Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the ability to use the .NET certificate with a switch #7347

Merged
merged 3 commits into from
May 6, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions Documentation/CorePackages/Signing.md

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

charts/kube-prometheus-stack/templates/prometheus/rules-1.14/kubernetes-apps.yaml

Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,30 @@ Click [here](../../src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj) to see how t
...
```

#### 8. How can I use the .NET specific certificate for executable files?

By default, `Microsoft400` is the cert used by default for most executable files (e.g .dll, .js, .exe). To use the .NET specific cert (`MicrosoftDotNet500`),
use one of the following approaches:

1. Update the existing `FileExtensionSignInfo` and `StrongNameSignInfo` metadata in [Sign.props](../../src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props)
to use `MicrosoftDotNet500`. This approach must be used if some files still need to be signed with `Microsoft400`.
```
<ItemGroup>
<FileExtensionSignInfo Update=".js;.ps1;.psd1;.psm1;.psc1;.py;.dll;.exe" CertificateName="MicrosoftDotNet500" />
<StrongNameSignInfo Update="MsSharedLib72" PublicKeyToken="31bf3856ad364e35" CertificateName="MicrosoftDotNet500" />
<StrongNameSignInfo Update="SilverlightCert121" PublicKeyToken="7cec85d7bea7798e" CertificateName="MicrosoftDotNet500" />
<StrongNameSignInfo Update="StrongName" PublicKeyToken="b77a5c561934e089" CertificateName="MicrosoftDotNet500" />
<StrongNameSignInfo Update="StrongName" PublicKeyToken="b03f5f7f11d50a3a" CertificateName="MicrosoftDotNet500" />
<StrongNameSignInfo Update="$(MSBuildThisFileDirectory)snk\Open.snk" PublicKeyToken="cc7b13ffcd2ddd51" CertificateName="MicrosoftDotNet500" />
</ItemGroup>
```
2. Specify the property `UseDotNetCertificate` with value `true` in your `eng/Signing.props` file. This **replaces** all existing use of `Microsoft400` with `MicrosoftDotNet500`.
```
<PropertyGroup>
<UseDotNetCertificate>f</UseDotNetCertificate>
</PropertyGroup>
```

## Logs & MicroBuild configuration files

The log messages from the SignToolTask itself will be included in the log (+.binlog) of the original build process. The binary log of executing the MicroBuild signing plugin will be stored in files named `SigningX.binlog` in the `LogDir` folder. The project files used to call the MicroBuild plugin will be stored in files named `RoundX.proj` in the `TempDir` folder. In both cases the `X` in the name refers to a signing round.
Expand Down
10 changes: 10 additions & 0 deletions src/Microsoft.DotNet.Arcade.Sdk/tools/Publish.proj
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,16 @@

<Import Project="Sign.props" />

<!-- Update sign infos that were using Microsoft400 to use the .NET-specific cert if UseDotNetCertificate is present.
This will update any use, even if explicitly specified.
NOTE: This is outside the target on purpose, as Update will not correctly evaluate in the target. See
https://github.com/dotnet/msbuild/issues/1618. -->
<ItemGroup Condition="$(UseDotNetCertificate)">
<FileExtensionSignInfo Update="@(FileExtensionSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
<StrongNameSignInfo Update="@(StrongNameSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
<FileSignInfo Update="@(FileSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
</ItemGroup>

<Import Project="SourceBuild/SourceBuildArcadePublish.targets" Condition="'$(ArcadeBuildFromSource)' == 'true'" />

</Project>
10 changes: 10 additions & 0 deletions src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,16 @@

<Import Project="Sign.props" />

<!-- Update sign infos that were using Microsoft400 to use the .NET-specific cert if UseDotNetCertificate is present.
This will update any use, even if explicitly specified.
NOTE: This is outside the target on purpose, as Update will not correctly evaluate in the target. See
https://github.com/dotnet/msbuild/issues/1618. -->
<ItemGroup Condition="$(UseDotNetCertificate)">
<FileExtensionSignInfo Update="@(FileExtensionSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
<StrongNameSignInfo Update="@(StrongNameSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
<FileSignInfo Update="@(FileSignInfo->WithMetadataValue('CertificateName','Microsoft400'))" CertificateName="$(DotNetCertificateName)" />
</ItemGroup>

<Target Name="Sign">
<Error Text="The value of DotNetSignType is invalid: '$(DotNetSignType)'"
Condition="'$(DotNetSignType)' != 'real' and '$(DotNetSignType)' != 'test' and '$(DotNetSignType)' != ''" />
Expand Down
8 changes: 8 additions & 0 deletions src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,14 @@
<FileExtensionSignInfo Include=".zip" CertificateName="None" />
</ItemGroup>

<!-- The name of the .NET specific certificate, which is a general replacement for Microsoft400
If UseDotNetCert is specific in a repo's eng/Signing.props, all usage of Microsoft400 is replaced
with MicrosoftDotNet500 -->
<PropertyGroup>
<DotNetCertificateName>MicrosoftDotNet500</DotNetCertificateName>
<UseDotNetCertificate>false</UseDotNetCertificate>
</PropertyGroup>

<PropertyGroup>
<!-- Flags for controlling whether empty signing lists are detected for in build and post-build signing.
These flags are split (rather than just a single check based on PostBuildSign == true/false because
Expand Down