Re-support in-build signing (#14165)
Add back in support for in-build signing. This is actually even simpler than it was before, because arcade added support for signing wixpacks. So there is no need to do the iterative sign->pack->sign->pack process that was previously common in any repo that creates an installer. Instead, the normal sign target in the arcade SDK build process will simply process all of the files to sign. Post-build signing remains the default for now; the default will be flipped once verification is complete.
parent
2ac91997cb
commit
a9d6b28f1e
5 changed files with 14 additions and 236 deletions
|
@ -1,12 +1,19 @@
|
|||
<Project>
|
||||
|
||||
<ItemGroup>
|
||||
<!-- Do not sign non-shipping packages when doing in-build signing -->
|
||||
<ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" Condition="'$(PostBuildSign)' != 'true'" />
|
||||
<!-- Remove the wixpacks from items to sign post build. These will be added explicitly by the
|
||||
custom publishing target. And should not be picked up by arcade's default publishing logic. -->
|
||||
<ItemsToSignPostBuild Remove="*.wixpack.zip" />
|
||||
</ItemGroup>
|
||||
<ItemGroup Condition="'$(PostBuildSign)' != 'true'">
|
||||
<ItemsToSign Remove="@(ItemsToSign)" />
|
||||
<ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.zip" Condition=" '$(PublishBinariesAndBadge)' == 'true' " />
|
||||
<ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.exe" />
|
||||
<ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.msi" />
|
||||
<ItemsToSign Include="$(ArtifactsNonShippingPackagesDir)*.msi" />
|
||||
<ItemsToSign Include="$(ArtifactsNonShippingPackagesDir)*.zip" Condition=" '$(PublishBinariesAndBadge)' == 'true' " />
|
||||
<ItemsToSign Include="$(ArtifactsPackagesDir)**\*.wixpack.zip" />
|
||||
</ItemGroup>
|
||||
|
||||
<PropertyGroup>
|
||||
<ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
|
||||
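Review bot: The `<ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" Condition="'$(PostBuildSign)' != 'true'" />` line in the first ItemGroup has no effect once the next ItemGroup runs `<ItemsToSign Remove="@(ItemsToSign)" />` under the same condition, because everything is cleared and only `*.zip`, `*.exe`, `*.msi` and `*.wixpack.zip` are added back. The in-build list is therefore an explicit allowlist that holds no `.nupkg` at all, shipping or not, and the remaining comment no longer describes that. The rendered page has lost its +/- markers, so which of these lines are new is inferred. I would drop the redundant Remove and state the intent above the conditional group, for example `<!-- In-build signing: replace the default ItemsToSign with an explicit allowlist; .nupkg files are deliberately not signed here -->`, or add the package glob if NuGet packages are meant to be signed. The enclosing `<PropertyGroup>` continues past the end of the hunk.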
|
|
|
@ -48,6 +48,4 @@
|
|||
<Import Project="targets\GenerateInstallers.targets" />
|
||||
<Import Project="targets\Badge.targets" />
|
||||
<Import Project="targets\Checksum.targets" />
|
||||
|
||||
<Import Project="targets\Signing.targets" />
|
||||
</Project>
|
||||
|
|
|
@ -572,8 +572,7 @@
|
|||
RetargetTools;
|
||||
CrossgenLayout;
|
||||
LayoutAppHostTemplate;
|
||||
GeneratePrecomputedRarCache;
|
||||
SignLayout"
|
||||
GeneratePrecomputedRarCache"
|
||||
BeforeTargets="AfterBuild">
|
||||
|
||||
</Target>
|
||||
|
|
|
@ -307,7 +307,7 @@
|
|||
</Target>
|
||||
|
||||
<Target Name="GenerateSdkBundle"
|
||||
DependsOnTargets="GenerateLayout;AcquireWix;MsiTargetsSetupInputOutputs;GenerateSdkMsi;SignSdkMsi;GenerateTemplatesMsis;GenerateWorkloadManifestsWxs;SignTemplatesMsis"
|
||||
DependsOnTargets="GenerateLayout;AcquireWix;MsiTargetsSetupInputOutputs;GenerateSdkMsi;GenerateTemplatesMsis;GenerateWorkloadManifestsWxs"
|
||||
Condition=" '$(OS)' == 'Windows_NT' "
|
||||
Inputs="$(SdkMSIInstallerFile);
|
||||
$(DownloadedSharedFrameworkInstallerFile);
|
||||
|
@ -376,7 +376,7 @@
|
|||
</Target>
|
||||
|
||||
<Target Name="GenerateToolsetNupkg"
|
||||
DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateSdkMsi;SignSdkMsi"
|
||||
DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateSdkMsi"
|
||||
Condition=" '$(OS)' == 'Windows_NT' "
|
||||
Inputs="$(SdkMSIInstallerFile);
|
||||
$(ToolsetInstallerNuspecFile);
|
||||
|
@ -394,7 +394,7 @@
|
|||
</Target>
|
||||
|
||||
<Target Name="GenerateSdkPlaceholderNupkg"
|
||||
DependsOnTargets="MsiTargetsSetupInputOutputs;GenerateSdkPlaceholderMsi;SignSdkPlaceholderMsi"
|
||||
DependsOnTargets="MsiTargetsSetupInputOutputs;GenerateSdkPlaceholderMsi"
|
||||
Condition=" '$(OS)' == 'Windows_NT' "
|
||||
Inputs="$(SdkPlaceholderMSIInstallerFile);
|
||||
$(SdkPlaceholderInstallerNuspecFile);
|
||||
|
@ -412,7 +412,7 @@
|
|||
</Target>
|
||||
|
||||
<Target Name="GenerateTemplatesNupkgs"
|
||||
DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateTemplatesMsis;SignTemplatesMsis;SetupTemplatesNupkgs"
|
||||
DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateTemplatesMsis;SetupTemplatesNupkgs"
|
||||
Condition="$(ProductMonikerRid.StartsWith('win')) And '$(Architecture)' != 'arm' "
|
||||
Inputs="@(TemplatesNupkgComponent->'%(MSIInstallerFile)');
|
||||
$(TemplatesInstallerNuspecFile);
|
||||
|
@ -518,13 +518,9 @@
|
|||
MsiTargetsSetupInputOutputs;
|
||||
AcquireWix;
|
||||
GenerateSdkMsi;
|
||||
SignSdkMsi;
|
||||
GenerateTemplatesMsis;
|
||||
SignTemplatesMsis;
|
||||
GenerateSdkBundle;
|
||||
SignSdkBundle;
|
||||
GenerateSdkPlaceholderMsi;
|
||||
SignSdkPlaceholderMsi;
|
||||
GenerateToolsetNupkg;
|
||||
GenerateTemplatesNupkgs;
|
||||
GenerateSdkPlaceholderNupkg;
|
||||
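Review bot: `GenerateToolsetNupkg`, `GenerateSdkPlaceholderNupkg` and `GenerateTemplatesNupkgs` now consume the MSI named in their `Inputs` with no signing target in between, so any MSI copy placed inside those packages is unsigned when it is packed. Whether it is signed later depends on the sign step opening the enclosing `.nupkg`, and the in-build `ItemsToSign` list in the first file of this commit contains no `*.nupkg` pattern. If these packages do embed the MSI (inferred from the `Inputs`, the packaging step itself is not shown), in-build signing would publish them with an unsigned installer inside. I would either add the packages to the sign list, for example `<ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.nupkg" />` if that is where they land, or add a post-sign check that fails the build when an embedded `.msi` has no valid signature. The same applies to the `GenerateSdkBundle` hunk if the bundle is ever built without a matching wixpack.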
|
|
|
@ -1,222 +0,0 @@
|
|||
<Project>
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolVersion)" PrivateAssets="All" />
|
||||
</ItemGroup>
|
||||
|
||||
<!-- Import Arcade's Sign.props, when then imports the eng/Signing.props for this repo -->
|
||||
<Import Project="../tools/Sign.props" Sdk="Microsoft.DotNet.Arcade.Sdk" />
|
||||
|
||||
<Target Name="SetSignProps"
|
||||
Condition="'$(SignCoreSdk)' == 'true'">
|
||||
|
||||
<MakeDir Directories="$(ArtifactsTmpDir)" Condition="!Exists('$(ArtifactsTmpDir)')" />
|
||||
|
||||
<!-- Logic copied from https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
|
||||
<Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'"
|
||||
Condition="'$(DotNetSignType)' != 'real' and '$(DotNetSignType)' != 'test' and '$(DotNetSignType)' != ''" />
|
||||
|
||||
<PropertyGroup>
|
||||
<_DryRun>true</_DryRun>
|
||||
<_DryRun Condition="'$(OfficialBuild)' == 'true'">false</_DryRun>
|
||||
|
||||
<_TestSign>false</_TestSign>
|
||||
<_TestSign Condition="'$(DotNetSignType)' == 'test'">true</_TestSign>
|
||||
|
||||
<_DesktopMSBuildRequired>false</_DesktopMSBuildRequired>
|
||||
<_DesktopMSBuildRequired Condition="'$(_DryRun)' != 'true' and '$(MSBuildRuntimeType)' == 'Core'">true</_DesktopMSBuildRequired>
|
||||
</PropertyGroup>
|
||||
|
||||
<!-- We only need this if we are going to use the executable version. -->
|
||||
<Exec Command='"$(NuGetPackageRoot)vswhere\$(VSWhereVersion)\tools\vswhere.exe" -latest -prerelease -property installationPath -requires Microsoft.Component.MSBuild'
|
||||
ConsoleToMsBuild="true"
|
||||
StandardErrorImportance="high"
|
||||
Condition="$(_DesktopMSBuildRequired)">
|
||||
<Output TaskParameter="ConsoleOutput" PropertyName="_VSInstallDir" />
|
||||
</Exec>
|
||||
|
||||
<PropertyGroup>
|
||||
<_DesktopMSBuildPath Condition="$(_DesktopMSBuildRequired)">$(_VSInstallDir)\MSBuild\15.0\Bin\msbuild.exe</_DesktopMSBuildPath>
|
||||
</PropertyGroup>
|
||||
</Target>
|
||||
|
||||
<Target Name="SignLayout"
|
||||
Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
|
||||
DependsOnTargets="SetSignProps">
|
||||
|
||||
<ItemGroup>
|
||||
<LayoutFilesToSign Include="$(SdkOutputDirectory)**/csc.exe;
|
||||
$(SdkOutputDirectory)**/csc.dll;
|
||||
$(SdkOutputDirectory)**/VBCSCompiler.dll;
|
||||
$(SdkOutputDirectory)**/vbc.exe;
|
||||
$(SdkOutputDirectory)**/vbc.dll;
|
||||
$(SdkOutputDirectory)**/fsc.dll;
|
||||
$(SdkOutputDirectory)**/fsi.dll;
|
||||
$(SdkOutputDirectory)**/FSharp.*.dll;
|
||||
$(SdkOutputDirectory)**/Interactive.DependencyManager.dll;
|
||||
$(SdkOutputDirectory)**/dotnet.dll;
|
||||
$(SdkOutputDirectory)**/dotnet.resources.dll;
|
||||
$(SdkOutputDirectory)**/System.*.dll;
|
||||
$(SdkOutputDirectory)**/Microsoft.*.dll;
|
||||
$(SdkOutputDirectory)**/NuGet*.dll;
|
||||
$(SdkOutputDirectory)**/datacollector.dll;
|
||||
$(SdkOutputDirectory)**/datacollector.exe;
|
||||
$(SdkOutputDirectory)**/MSBuild.dll;
|
||||
$(SdkOutputDirectory)**/MSBuild.resources.dll;
|
||||
$(SdkOutputDirectory)**/PresentationBuildTasks.dll;
|
||||
$(SdkOutputDirectory)**/redist.dll;
|
||||
$(SdkOutputDirectory)**/rzc.dll;
|
||||
$(SdkOutputDirectory)**/testhost.dll;
|
||||
$(SdkOutputDirectory)**/testhost.exe;
|
||||
$(SdkOutputDirectory)**/testhost.x86.exe;
|
||||
$(SdkOutputDirectory)**/vstest.console.dll;
|
||||
$(SdkOutputDirectory)**/vstest.console.resources.dll;
|
||||
$(SdkOutputDirectory)**/Newtonsoft.Json.dll;
|
||||
$(SdkOutputDirectory)**/MessagePack.Annotations.dll;
|
||||
$(SdkOutputDirectory)**/MessagePack.dll;
|
||||
$(SdkOutputDirectory)**/Nerdbank.Streams.dll;
|
||||
$(SdkOutputDirectory)**/StreamJsonRpc.dll;
|
||||
$(SdkOutputDirectory)**/dotnet-watch*.dll;
|
||||
$(SdkOutputDirectory)**/DotNetWatchTasks.dll;" />
|
||||
</ItemGroup>
|
||||
|
||||
<Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(LayoutFilesToSign)' == ''"
|
||||
Text="List of files to sign is empty. Make sure that LayoutFilesToSign is configured correctly." />
|
||||
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(LayoutFilesToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
</Target>
|
||||
|
||||
<Target Name="SignSdkMsi"
|
||||
Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
|
||||
DependsOnTargets="SetSignProps">
|
||||
|
||||
<ItemGroup>
|
||||
<SdkMsiFilesToSign Include="$(SdkMSIInstallerFile)" />
|
||||
</ItemGroup>
|
||||
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(SdkMsiFilesToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
</Target>
|
||||
|
||||
<Target Name="SignTemplatesMsis"
|
||||
Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
|
||||
DependsOnTargets="SetSignProps;SetupTemplatesMsis">
|
||||
|
||||
<ItemGroup>
|
||||
<TemplatesMsiFilesToSign Include="@(TemplatesMsiComponent->'%(MSIInstallerFile)')" />
|
||||
</ItemGroup>
|
||||
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(TemplatesMsiFilesToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
</Target>
|
||||
|
||||
<Target Name="SignSdkBundle"
|
||||
Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
|
||||
DependsOnTargets="SetSignProps">
|
||||
|
||||
<!-- Extract engine from bundle -->
|
||||
<Exec Command="$(WixRoot)/insignia.exe -ib $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostBundleEngineName)" />
|
||||
|
||||
<!-- Sign engine-->
|
||||
<ItemGroup>
|
||||
<EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" />
|
||||
</ItemGroup>
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(EngineFileToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
<!-- Reattach engine to bundle -->
|
||||
<Exec Command="$(WixRoot)/insignia.exe -ab $(CombinedFrameworkSdkHostBundleEngineName) $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostMSIInstallerFile)" />
|
||||
|
||||
<!-- Sign bundle -->
|
||||
<ItemGroup>
|
||||
<BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" />
|
||||
</ItemGroup>
|
||||
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(BundleFileToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
</Target>
|
||||
|
||||
<Target Name="SignSdkPlaceholderMsi"
|
||||
Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
|
||||
DependsOnTargets="SetSignProps">
|
||||
|
||||
<ItemGroup>
|
||||
<SdkPlaceholderMsiFilesToSign Include="$(SdkPlaceholderMSIInstallerFile)" />
|
||||
</ItemGroup>
|
||||
|
||||
<Microsoft.DotNet.SignTool.SignToolTask
|
||||
DryRun="$(_DryRun)"
|
||||
TestSign="$(_TestSign)"
|
||||
CertificatesSignInfo="@(CertificatesSignInfo)"
|
||||
ItemsToSign="@(SdkPlaceholderMsiFilesToSign)"
|
||||
StrongNameSignInfo="@(StrongNameSignInfo)"
|
||||
FileSignInfo="@(FileSignInfo)"
|
||||
FileExtensionSignInfo="@(FileExtensionSignInfo)"
|
||||
TempDir="$(ArtifactsTmpDir)"
|
||||
LogDir="$(ArtifactsLogDir)"
|
||||
MSBuildPath="$(_DesktopMSBuildPath)"
|
||||
SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
|
||||
MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
|
||||
|
||||
</Target>
|
||||
|
||||
</Project>
|