[release/5.0.1xx] Enable post build signing (#8764)

* Enable post build signing
Enables post build signing of installer by including the items that need to be signed
post build in an ItemsToSignPostBuild item group and moving the file signing information
into the Signing.props files.

Changes to in-build signing have been verified by taking a drop with the current in-build
structure and comparing the signatures and strong name keys between files
in equivalent builds.

* Enable post build signing
Enables post build signing of installer by including the items that need to be signed
post build in an ItemsToSignPostBuild item group and moving the file signing information
into the Signing.props files.

Changes to in-build signing have been verified by taking a drop with the current in-build
structure and comparing the signatures and strong name keys between files
in equivalent builds.

Co-authored-by: dotnet-bot <dotnet-bot@dotnetfoundation.org>
Co-authored-by: Christopher Costa <chcosta@microsoft.com>
Matt Mitchell 2020-10-14 14:55:38 -07:00 committed by GitHub
parent 6f9d636715
commit e8dddcc611
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 110 additions and 143 deletions


@ -8,7 +8,6 @@
<PropertyGroup> <PropertyGroup>
<Product>Sdk</Product> <Product>Sdk</Product>
<BlobStoragePartialRelativePath>$(Product)</BlobStoragePartialRelativePath> <BlobStoragePartialRelativePath>$(Product)</BlobStoragePartialRelativePath>
<BlobStoragePartialRelativePath Condition="'$(IsNotOrchestratedPublish)' == 'false'">assets/$(Product)</BlobStoragePartialRelativePath>
<ChecksumsFeedUrl>$(DotnetPublishChecksumsBlobFeedUrl)</ChecksumsFeedUrl> <ChecksumsFeedUrl>$(DotnetPublishChecksumsBlobFeedUrl)</ChecksumsFeedUrl>
<SdkAssetsFeedUrl>$(DotnetPublishSdkAssetsBlobFeedUrl)</SdkAssetsFeedUrl> <SdkAssetsFeedUrl>$(DotnetPublishSdkAssetsBlobFeedUrl)</SdkAssetsFeedUrl>
@ -56,10 +55,8 @@
<BaseAssetManifestFileName>$(AssetManifestOS)</BaseAssetManifestFileName> <BaseAssetManifestFileName>$(AssetManifestOS)</BaseAssetManifestFileName>
<BaseAssetManifestFileName Condition="'$(AGENT_JOBNAME)' == '' and '$(Architecture)' != ''">$(AssetManifestOS)-$(Architecture)</BaseAssetManifestFileName> <BaseAssetManifestFileName Condition="'$(AGENT_JOBNAME)' == '' and '$(Architecture)' != ''">$(AssetManifestOS)-$(Architecture)</BaseAssetManifestFileName>
<InstallersAssetManifestFileName>$(BaseAssetManifestFileName)-installers</InstallersAssetManifestFileName> <InstallersAssetManifestFileName>$(BaseAssetManifestFileName)-installers</InstallersAssetManifestFileName>
<ChecksumsAssetManifestFileName>$(BaseAssetManifestFileName)-checksums</ChecksumsAssetManifestFileName>
<!-- Property AssetManifestFilePath would be reassigned by the Arcade SDK, so use a different name (InstallersAssetManifestFilePath) --> <!-- Property AssetManifestFilePath would be reassigned by the Arcade SDK, so use a different name (InstallersAssetManifestFilePath) -->
<InstallersAssetManifestFilePath>$(ArtifactsLogDir)AssetManifest\$(InstallersAssetManifestFileName).xml</InstallersAssetManifestFilePath> <InstallersAssetManifestFilePath>$(ArtifactsLogDir)AssetManifest\$(InstallersAssetManifestFileName).xml</InstallersAssetManifestFilePath>
<ChecksumsAssetManifestFilePath>$(ArtifactsLogDir)AssetManifest\$(ChecksumsAssetManifestFileName).xml</ChecksumsAssetManifestFilePath>
<DotnetTempWorkingDirectory>$(ArtifactsDir)..\DotnetAssetsTmpDir\$([System.Guid]::NewGuid())</DotnetTempWorkingDirectory> <DotnetTempWorkingDirectory>$(ArtifactsDir)..\DotnetAssetsTmpDir\$([System.Guid]::NewGuid())</DotnetTempWorkingDirectory>
<ChecksumTempWorkingDirectory>$(ArtifactsDir)..\ChecksumAssetsTmpDir\$([System.Guid]::NewGuid())</ChecksumTempWorkingDirectory> <ChecksumTempWorkingDirectory>$(ArtifactsDir)..\ChecksumAssetsTmpDir\$([System.Guid]::NewGuid())</ChecksumTempWorkingDirectory>
@ -119,26 +116,29 @@
</ChecksumsToPushToBlobFeed> </ChecksumsToPushToBlobFeed>
</ItemGroup> </ItemGroup>
<PropertyGroup>
<IsStableBuild>false</IsStableBuild>
<IsStableBuild Condition="'$(DotNetFinalVersionKind)' == 'release'">true</IsStableBuild>
</PropertyGroup>
<PushToAzureDevOpsArtifacts <PushToAzureDevOpsArtifacts
ItemsToPush="@(SdkAssetsToPushToBlobFeed)" AzureDevOpsCollectionUri="$(SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)"
AzureDevOpsProject="$(SYSTEM_TEAMPROJECT)"
AzureDevOpsBuildId="$(BUILD_BUILDID)"
ItemsToPush="@(SdkAssetsToPushToBlobFeed);@(ChecksumsToPushToBlobFeed)"
ItemsToSign="@(ItemsToSignPostBuild)"
CertificatesSignInfo="@(CertificatesSignInfo)"
StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)"
ManifestBuildData="@(ManifestBuildData)" ManifestBuildData="@(ManifestBuildData)"
ManifestRepoUri="$(BUILD_REPOSITORY_NAME)" ManifestRepoName="$(BUILD_REPOSITORY_NAME)"
ManifestBranch="$(BUILD_SOURCEBRANCH)" ManifestBranch="$(BUILD_SOURCEBRANCH)"
ManifestBuildId="$(BUILD_BUILDNUMBER)" ManifestBuildId="$(BUILD_BUILDNUMBER)"
ManifestCommit="$(BUILD_SOURCEVERSION)" ManifestCommit="$(BUILD_SOURCEVERSION)"
AssetManifestPath="$(InstallersAssetManifestFilePath)" AssetManifestPath="$(InstallersAssetManifestFilePath)"
PublishFlatContainer="true" PublishFlatContainer="true"
PublishingVersion="3"/> IsStableBuild="$(IsStableBuild)"
PublishingVersion="3" />
<PushToAzureDevOpsArtifacts
ItemsToPush="@(ChecksumsToPushToBlobFeed)"
ManifestBuildData="@(ManifestBuildData)"
ManifestRepoUri="$(BUILD_REPOSITORY_NAME)"
ManifestBranch="$(BUILD_SOURCEBRANCH)"
ManifestBuildId="$(BUILD_BUILDNUMBER)"
ManifestCommit="$(BUILD_SOURCEVERSION)"
AssetManifestPath="$(ChecksumsAssetManifestFilePath)"
PublishFlatContainer="true"
PublishingVersion="3"/>
</Target> </Target>
</Project> </Project>
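Review bot: The checksum items in `ItemsToPush="@(SdkAssetsToPushToBlobFeed);@(ChecksumsToPushToBlobFeed)"` appear to be produced during the build, while the same call now hands the installers to a later signing step through `ItemsToSign="@(ItemsToSignPostBuild)"`. Signing rewrites the .zip, .exe and .msi files, so a checksum taken before signing would no longer match the file a user downloads; where the checksums are generated is outside this section, so this needs confirming. If they are computed before signing, they should be regenerated after post-build signing. A comment above the task such as `<!-- Checksums must be computed from the signed files; see <checksum generation target> -->` would record the dependency. The enclosing Target starts outside the hunk.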


@ -1,16 +1,56 @@
<Project> <Project>
<ItemGroup> <ItemGroup>
<!-- Do not sign non-shipping packages --> <!-- Do not sign non-shipping packages when doing in-build signing -->
<ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" /> <ItemsToSign Remove="$(ArtifactsNonShippingPackagesDir)**\*.nupkg" />
</ItemGroup> </ItemGroup>
<ItemGroup Condition="'$(PostBuildSign)' == 'true'">
<ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.zip" />
<ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.exe" />
<ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.msi" />
<ItemsToSignPostBuild Include="$(ArtifactsShippingPackagesDir)*.nupkg" />
<ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.msi" />
<ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.zip" />
<ItemsToSignPostBuild Include="$(ArtifactsNonShippingPackagesDir)*.nupkg" />
</ItemGroup>
<PropertyGroup> <PropertyGroup>
<ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
<InternalCertificateId Condition="'$(InternalCertificateId)' == ''">Microsoft400</InternalCertificateId>
<!-- <!--
Signing of shipping artifacts (layout, msi, bundle) are handled separately. Signing of shipping artifacts (layout, msi, bundle) are handled separately.
It is therefore expected that above removal can yield an empty set. It is therefore expected that <ItemsToSign> could be an empty set.
--> -->
<AllowEmptySignList>true</AllowEmptySignList> <AllowEmptySignList>true</AllowEmptySignList>
</PropertyGroup> </PropertyGroup>
<ItemGroup>
<FileSignInfo Include="Newtonsoft.Json.dll" CertificateName="$(ExternalCertificateId)" />
<FileSignInfo Include="MessagePack.Annotations.dll" CertificateName="$(ExternalCertificateId)" />
<FileSignInfo Include="MessagePack.dll" CertificateName="$(ExternalCertificateId)" />
<FileSignInfo Include="Nerdbank.Streams.dll" CertificateName="$(ExternalCertificateId)" />
<FileSignInfo Include="StreamJsonRpc.dll" CertificateName="$(ExternalCertificateId)" />
<!-- Files in the layout that should not be signed -->
<FileSignInfo Include="apphost.exe" CertificateName="None" />
<!-- These are 3rd party nupkgs and should not be signed with an MS cert -->
<FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates21PackageVersion).nupkg" CertificateName="None" />
<FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates30PackageVersion).nupkg" CertificateName="None" />
<FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates31PackageVersion).nupkg" CertificateName="None" />
<FileSignInfo Include="nunit3.dotnetnew.template.$(NUnit3Templates50PackageVersion).nupkg" CertificateName="None" />
<FileExtensionSignInfo Include=".msi" CertificateName="$(InternalCertificateId)" />
<!-- .ttf and .js files come in from some older aspnetcore packages (e.g. 2.1).
These files in the 5.0 packages are NOT signed. When doing postbuild signing,
SignTool will recognize that the files in the installer zips came from the 5.0 packages
pulled in from aspnetcore, and aspnetcore said not to sign them. This info is not
available for the 2.1 packages, so we need to avoid signing these in this repo. -->
<FileExtensionSignInfo Include=".ttf" CertificateName="None" />
<FileExtensionSignInfo Remove=".js" />
<FileExtensionSignInfo Include=".js" CertificateName="None" />
</ItemGroup>
</Project> </Project>
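Review bot: The `CertificateName="None"` entries for `.ttf` and `.js` exclude every file with those extensions from signing, not only the ones from the older aspnetcore packages that the comment describes. Any script added to the layout or installers later would ship unsigned without a build error, and because the item group is unconditional the exclusion also applies to in-build signing. Narrowing it to the known file names with `FileSignInfo` entries, or adding a post-signing check that lists unsigned `.js` files, would keep the exception visible. Separately, `.js` is removed before it is re-added but `.ttf` and `.msi` are not; if the imported defaults ever define those extensions the entries would be duplicated, and how SignTool treats that is not visible here.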


@ -166,6 +166,7 @@ docker run $INTERACTIVE -t --rm --sig-proxy=true \
-e BUILD_BUILDID \ -e BUILD_BUILDID \
-e BUILD_SOURCEVERSION \ -e BUILD_SOURCEVERSION \
-e SYSTEM_TEAMPROJECT \ -e SYSTEM_TEAMPROJECT \
-e POSTBUILDSIGN \
-e SYSTEM_DEFINITIONID \ -e SYSTEM_DEFINITIONID \
-e SYSTEM_TEAMFOUNDATIONCOLLECTIONURI \ -e SYSTEM_TEAMFOUNDATIONCOLLECTIONURI \
-e DOTNETCLIMSRC_READ_SAS_TOKEN \ -e DOTNETCLIMSRC_READ_SAS_TOKEN \


@ -3,54 +3,13 @@
<PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolVersion)" PrivateAssets="All" /> <PackageReference Include="Microsoft.DotNet.SignTool" Version="$(MicrosoftDotNetSignToolVersion)" PrivateAssets="All" />
</ItemGroup> </ItemGroup>
<!-- Import Arcade's Sign.props, when then imports the eng/Signing.props for this repo -->
<Import Project="../tools/Sign.props" Sdk="Microsoft.DotNet.Arcade.Sdk" />
<Target Name="SetSignProps" <Target Name="SetSignProps"
Condition="'$(SignCoreSdk)' == 'true'"> Condition="'$(SignCoreSdk)' == 'true'">
<MakeDir Directories="$(ArtifactsTmpDir)" Condition="!Exists('$(ArtifactsTmpDir)')" /> <MakeDir Directories="$(ArtifactsTmpDir)" Condition="!Exists('$(ArtifactsTmpDir)')" />
<PropertyGroup>
<ExternalCertificateId Condition="'$(ExternalCertificateId)' == ''">3PartySHA2</ExternalCertificateId>
<InternalCertificateId Condition="'$(InternalCertificateId)' == ''">Microsoft400</InternalCertificateId>
<NugetCertificateId Condition="'$(NugetCertificateId)' == ''">NuGet</NugetCertificateId>
</PropertyGroup>
<!-- Logic copied from https://github.com/dotnet/arcade/blob/master/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
<ItemGroup>
<!--
This is intended to hold information about the certificates used for signing.
For now the only information required is whether or not the certificate can be
used for signing already signed files - DualSigningAllowed==true.
-->
<CertificatesSignInfo Include="3PartyDual" DualSigningAllowed="true" />
<CertificatesSignInfo Include="3PartySHA2" DualSigningAllowed="true" />
<!-- List of container files that will be opened and checked for files that need to be signed. -->
<!--<ItemsToSign Include="$(ArtifactsPackagesDir)**\*.nupkg" />
<ItemsToSign Include="$(VisualStudioSetupOutputPath)**\*.vsix" />-->
<!--
Map of file extensions to default certificate name. Files with these extensions are
signed with the specified certificate. Particularly useful for files that don't have
a public key token.
The certificate can be overriden using the StrongNameSignInfo or the FileSignInfo item group.
-->
<FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJAR" />
<FileExtensionSignInfo Include=".js;.ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
<FileExtensionSignInfo Include=".dll;.exe" CertificateName="Microsoft400" />
<FileExtensionSignInfo Include=".nupkg" CertificateName="NuGet" />
<FileExtensionSignInfo Include=".vsix" CertificateName="VsixSHA2" />
<FileExtensionSignInfo Include=".zip" CertificateName="None" />
</ItemGroup>
<PropertyGroup>
<!-- Control whether an empty ItemsToSign item group is allowed when calling SignToolTask. -->
<AllowEmptySignList>false</AllowEmptySignList>
</PropertyGroup>
<!-- Allow repository to customize signing configuration -->
<!--<Import Project="$(RepositoryEngineeringDir)Signing.props" Condition="Exists('$(RepositoryEngineeringDir)Signing.props')" />-->
<!-- Logic copied from https://github.com/dotnet/arcade/blob/master/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj --> <!-- Logic copied from https://github.com/dotnet/arcade/blob/master/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj -->
<Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'" <Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'"
@ -81,53 +40,41 @@
</Target> </Target>
<Target Name="SignLayout" <Target Name="SignLayout"
Condition="'$(SignCoreSdk)' == 'true'" Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
DependsOnTargets="SetSignProps"> DependsOnTargets="SetSignProps">
<ItemGroup> <ItemGroup>
<!-- External files -->
<LayoutFilesToSign Include="$(SdkOutputDirectory)**/Newtonsoft.Json.dll;
$(SdkOutputDirectory)**/MessagePack.Annotations.dll;
$(SdkOutputDirectory)**/MessagePack.dll;
$(SdkOutputDirectory)**/Nerdbank.Streams.dll;
$(SdkOutputDirectory)**/StreamJsonRpc.dll">
<CertificateName>$(ExternalCertificateId)</CertificateName>
</LayoutFilesToSign>
<!-- Built binaries -->
<LayoutFilesToSign Include="$(SdkOutputDirectory)**/csc.exe; <LayoutFilesToSign Include="$(SdkOutputDirectory)**/csc.exe;
$(SdkOutputDirectory)**/csc.dll; $(SdkOutputDirectory)**/csc.dll;
$(SdkOutputDirectory)**/VBCSCompiler.dll; $(SdkOutputDirectory)**/VBCSCompiler.dll;
$(SdkOutputDirectory)**/vbc.exe; $(SdkOutputDirectory)**/vbc.exe;
$(SdkOutputDirectory)**/vbc.dll; $(SdkOutputDirectory)**/vbc.dll;
$(SdkOutputDirectory)**/fsc.exe; $(SdkOutputDirectory)**/fsc.exe;
$(SdkOutputDirectory)**/fsi.exe; $(SdkOutputDirectory)**/fsi.exe;
$(SdkOutputDirectory)**/FSharp.*.dll; $(SdkOutputDirectory)**/FSharp.*.dll;
$(SdkOutputDirectory)**/Interactive.DependencyManager.dll; $(SdkOutputDirectory)**/Interactive.DependencyManager.dll;
$(SdkOutputDirectory)**/dotnet.dll; $(SdkOutputDirectory)**/dotnet.dll;
$(SdkOutputDirectory)**/dotnet.resources.dll; $(SdkOutputDirectory)**/dotnet.resources.dll;
$(SdkOutputDirectory)**/System.*.dll; $(SdkOutputDirectory)**/System.*.dll;
$(SdkOutputDirectory)**/Microsoft.*.dll; $(SdkOutputDirectory)**/Microsoft.*.dll;
$(SdkOutputDirectory)**/NuGet*.dll; $(SdkOutputDirectory)**/NuGet*.dll;
$(SdkOutputDirectory)**/datacollector.dll; $(SdkOutputDirectory)**/datacollector.dll;
$(SdkOutputDirectory)**/datacollector.exe; $(SdkOutputDirectory)**/datacollector.exe;
$(SdkOutputDirectory)**/MSBuild.dll; $(SdkOutputDirectory)**/MSBuild.dll;
$(SdkOutputDirectory)**/MSBuild.resources.dll; $(SdkOutputDirectory)**/MSBuild.resources.dll;
$(SdkOutputDirectory)**/PresentationBuildTasks.dll; $(SdkOutputDirectory)**/PresentationBuildTasks.dll;
$(SdkOutputDirectory)**/redist.dll; $(SdkOutputDirectory)**/redist.dll;
$(SdkOutputDirectory)**/rzc.dll; $(SdkOutputDirectory)**/rzc.dll;
$(SdkOutputDirectory)**/testhost.dll; $(SdkOutputDirectory)**/testhost.dll;
$(SdkOutputDirectory)**/testhost.exe; $(SdkOutputDirectory)**/testhost.exe;
$(SdkOutputDirectory)**/testhost.x86.exe; $(SdkOutputDirectory)**/testhost.x86.exe;
$(SdkOutputDirectory)**/vstest.console.dll; $(SdkOutputDirectory)**/vstest.console.dll;
$(SdkOutputDirectory)**/vstest.console.resources.dll"> $(SdkOutputDirectory)**/vstest.console.resources.dll;
<CertificateName>$(InternalCertificateId)</CertificateName> $(SdkOutputDirectory)**/Newtonsoft.Json.dll;
</LayoutFilesToSign> $(SdkOutputDirectory)**/MessagePack.Annotations.dll;
$(SdkOutputDirectory)**/MessagePack.dll;
$(SdkOutputDirectory)**/Nerdbank.Streams.dll;
<LayoutFileSignInfo Include="@(LayoutFilesToSign->'%(Filename)%(Extension)')"> $(SdkOutputDirectory)**/StreamJsonRpc.dll" />
<CertificateName>%(CertificateName)</CertificateName>
</LayoutFileSignInfo>
<DistinctLayoutFileSignInfo Include="@(LayoutFileSignInfo->Distinct())" />
</ItemGroup> </ItemGroup>
<Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(LayoutFilesToSign)' == ''" <Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(LayoutFilesToSign)' == ''"
@ -136,10 +83,10 @@
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(LayoutFilesToSign)" ItemsToSign="@(LayoutFilesToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(DistinctLayoutFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
@ -150,25 +97,20 @@
</Target> </Target>
<Target Name="SignSdkMsi" <Target Name="SignSdkMsi"
Condition="'$(SignCoreSdk)' == 'true'" Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
DependsOnTargets="SetSignProps"> DependsOnTargets="SetSignProps">
<ItemGroup> <ItemGroup>
<SdkMsiFilesToSign Include="$(SdkMSIInstallerFile)" /> <SdkMsiFilesToSign Include="$(SdkMSIInstallerFile)" />
<SdkMsiFileSignInfo Include="@(SdkMsiFilesToSign->'%(Filename)%(Extension)')">
<CertificateName>$(InternalCertificateId)</CertificateName>
</SdkMsiFileSignInfo>
<DistinctSdkMsiFileSignInfo Include="@(SdkMsiFileSignInfo->Distinct())" />
</ItemGroup> </ItemGroup>
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(SdkMsiFilesToSign)" ItemsToSign="@(SdkMsiFilesToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(DistinctSdkMsiFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
@ -179,7 +121,7 @@
</Target> </Target>
<Target Name="SignTemplatesMsis" <Target Name="SignTemplatesMsis"
Condition="'$(SignCoreSdk)' == 'true'" Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
DependsOnTargets="SetSignProps"> DependsOnTargets="SetSignProps">
<ItemGroup> <ItemGroup>
@ -191,21 +133,14 @@
<TemplatesMsiFilesToSign Include="$(Templates30MSIInstallerFile)" /> <TemplatesMsiFilesToSign Include="$(Templates30MSIInstallerFile)" />
<TemplatesMsiFilesToSign Include="$(Templates21MSIInstallerFile)" /> <TemplatesMsiFilesToSign Include="$(Templates21MSIInstallerFile)" />
</ItemGroup> </ItemGroup>
<ItemGroup>
<TemplatesMsiFileSignInfo Include="@(TemplatesMsiFilesToSign->'%(Filename)%(Extension)')">
<CertificateName>$(InternalCertificateId)</CertificateName>
</TemplatesMsiFileSignInfo>
<DistinctTemplatesMsiFileSignInfo Include="@(TemplatesMsiFileSignInfo->Distinct())" />
</ItemGroup>
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(TemplatesMsiFilesToSign)" ItemsToSign="@(TemplatesMsiFilesToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(DistinctTemplatesMsiFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
@ -216,7 +151,7 @@
</Target> </Target>
<Target Name="SignSdkBundle" <Target Name="SignSdkBundle"
Condition="'$(SignCoreSdk)' == 'true'" Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
DependsOnTargets="SetSignProps"> DependsOnTargets="SetSignProps">
<!-- Extract engine from bundle --> <!-- Extract engine from bundle -->
@ -225,16 +160,14 @@
<!-- Sign engine--> <!-- Sign engine-->
<ItemGroup> <ItemGroup>
<EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" /> <EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" />
<EngineFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostBundleEngineName)'))"
CertificateName="$(InternalCertificateId)"/>
</ItemGroup> </ItemGroup>
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(EngineFileToSign)" ItemsToSign="@(EngineFileToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(EngineFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
@ -248,17 +181,15 @@
<!-- Sign bundle --> <!-- Sign bundle -->
<ItemGroup> <ItemGroup>
<BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" /> <BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" />
<BundleFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostMSIInstallerFile)'))"
CertificateName="$(InternalCertificateId)"/>
</ItemGroup> </ItemGroup>
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(BundleFileToSign)" ItemsToSign="@(BundleFileToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(BundleFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
@ -269,25 +200,20 @@
</Target> </Target>
<Target Name="SignSdkPlaceholderMsi" <Target Name="SignSdkPlaceholderMsi"
Condition="'$(SignCoreSdk)' == 'true'" Condition="'$(SignCoreSdk)' == 'true' and '$(PostBuildSign)' != 'true'"
DependsOnTargets="SetSignProps"> DependsOnTargets="SetSignProps">
<ItemGroup> <ItemGroup>
<SdkPlaceholderMsiFilesToSign Include="$(SdkPlaceholderMSIInstallerFile)" /> <SdkPlaceholderMsiFilesToSign Include="$(SdkPlaceholderMSIInstallerFile)" />
<SdkPlaceholderMsiFileSignInfo Include="@(SdkPlaceholderMsiFilesToSign->'%(Filename)%(Extension)')">
<CertificateName>$(InternalCertificateId)</CertificateName>
</SdkPlaceholderMsiFileSignInfo>
<DistinctSdkPlaceholderMsiFileSignInfo Include="@(SdkPlaceholderMsiFileSignInfo->Distinct())" />
</ItemGroup> </ItemGroup>
<Microsoft.DotNet.SignTool.SignToolTask <Microsoft.DotNet.SignTool.SignToolTask
DryRun="$(_DryRun)" DryRun="$(_DryRun)"
TestSign="$(_TestSign)" TestSign="$(_TestSign)"
CertificatesSignInfo="$(CertificatesSignInfo)" CertificatesSignInfo="@(CertificatesSignInfo)"
ItemsToSign="@(SdkPlaceholderMsiFilesToSign)" ItemsToSign="@(SdkPlaceholderMsiFilesToSign)"
StrongNameSignInfo="@(StrongNameSignInfo)" StrongNameSignInfo="@(StrongNameSignInfo)"
FileSignInfo="@(DistinctSdkPlaceholderMsiFileSignInfo)" FileSignInfo="@(FileSignInfo)"
FileExtensionSignInfo="@(FileExtensionSignInfo)" FileExtensionSignInfo="@(FileExtensionSignInfo)"
TempDir="$(ArtifactsTmpDir)" TempDir="$(ArtifactsTmpDir)"
LogDir="$(ArtifactsLogDir)" LogDir="$(ArtifactsLogDir)"
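Review bot: After this change nothing in SignLayout or SignSdkBundle ties the built binaries, the bundle engine or the bundle itself to `$(InternalCertificateId)`. The removed `<CertificateName>$(InternalCertificateId)</CertificateName>` metadata and the `EngineFileSignInfo`/`BundleFileSignInfo` items did that explicitly. The certificate for `.dll` and `.exe` files now presumably comes from the extension defaults in the imported Arcade Sign.props, so overriding `InternalCertificateId` would only affect `.msi` files, the one place eng/Signing.props uses it. If the override is still meant to cover the binaries, eng/Signing.props needs matching entries. Otherwise a comment on each target, e.g. `<!-- Certificates are resolved from FileSignInfo/FileExtensionSignInfo in eng/Signing.props and Arcade's Sign.props -->`, would make the new source of truth explicit.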