuntu_x64", false },
-                { "Ubuntu_16_04_x64", false },
-                { "RHEL_x64", false },
-                { "OSX_x64", false },
-                { "Debian_x64", false },
-                { "CentOS_x64", false },
-                { "Fedora_23_x64", false },
-                { "openSUSE_13_2_x64", false }
-            };
-
-            var versionBadgeName = $"{Monikers.GetBadgeMoniker()}";
-            if (!badges.ContainsKey(versionBadgeName))
-            {
-                throw new ArgumentException($"A new OS build '{versionBadgeName}' was added without adding the moniker to the {nameof(badges)} lookup");
-            }
-
-            IEnumerable<string> blobs = AzurePublisherTool.ListBlobs(AzurePublisher.Product.Sdk, NugetVersion);
-            foreach (string file in blobs)
-            {
-                string name = Path.GetFileName(file);
-                foreach (string img in badges.Keys)
-                {
-                    if ((name.StartsWith($"{img}")) && (name.EndsWith(".svg")))
-                    {
-                        badges[img] = true;
-                        break;
-                    }
-                }
-            }
-
-            return badges.Values.All(v => v);
-        }
-
-        private void CopyBlobsToLatest(string destinationFolder)
-        {
-            foreach (string blob in AzurePublisherTool.ListBlobs(AzurePublisher.Product.Sdk, NugetVersion))
-            {
-                string targetName = Path.GetFileName(blob)
-                                        .Replace(NugetVersion, "latest");
-
-                string target = $"{destinationFolder}/{targetName}";
-                AzurePublisherTool.CopyBlob(blob, target);
-            }
-        }
-
-        private void UpdateVersionsRepo()
-        {
-            string githubAuthToken = EnvVars.EnsureVariable("GITHUB_PASSWORD");
-            string nupkgFilePath = Dirs.Packages;
-            string branchName = BranchName;
-            string versionsRepoPath = $"build-info/dotnet/cli/{branchName}/Latest";
-
-            VersionRepoUpdater repoUpdater = new VersionRepoUpdater(githubAuthToken);
-            repoUpdater.UpdatePublishedVersions(nupkgFilePath, versionsRepoPath).Wait();
-        }
-    }
-}
\ No newline at end of file
diff --git a/build_projects/dotnet-cli-build/GenerateChecksums.cs b/build_projects/dotnet-cli-build/GenerateChecksums.cs
new file mode 100644
index 000000000..4bd1ef7c0
--- /dev/null
+++ b/build_projects/dotnet-cli-build/GenerateChecksums.cs
@@ -0,0 +1,66 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace Microsoft.DotNet.Build.Tasks
+{
+    public class GenerateChecksums : Task
+    {
+        /// <summary>
+        /// An item collection of files for which to generate checksums.  Each item must have metadata
+        /// 'DestinationPath' that specifies the path of the checksum file to create.
+        /// </summary>
+        [Required]
+        public ITaskItem[] Items { get; set; }
+
+        public override bool Execute()
+        {
+            foreach (ITaskItem item in Items)
+            {
+                try
+                {
+                    string destinationPath = item.GetMetadata("DestinationPath");
+                    if (string.IsNullOrEmpty(destinationPath))
+                    {
+                        throw new Exception($"Metadata 'DestinationPath' is missing for item '{item.ItemSpec}'.");
+                    }
+
+                    if (!File.Exists(item.ItemSpec))
+                    {
+                        throw new Exception($"The file '{item.ItemSpec}' does not exist.");
+                    }
+
+                    Log.LogMessage(
+                        MessageImportance.High,
+                        "Generating checksum for '{0}' into '{1}'...",
+                        item.ItemSpec,
+                        destinationPath);
+
+                    using (FileStream stream = File.OpenRead(item.ItemSpec))
+                    {
+                        HashAlgorithm hashAlgorithm = SHA512.Create();
+                        byte[] hash = hashAlgorithm.ComputeHash(stream);
+                        string checksum = BitConverter.ToString(hash).Replace("-", string.Empty);
+                        File.WriteAllText(destinationPath, checksum);
+                    }
+                }
+                catch (Exception e)
+                {
+                    // We have 2 log calls because we want a nice error message but we also want to capture the
+                    // callstack in the log.
+                    Log.LogError("An exception occurred while trying to generate a checksum for '{0}'.", item.ItemSpec);
+                    Log.LogMessage(MessageImportance.Low, e.ToString());
+                    return false;
+                }
+            }
+
+            return true;
+        }
+    }
+}
diff --git a/build_projects/dotnet-cli-build/UpdateVersionsRepo.cs b/build_projects/dotnet-cli-build/UpdateVersionsRepo.cs
new file mode 100644
index 000000000..b17b9bee7
--- /dev/null
+++ b/build_projects/dotnet-cli-build/UpdateVersionsRepo.cs
@@ -0,0 +1,27 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+
+namespace Microsoft.DotNet.Cli.Build
+{
+    public class UpdateVersionsRepo : Task
+    {
+        [Required]
+        public string BranchName { get; set; }
+
+        public override bool Execute()
+        {
+            string githubAuthToken = EnvVars.EnsureVariable("GITHUB_PASSWORD");
+            string nupkgFilePath = Dirs.Packages;
+            string branchName = BranchName;
+            string versionsRepoPath = $"build-info/dotnet/cli/{branchName}/Latest";
+
+            VersionRepoUpdater repoUpdater = new VersionRepoUpdater(githubAuthToken);
+            repoUpdater.UpdatePublishedVersions(nupkgFilePath, versionsRepoPath).Wait();
+
+            return true;
+        }
+    }
+}
diff --git a/scripts/dockerrun.sh b/scripts/dockerrun.sh
index 3d4ccf21c..4c289cc94 100755
--- a/scripts/dockerrun.sh
+++ b/scripts/dockerrun.sh
@@ -126,8 +126,11 @@ docker run $INTERACTIVE -t --rm --sig-proxy=true \
     -e NUGET_FEED_URL \
     -e NUGET_API_KEY \
     -e GITHUB_PASSWORD \
-    -e STORAGE_KEY \
-    -e STORAGE_ACCOUNT \
-    -e STORAGE_CONTAINER \
+    -e ARTIFACT_STORAGE_KEY \
+    -e ARTIFACT_STORAGE_ACCOUNT \
+    -e ARTIFACT_STORAGE_CONTAINER \
+    -e CHECKSUM_STORAGE_KEY \
+    -e CHECKSUM_STORAGE_ACCOUNT \
+    -e CHECKSUM_STORAGE_CONTAINER \
     $DOTNET_BUILD_CONTAINER_TAG \
     $BUILD_COMMAND "$@"