diff options
author | Davis Goodin <dagood@users.noreply.github.com> | 2019-12-19 03:55:25 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-12-19 03:55:25 +0300 |
commit | 385121f62de417c2a2416add568b34880b4c5ea6 (patch) | |
tree | 2468ffdd9894092308d40ebc40ab3008629c1186 /eng/Signing.props | |
parent | 2755362aed8412f47a3ca6cc419a9a85f55b0314 (diff) |
Add official signed build pipeline (#1016)
* Add official signed build
* Don't attempt test signing during PR validation
* Add build trigger include/exclude paths
* Remove unnecessary conditions (config, success)
* Add issue link for internal tool restore
* Add issue link for test signing
* Fix consolidation TODO formatting, links for all
Diffstat (limited to 'eng/Signing.props')
-rw-r--r-- | eng/Signing.props | 124 |
1 files changed, 122 insertions, 2 deletions
diff --git a/eng/Signing.props b/eng/Signing.props index 8dcf5bde817..3ab32f20c8e 100644 --- a/eng/Signing.props +++ b/eng/Signing.props @@ -1,3 +1,123 @@ <Project> - <!-- TODO: Consolidate the Signing.props files into here. --> -</Project>
\ No newline at end of file + + <PropertyGroup> + <!-- + Windows arm/arm64 jobs don't have MSIs to sign. Keep it simple: allow not finding any matches + here and rely on overall signing validation. + --> + <AllowEmptySignList>true</AllowEmptySignList> + </PropertyGroup> + + <!-- Get artifact locations to sign. --> + <Import Project="$(RepositoryEngineeringDir)/liveBuilds.targets" /> + + <ItemGroup> + <!-- + Replace the default items to sign with the specific set we want. This allows the build to call + Arcade's Sign.proj multiple times for different sets of files as the build progresses. + --> + <ItemsToSign Remove="@(ItemsToSign)" /> + + <!-- Find bundle artifacts, which need multiple stages to fully sign. --> + <BundleInstallerEngineArtifact Include="$(ArtifactsPackagesDir)**/*engine.exe" /> + <BundleInstallerExeArtifact Include="$(ArtifactsPackagesDir)**/*.exe" /> + + <!-- apphost and comhost template files are not signed, by design. --> + <FileSignInfo Include="apphost.exe;comhost.dll" CertificateName="None" /> + </ItemGroup> + + <ItemGroup Condition="'$(CrossTargetComponentFolder)' != ''"> + <CoreCLRCrossTargetItemsToSign Include="$(CoreCLRArtifactsPath)$(CrossTargetComponentFolder)/sharedFramework/*.dll" /> + <CoreCLRCrossTargetItemsToSign Include="$(CoreCLRArtifactsPath)$(CrossTargetComponentFolder)/sharedFramework/*.exe" /> + </ItemGroup> + + <ItemGroup Condition="'$(SignBinaries)' == 'true'"> + <!-- Sign CoreCLR. --> + <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)*.dll" /> + <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)*.exe" /> + + <ItemsToSign Include="$(CoreCLRArtifactsPath)System.Private.CoreLib.dll" /> + + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/crossgen2.exe" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/crossgen2.dll" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/ILCompiler.DependencyAnalysisFramework.dll" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/ILCompiler.ReadyToRun.dll" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/ILCompiler.TypeSystem.ReadyToRun.dll" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/clrjitilc.dll" /> + <ItemsToSign Include="$(CoreCLRArtifactsPath)crossgen2/jitinterface.dll" /> + + <ItemsToSign Include="@(CoreCLRCrossTargetItemsToSign)" /> + + <FileSignInfo Include="mscordaccore.dll" CertificateName="MicrosoftSHA2" /> + + <!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK. --> + <ItemsToSign + Condition="'$(ConfigurationGroup)' == 'Release' and '$(TargetArchitecture)' == 'x86'" + Include="$(CoreCLRArtifactsPath)Redist\ucrt\DLLs\$(TargetArchitecture)\api-ms-win-core-xstate-l2-1-0.dll" /> + + <!-- Sign libraries. --> + <ItemsToSign Include="$(LibrariesNativeArtifactsPath)*.dll" /> + <ItemsToSign Include="$(LibrariesSharedFrameworkRefArtifactsPath)*.dll" /> + <!-- Most runtime artifacts will be crossgenned, so sign them post-crossgen. mscorlib isn't. --> + <ItemsToSign Include="$(LibrariesSharedFrameworkBinArtifactsPath)mscorlib.dll" /> + + <!-- Sign the host. --> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/hostfxr.dll" /> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/hostpolicy.dll" /> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/dotnet.exe" /> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/ijwhost.dll" /> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/winrthost.dll" /> + <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/nethost.dll" /> + + <!-- Sign managed libraries in installer subset. --> + <ItemsToSign Include="$(ArtifactsBinDir)Microsoft.DotNet.PlatformAbstractions/**/*.dll" /> + <ItemsToSign Include="$(ArtifactsBinDir)Microsoft.Extensions.DependencyModel/**/*.dll" /> + <ItemsToSign Include="$(ArtifactsBinDir)Microsoft.NET.HostModel/**/*.dll" /> + </ItemGroup> + + <!-- Sign ready-to-run binaries after crossgen is applied. --> + <ItemGroup Condition="'$(SignR2RBinaries)' == 'true'"> + <ItemsToSign Include="$(CrossGenRootPath)**/*.dll" /> + </ItemGroup> + + <ItemGroup Condition="'$(SignMsiFiles)' == 'true'"> + <ItemsToSign Include="$(ArtifactsPackagesDir)**/*.msi" /> + <ItemsToSign Include="$(ArtifactsPackagesDir)**/*.cab" /> + </ItemGroup> + + <ItemGroup Condition="'$(SignBurnEngineFiles)' == 'true'"> + <ItemsToSign Include="@(BundleInstallerEngineArtifact)" /> + </ItemGroup> + + <ItemGroup Condition="'$(SignBurnBundleFiles)' == 'true'"> + <!-- Sign the bundles, now that the engine is reattached. Avoid re-signing the engine. --> + <ItemsToSign + Include="@(BundleInstallerExeArtifact)" + Exclude="@(BundleInstallerEngineArtifact)" /> + <!-- Note: wixstdba is internal to the engine bundle and does not get signed. --> + </ItemGroup> + + <ItemGroup Condition="'$(SignFinalPackages)' == 'true'"> + <DownloadedSymbolPackages Include="$(DownloadDirectory)**\*.symbols.nupkg" /> + <ItemsToSign Include="$(DownloadDirectory)**\*.nupkg" Exclude="@(DownloadedSymbolPackages)" /> + + <ItemsToSign Include="$(DownloadDirectory)**\*.deb" /> + <ItemsToSign Include="$(DownloadDirectory)**\*.rpm" /> + </ItemGroup> + + <ItemGroup> + <!-- External files --> + <ItemsToSign Remove="@(ItemsToSign->WithMetadataValue('Filename', 'Newtonsoft.Json'))" /> + </ItemGroup> + + <ItemGroup> + <ItemsToSign Update="@(ItemsToSign)" Authenticode="$(CertificateId)" /> + </ItemGroup> + + <ItemGroup> + <FileExtensionSignInfo Include=".msi" CertificateName="Microsoft400" /> + <FileExtensionSignInfo Include=".pkg" CertificateName="8003" /> + <FileExtensionSignInfo Include=".deb;.rpm" CertificateName="LinuxSign" /> + </ItemGroup> + +</Project> |