From a9d6b28f1eb87782ab44e646449f786c8a45ecd6 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Wed, 20 Jul 2022 10:41:49 -0700
Subject: [PATCH] Re-support in-build signing (#14165)

Add back in support for in-build signing. This is actually even simpler than it was before, because arcade added support for signing wixpacks. So there is no need to do the iterative sign->pack->sign->pack process that was previously common in any repo that creates an installer. Instead, the normal sign target in the arcade SDK build process will simply process all of the files to sign.
Post-build signing remains the default, but will be flipped once verification is complete
---
 eng/Signing.props                         |  11 +-
 src/redist/redist.csproj                  |   2 -
 src/redist/targets/GenerateLayout.targets |   3 +-
 src/redist/targets/GenerateMSIs.targets   |  12 +-
 src/redist/targets/Signing.targets        | 222 ----------------------
 5 files changed, 14 insertions(+), 236 deletions(-)
 delete mode 100644 src/redist/targets/Signing.targets

diff --git a/eng/Signing.props b/eng/Signing.props
index 5372bc186..cf6e0c8a7 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -1,12 +1,19 @@
 <Project>
 
   <ItemGroup>
-    <!-- Do not sign non-shipping packages when doing in-build signing -->
-    <ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" Condition="'$(PostBuildSign)' != 'true'" />
     <!-- Remove the wixpacks from items to sign post build. These will be added explicitly by the
          custom publishing target. And should not be picked up by arcade's default publishing logic. -->
     <ItemsToSignPostBuild Remove="*.wixpack.zip" />
   </ItemGroup>
+  <ItemGroup Condition="'$(PostBuildSign)' != 'true'">
+    <ItemsToSign Remove="@(ItemsToSign)" />
+    <ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.zip" Condition=" '$(PublishBinariesAndBadge)' == 'true' " />
+    <ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.exe" />
+    <ItemsToSign Include="$(ArtifactsShippingPackagesDir)*.msi" />
+    <ItemsToSign Include="$(ArtifactsNonShippingPackagesDir)*.msi" />
+    <ItemsToSign Include="$(ArtifactsNonShippingPackagesDir)*.zip" Condition=" '$(PublishBinariesAndBadge)' == 'true' " />
+    <ItemsToSign Include="$(ArtifactsPackagesDir)**\*.wixpack.zip" />
+  </ItemGroup>
 
   <PropertyGroup>
     <ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
diff --git a/src/redist/redist.csproj b/src/redist/redist.csproj
index c735a1fb8..d9b868ecc 100644
--- a/src/redist/redist.csproj
+++ b/src/redist/redist.csproj
@@ -48,6 +48,4 @@
   <Import Project="targets\GenerateInstallers.targets" />
   <Import Project="targets\Badge.targets" />
   <Import Project="targets\Checksum.targets" />
-
-  <Import Project="targets\Signing.targets" />
 </Project>
diff --git a/src/redist/targets/GenerateLayout.targets b/src/redist/targets/GenerateLayout.targets
index c6df06096..5cd571953 100644
--- a/src/redist/targets/GenerateLayout.targets
+++ b/src/redist/targets/GenerateLayout.targets
@@ -572,8 +572,7 @@
                             RetargetTools;
                             CrossgenLayout;
                             LayoutAppHostTemplate;
-                            GeneratePrecomputedRarCache;
-                            SignLayout"
+                            GeneratePrecomputedRarCache"
           BeforeTargets="AfterBuild">
 
   </Target>
diff --git a/src/redist/targets/GenerateMSIs.targets b/src/redist/targets/GenerateMSIs.targets
index 5ab1cbfb5..527bc988c 100644
--- a/src/redist/targets/GenerateMSIs.targets
+++ b/src/redist/targets/GenerateMSIs.targets
@@ -307,7 +307,7 @@
   </Target>
 
   <Target Name="GenerateSdkBundle"
-          DependsOnTargets="GenerateLayout;AcquireWix;MsiTargetsSetupInputOutputs;GenerateSdkMsi;SignSdkMsi;GenerateTemplatesMsis;GenerateWorkloadManifestsWxs;SignTemplatesMsis"
+          DependsOnTargets="GenerateLayout;AcquireWix;MsiTargetsSetupInputOutputs;GenerateSdkMsi;GenerateTemplatesMsis;GenerateWorkloadManifestsWxs"
           Condition=" '$(OS)' == 'Windows_NT' "
           Inputs="$(SdkMSIInstallerFile);
                     $(DownloadedSharedFrameworkInstallerFile);
@@ -376,7 +376,7 @@
   </Target>
 
   <Target Name="GenerateToolsetNupkg"
-          DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateSdkMsi;SignSdkMsi"
+          DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateSdkMsi"
           Condition=" '$(OS)' == 'Windows_NT' "
           Inputs="$(SdkMSIInstallerFile);
                     $(ToolsetInstallerNuspecFile);
@@ -394,7 +394,7 @@
   </Target>
 
   <Target Name="GenerateSdkPlaceholderNupkg"
-          DependsOnTargets="MsiTargetsSetupInputOutputs;GenerateSdkPlaceholderMsi;SignSdkPlaceholderMsi"
+          DependsOnTargets="MsiTargetsSetupInputOutputs;GenerateSdkPlaceholderMsi"
           Condition=" '$(OS)' == 'Windows_NT' "
           Inputs="$(SdkPlaceholderMSIInstallerFile);
                     $(SdkPlaceholderInstallerNuspecFile);
@@ -412,7 +412,7 @@
   </Target>
 
   <Target Name="GenerateTemplatesNupkgs"
-          DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateTemplatesMsis;SignTemplatesMsis;SetupTemplatesNupkgs"
+          DependsOnTargets="GenerateLayout;MsiTargetsSetupInputOutputs;GenerateTemplatesMsis;SetupTemplatesNupkgs"
           Condition="$(ProductMonikerRid.StartsWith('win')) And '$(Architecture)' != 'arm' "
           Inputs="@(TemplatesNupkgComponent->'%(MSIInstallerFile)');
                     $(TemplatesInstallerNuspecFile);
@@ -518,13 +518,9 @@
                             MsiTargetsSetupInputOutputs;
                             AcquireWix;
                             GenerateSdkMsi;
-                            SignSdkMsi;
                             GenerateTemplatesMsis;
-                            SignTemplatesMsis;
                             GenerateSdkBundle;
-                            SignSdkBundle;
                             GenerateSdkPlaceholderMsi;
-                            SignSdkPlaceholderMsi;
                             GenerateToolsetNupkg;
                             GenerateTemplatesNupkgs;
                             GenerateSdkPlaceholderNupkg;
diff --git a/src/redist/targets/Signing.targets b/src/redist/targets/Signing.targets
deleted file mode 100644
index a4a2e29bb..000000000
--- a/src/redist/targets/Signing.targets
+++ /dev/null
@@ -1,222 +0,0 @@
-<Project>
-  <ItemGroup>
-     <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolVersion)" PrivateAssets="All"  />
-  </ItemGroup>
-
-  <!-- Import Arcade's Sign.props, when then imports the eng/Signing.props for this repo -->
-  <Import Project="../tools/Sign.props" Sdk="Microsoft.DotNet.Arcade.Sdk" />
-
-  <Target Name="SetSignProps"
-          Condition="'$(SignCoreSdk)' == 'true'">
-
-    <MakeDir Directories="$(ArtifactsTmpDir)" Condition="!Exists('$(ArtifactsTmpDir)')" />
-
-    <!-- Logic copied from https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
-    <Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'"
-       Condition="'$(DotNetSignType)' != 'real' and '$(DotNetSignType)' != 'test' and '$(DotNetSignType)' != ''" />
-
-    <PropertyGroup>
-      <_DryRun>true</_DryRun>
-      <_DryRun Condition="'$(OfficialBuild)' == 'true'">false</_DryRun>
-
-      <_TestSign>false</_TestSign>
-      <_TestSign Condition="'$(DotNetSignType)' == 'test'">true</_TestSign>
-
-      <_DesktopMSBuildRequired>false</_DesktopMSBuildRequired>
-      <_DesktopMSBuildRequired Condition="'$(_DryRun)' != 'true' and '$(MSBuildRuntimeType)' == 'Core'">true</_DesktopMSBuildRequired>
-    </PropertyGroup>
-
-    <!-- We only need this if we are going to use the executable version. -->
-    <Exec Command='"$(NuGetPackageRoot)vswhere\$(VSWhereVersion)\tools\vswhere.exe" -latest -prerelease -property installationPath -requires Microsoft.Component.MSBuild'
-          ConsoleToMsBuild="true"
-          StandardErrorImportance="high"
-          Condition="$(_DesktopMSBuildRequired)">
-      <Output TaskParameter="ConsoleOutput" PropertyName="_VSInstallDir" />
-    </Exec>
-
-    <PropertyGroup>
-      <_DesktopMSBuildPath Condition="$(_DesktopMSBuildRequired)">$(_VSInstallDir)\MSBuild\15.0\Bin\msbuild.exe</_DesktopMSBuildPath>
-    </PropertyGroup>
-  </Target>
-
-  <Target Name="SignLayout"
-          Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
-          DependsOnTargets="SetSignProps">
-
-    <ItemGroup>
-      <LayoutFilesToSign Include="$(SdkOutputDirectory)**/csc.exe;
-                                  $(SdkOutputDirectory)**/csc.dll;
-                                  $(SdkOutputDirectory)**/VBCSCompiler.dll;
-                                  $(SdkOutputDirectory)**/vbc.exe;
-                                  $(SdkOutputDirectory)**/vbc.dll;
-                                  $(SdkOutputDirectory)**/fsc.dll;
-                                  $(SdkOutputDirectory)**/fsi.dll;
-                                  $(SdkOutputDirectory)**/FSharp.*.dll;
-                                  $(SdkOutputDirectory)**/Interactive.DependencyManager.dll;
-                                  $(SdkOutputDirectory)**/dotnet.dll;
-                                  $(SdkOutputDirectory)**/dotnet.resources.dll;
-                                  $(SdkOutputDirectory)**/System.*.dll;
-                                  $(SdkOutputDirectory)**/Microsoft.*.dll;
-                                  $(SdkOutputDirectory)**/NuGet*.dll;
-                                  $(SdkOutputDirectory)**/datacollector.dll;
-                                  $(SdkOutputDirectory)**/datacollector.exe;
-                                  $(SdkOutputDirectory)**/MSBuild.dll;
-                                  $(SdkOutputDirectory)**/MSBuild.resources.dll;
-                                  $(SdkOutputDirectory)**/PresentationBuildTasks.dll;
-                                  $(SdkOutputDirectory)**/redist.dll;
-                                  $(SdkOutputDirectory)**/rzc.dll;
-                                  $(SdkOutputDirectory)**/testhost.dll;
-                                  $(SdkOutputDirectory)**/testhost.exe;
-                                  $(SdkOutputDirectory)**/testhost.x86.exe;
-                                  $(SdkOutputDirectory)**/vstest.console.dll;
-                                  $(SdkOutputDirectory)**/vstest.console.resources.dll;
-                                  $(SdkOutputDirectory)**/Newtonsoft.Json.dll;
-                                  $(SdkOutputDirectory)**/MessagePack.Annotations.dll;
-                                  $(SdkOutputDirectory)**/MessagePack.dll;
-                                  $(SdkOutputDirectory)**/Nerdbank.Streams.dll;
-                                  $(SdkOutputDirectory)**/StreamJsonRpc.dll;
-                                  $(SdkOutputDirectory)**/dotnet-watch*.dll;
-                                  $(SdkOutputDirectory)**/DotNetWatchTasks.dll;" />
-    </ItemGroup>
-
-    <Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(LayoutFilesToSign)' == ''"
-           Text="List of files to sign is empty. Make sure that LayoutFilesToSign is configured correctly." />
-
-    <Microsoft.DotNet.SignTool.SignToolTask
-      DryRun="$(_DryRun)"
-      TestSign="$(_TestSign)"
-      CertificatesSignInfo="@(CertificatesSignInfo)"
-      ItemsToSign="@(LayoutFilesToSign)"
-      StrongNameSignInfo="@(StrongNameSignInfo)"
-      FileSignInfo="@(FileSignInfo)"
-      FileExtensionSignInfo="@(FileExtensionSignInfo)"
-      TempDir="$(ArtifactsTmpDir)"
-      LogDir="$(ArtifactsLogDir)"
-      MSBuildPath="$(_DesktopMSBuildPath)"
-      SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-      MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-  </Target>
-
-  <Target Name="SignSdkMsi"
-        Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
-        DependsOnTargets="SetSignProps">
-
-    <ItemGroup>
-      <SdkMsiFilesToSign Include="$(SdkMSIInstallerFile)" />
-    </ItemGroup>
-
-    <Microsoft.DotNet.SignTool.SignToolTask
-        DryRun="$(_DryRun)"
-        TestSign="$(_TestSign)"
-        CertificatesSignInfo="@(CertificatesSignInfo)"
-        ItemsToSign="@(SdkMsiFilesToSign)"
-        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(FileSignInfo)"
-        FileExtensionSignInfo="@(FileExtensionSignInfo)"
-        TempDir="$(ArtifactsTmpDir)"
-        LogDir="$(ArtifactsLogDir)"
-        MSBuildPath="$(_DesktopMSBuildPath)"
-        SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-        MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-  </Target>
-
-  <Target Name="SignTemplatesMsis"
-      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
-      DependsOnTargets="SetSignProps;SetupTemplatesMsis">
-
-    <ItemGroup>
-      <TemplatesMsiFilesToSign Include="@(TemplatesMsiComponent->'%(MSIInstallerFile)')" />
-    </ItemGroup>
-
-    <Microsoft.DotNet.SignTool.SignToolTask
-        DryRun="$(_DryRun)"
-        TestSign="$(_TestSign)"
-        CertificatesSignInfo="@(CertificatesSignInfo)"
-        ItemsToSign="@(TemplatesMsiFilesToSign)"
-        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(FileSignInfo)"
-        FileExtensionSignInfo="@(FileExtensionSignInfo)"
-        TempDir="$(ArtifactsTmpDir)"
-        LogDir="$(ArtifactsLogDir)"
-        MSBuildPath="$(_DesktopMSBuildPath)"
-        SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-        MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-  </Target>
-
-  <Target Name="SignSdkBundle"
-      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
-      DependsOnTargets="SetSignProps">
-
-    <!-- Extract engine from bundle -->
-    <Exec Command="$(WixRoot)/insignia.exe -ib $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostBundleEngineName)" />
-
-    <!-- Sign engine-->
-    <ItemGroup>
-      <EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" />
-    </ItemGroup>
-    <Microsoft.DotNet.SignTool.SignToolTask
-        DryRun="$(_DryRun)"
-        TestSign="$(_TestSign)"
-        CertificatesSignInfo="@(CertificatesSignInfo)"
-        ItemsToSign="@(EngineFileToSign)"
-        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(FileSignInfo)"
-        FileExtensionSignInfo="@(FileExtensionSignInfo)"
-        TempDir="$(ArtifactsTmpDir)"
-        LogDir="$(ArtifactsLogDir)"
-        MSBuildPath="$(_DesktopMSBuildPath)"
-        SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-        MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-    <!-- Reattach engine to bundle -->
-    <Exec Command="$(WixRoot)/insignia.exe -ab $(CombinedFrameworkSdkHostBundleEngineName) $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostMSIInstallerFile)" />
-
-    <!-- Sign bundle -->
-    <ItemGroup>
-      <BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" />
-    </ItemGroup>
-
-    <Microsoft.DotNet.SignTool.SignToolTask
-        DryRun="$(_DryRun)"
-        TestSign="$(_TestSign)"
-        CertificatesSignInfo="@(CertificatesSignInfo)"
-        ItemsToSign="@(BundleFileToSign)"
-        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(FileSignInfo)"
-        FileExtensionSignInfo="@(FileExtensionSignInfo)"
-        TempDir="$(ArtifactsTmpDir)"
-        LogDir="$(ArtifactsLogDir)"
-        MSBuildPath="$(_DesktopMSBuildPath)"
-        SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-        MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-  </Target>
-
-  <Target Name="SignSdkPlaceholderMsi"
-      Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
-      DependsOnTargets="SetSignProps">
-
-    <ItemGroup>
-      <SdkPlaceholderMsiFilesToSign Include="$(SdkPlaceholderMSIInstallerFile)" />
-    </ItemGroup>
-
-    <Microsoft.DotNet.SignTool.SignToolTask
-        DryRun="$(_DryRun)"
-        TestSign="$(_TestSign)"
-        CertificatesSignInfo="@(CertificatesSignInfo)"
-        ItemsToSign="@(SdkPlaceholderMsiFilesToSign)"
-        StrongNameSignInfo="@(StrongNameSignInfo)"
-        FileSignInfo="@(FileSignInfo)"
-        FileExtensionSignInfo="@(FileExtensionSignInfo)"
-        TempDir="$(ArtifactsTmpDir)"
-        LogDir="$(ArtifactsLogDir)"
-        MSBuildPath="$(_DesktopMSBuildPath)"
-        SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
-        MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>
-
-  </Target>
-
-</Project>