author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-08-23 00:19:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-23 00:19:44 +0300 |
commit | e69c9d07ab06c606c4e494ab7f41a880a1dcb122 (patch) | |
tree | 37a2f3a17b078e36c38c6dea6aa218c116ffb568 /eng/Signing.props | |
parent | d8e84363082681b59d9c9c2777af9dc5eac5c287 (diff) |
[release/7.0-rc1] Change signature for diagnostic binaries (#74323)
* Add DAC signature infrastructure
* Use a .NET 6 SDK to enable signing
* Add signature verification
Co-authored-by: Juan Sebastian Hoyos Ayala <juan.hoyos@microsoft.com>
Diffstat (limited to 'eng/Signing.props')
-rw-r--r-- | eng/Signing.props | 41 |
1 files changed, 8 insertions, 33 deletions
diff --git a/eng/Signing.props b/eng/Signing.props index b4fb10e90e4..f76a7aa22c2 100644 --- a/eng/Signing.props +++ b/eng/Signing.props @@ -1,5 +1,4 @@ -<Project InitialTargets="SetupFilesToSign"> - +<Project> <PropertyGroup> <!-- Windows arm/arm64 jobs don't have MSIs to sign. Keep it simple: allow not finding any matches @@ -20,6 +19,13 @@ <!-- apphost and comhost template files are not signed, by design. --> <FileSignInfo Include="apphost.exe;singlefilehost.exe;comhost.dll" CertificateName="None" /> + <!-- + The DAC and the DBI must go through special signing provisioning using a system separate + from MicroBuild. + --> + <FileSignInfo Include="mscordaccore.dll" CertificateName="None" /> + <FileSignInfo Include="mscordbi.dll" CertificateName="None" /> + <!-- We don't need to code sign .js files because they are not used in Windows Script Host. --> <!-- WARNING: Needs to happed outside of any target --> <FileExtensionSignInfo Update=".js" CertificateName="None" /> @@ -31,8 +37,6 @@ <FileSignInfo Include="Mono.Cecil.Pdb.dll" CertificateName="3PartySHA2" /> <FileSignInfo Include="Mono.Cecil.Rocks.dll" CertificateName="3PartySHA2" /> - <FileSignInfo Include="mscordaccore.dll" CertificateName="MicrosoftSHA2" /> - <!-- Exclude symbol packages from have a NuGet signature. These are never pushed to NuGet.org or other feeds (in fact, that have identical identity to their non-symbol variant) --> <DownloadedSymbolPackages Include="$(DownloadDirectory)**\*.symbols.nupkg" /> 
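Review bot: The two added `FileSignInfo` entries for `mscordaccore.dll` and `mscordbi.dll` set `CertificateName="None"`, so nothing in eng/Signing.props now signs these binaries or fails the build if the separate provisioning step is skipped. The last hunk also removes the `SetupFilesToSign` target, which forced `AllowEmptySignList` to `false` for diagnostics builds. The commit message mentions signature verification, presumably in files outside this diffstat, so the new comment should say where it happens, e.g. `<!-- Signed and verified outside MicroBuild by <pipeline step or script>; the build must fail if either file ships unsigned. -->`. The new entries also name only the short file names, whereas the removed glob `mscordaccore*.dll` covered the long-name DAC as well. If a long-name DAC can still appear inside a signed container, it would seemingly fall back to the default `.dll` certificate instead of the special provisioning, which is worth confirming.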
@@ -61,33 +65,4 @@ <ItemsToSignPostBuild Include="@(ItemsToSignWithoutPaths->Distinct())" Condition="'$(PostBuildSign)' == 'true'" /> <ItemsToSign Include="@(ItemsToSignWithPaths->Distinct())" Condition="'$(PostBuildSign)' != 'true'" /> </ItemGroup> - - <Target Name="SetupFilesToSign"> - <!-- Ensure that we don't miss the DAC or DBI with the globbing below --> - <PropertyGroup Condition="'$(SignDiagnostics)' == 'true' or '$(SignDiagnosticsPackages)' == 'true'"> - <AllowEmptySignList>false</AllowEmptySignList> - </PropertyGroup> - - <ItemGroup Condition="'$(SignDiagnostics)' == 'true'"> - <ItemsToSign Include="$(DiagnosticsFilesRoot)\**\mscordaccore*.dll" /> - <ItemsToSign Include="$(DiagnosticsFilesRoot)\**\mscordbi.dll" /> - <!-- - The DAC should be signed with the SHA2 cert (both long and short name). - We already add the short-name DAC above, so add the long-name DAC here. - --> - <DacFileSignInfo Include="@(ItemsToSign->'%(FileName)%(Extension)')" - Condition="$([System.String]::new('%(FileName)').StartsWith('mscordaccore'))" /> - <FileSignInfo Include="@(DacFileSignInfo->ClearMetadata()->Distinct())" - Exclude="mscordaccore.dll" - CertificateName="MicrosoftSHA2" /> - </ItemGroup> - - <ItemGroup Condition="'$(SignDiagnosticsPackages)' == 'true'"> - <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages - that have a specific version of assets that are only meant to be indexed in symbol servers. - Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing. --> - <ItemsToSign Include="$(PackagesFolder)\**\*CrossOsDiag*.nupkg" /> - </ItemGroup> - </Target> - </Project> |