
Signing.props « eng - github.com/dotnet/runtime.git - Unnamed repository; edit this file 'description' to name the repository.
<Project InitialTargets="SetupFilesToSign">

  <PropertyGroup>
    <!--
      Windows arm/arm64 jobs don't have MSIs to sign. Keep it simple: allow not finding any matches
      here and rely on overall signing validation.

      During post build signing, there are no packages to sign during SignFinalPackages.

      NOTE(review): with this default, an empty sign list is presumably not treated as an error at
      this stage, so a glob that unexpectedly matches nothing is only caught by the later signing
      validation mentioned above. The SetupFilesToSign target in this file sets the value back to
      false when SignDiagnostics or SignDiagnosticsPackages is 'true'.
    -->
    <AllowEmptySignList>true</AllowEmptySignList>
  </PropertyGroup>

  <ItemGroup>
    <!--
      Replace the default items to sign with the specific set we want. This allows the build to call
      Arcade's Sign.proj multiple times for different sets of files as the build progresses.
    -->
    <ItemsToSign Remove="@(ItemsToSign)" />

    <!--
      apphost and comhost template files are not signed, by design.
      NOTE(review): these FileSignInfo entries are bare file names with no directory part, so the
      "None" certificate presumably applies to every file with one of these names anywhere in the
      signing set. Confirm that no other binary sharing one of these names is expected to be signed.
    -->
    <FileSignInfo Include="apphost.exe;singlefilehost.exe;comhost.dll" CertificateName="None" />

    <!-- Third-party components which should be signed. They use a separate certificate name (3PartySHA2). -->
    <FileSignInfo Include="Newtonsoft.Json.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Mdb.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Pdb.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Rocks.dll" CertificateName="3PartySHA2" />

    <!--
      Short-name DAC. The long-name DAC files are mapped to the same certificate inside the
      SetupFilesToSign target, which excludes this name to avoid declaring it twice.
    -->
    <FileSignInfo Include="mscordaccore.dll" CertificateName="MicrosoftSHA2" />

    <!-- Exclude symbol packages from having a NuGet signature. These are never pushed to NuGet.org or
         other feeds (in fact, they have an identity identical to their non-symbol variant).
         The downloaded packages are reduced to file name plus extension and de-duplicated before
         being given CertificateName="None". -->
    <DownloadedSymbolPackages Include="$(DownloadDirectory)**\*.symbols.nupkg" />
    <DownloadedSymbolPackagesWithoutPaths Include="@(DownloadedSymbolPackages->'%(Filename)%(Extension)')" />
    <FileSignInfo Include="@(DownloadedSymbolPackagesWithoutPaths->Distinct())" CertificateName="None" />

    <!--
      Per-extension certificate assignments for installer formats. The certificate names are
      identifiers that are not defined in this file; they are resolved elsewhere.
    -->
    <FileExtensionSignInfo Include=".msi" CertificateName="MicrosoftDotNet500" />
    <FileExtensionSignInfo Include=".pkg" CertificateName="8003" />
    <FileExtensionSignInfo Include=".deb;.rpm" CertificateName="LinuxSign" />
  </ItemGroup>

  <!--
    Update existing defaults from arcade that were using Microsoft400 to use the .NET-specific cert.
    Each Update selects only the items whose CertificateName metadata equals 'Microsoft400' and
    rewrites that metadata to MicrosoftDotNet500. Items carrying any other certificate name are
    left as they are.
    NOTE(review): an Update at this position only reaches items already defined when this group is
    evaluated. Anything added later with Microsoft400 (for example from inside a target) would
    keep that certificate name; verify that none is.
  -->
  <ItemGroup>
    <FileExtensionSignInfo Update="@(FileExtensionSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="MicrosoftDotNet500" />
    <StrongNameSignInfo Update="@(StrongNameSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="MicrosoftDotNet500" />
    <FileSignInfo Update="@(FileSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="MicrosoftDotNet500" />
  </ItemGroup>

  <!--
    Post-build signing list, built only when both PrepareArtifacts and PostBuildSign are 'true'.
    Every .msi, .exe, .nupkg and .zip found anywhere under DownloadDirectory is collected, reduced
    to file name plus extension, and de-duplicated into ItemsToSignPostBuild (consumed outside this
    file).
    NOTE(review): the glob is appended directly to the property, so DownloadDirectory presumably
    ends with a directory separator; confirm. Because the list is derived purely from what is on
    disk, DownloadDirectory should contain only artifacts produced by this build. Files with the
    same name in different subdirectories collapse to a single entry after Distinct().
  -->
  <ItemGroup Condition="'$(PrepareArtifacts)' == 'true' and '$(PostBuildSign)' == 'true'">
    <ItemsToSignWithPaths Include="$(DownloadDirectory)**\*.msi" />
    <ItemsToSignWithPaths Include="$(DownloadDirectory)**\*.exe" />
    <ItemsToSignWithPaths Include="$(DownloadDirectory)**\*.nupkg" />
    <ItemsToSignWithPaths Include="$(DownloadDirectory)**\*.zip" />

    <ItemsToSignWithoutPaths Include="@(ItemsToSignWithPaths->'%(Filename)%(Extension)')" />
    <ItemsToSignPostBuild Include="@(ItemsToSignWithoutPaths->Distinct())" />
  </ItemGroup>

  <!--
    Listed in the Project element's InitialTargets. Adds the diagnostics binaries and the cross-OS
    diagnostics packages to ItemsToSign when the corresponding properties are 'true'.
  -->
  <Target Name="SetupFilesToSign">
    <!--
      Ensure that we don't miss the DAC or DBI with the globbing below: for these two modes the
      file-level default of AllowEmptySignList=true is overridden with false.
    -->
    <PropertyGroup Condition="'$(SignDiagnostics)' == 'true' or '$(SignDiagnosticsPackages)' == 'true'">
      <AllowEmptySignList>false</AllowEmptySignList>
    </PropertyGroup>

    <ItemGroup Condition="'$(SignDiagnostics)' == 'true'">
      <!-- Recursive globs under DiagnosticsFilesRoot: every DAC variant (mscordaccore*.dll) plus mscordbi.dll. -->
      <ItemsToSign Include="$(DiagnosticsFilesRoot)\**\mscordaccore*.dll" />
      <ItemsToSign Include="$(DiagnosticsFilesRoot)\**\mscordbi.dll" />
      <!--
        The DAC should be signed with the SHA2 cert (both long and short name).
        We already add the short-name DAC above, so add the long-name DAC here.

        DacFileSignInfo keeps only the ItemsToSign entries whose file name starts with
        'mscordaccore', as file name plus extension. Metadata is then cleared and duplicates are
        dropped. The short name mscordaccore.dll is excluded because the top-level item group of
        this file already declares a FileSignInfo for it with the same certificate.
      -->
      <DacFileSignInfo Include="@(ItemsToSign->'%(FileName)%(Extension)')"
                    Condition="$([System.String]::new('%(FileName)').StartsWith('mscordaccore'))" />
      <FileSignInfo Include="@(DacFileSignInfo->ClearMetadata()->Distinct())"
                    Exclude="mscordaccore.dll"
                    CertificateName="MicrosoftSHA2" />
    </ItemGroup>
    
    <ItemGroup Condition="'$(SignDiagnosticsPackages)' == 'true'">
      <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages
      that have a specific version of assets that are only meant to be indexed in symbol servers.
      Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing.
      NOTE(review): the pattern below matches any .nupkg under PackagesFolder whose name contains
      CrossOsDiag, not only symbol packages; confirm that this breadth is intended. -->
      <ItemsToSign Include="$(PackagesFolder)\**\*CrossOsDiag*.nupkg" />
    </ItemGroup>
  </Target>

</Project>