Enable Signing in Repos that Override Build Actions

[ellahathaway]

Closes dotnet/source-build#4064

Enables signing for the following repos which were not passing -sign under UB modes:

• aspnetcore
• fsharp
• roslyn

[ellahathaway]

Looks like the sign arg is not valid in fsharp, but I tested passing /p:Sign=true to fsharp and that worked to invoke signing. Updated in 9ef5b62

[ellahathaway]

Signing aspnetcore is failing because there are no ItemsToSign defined in Signing.props: https://github.com/dotnet/aspnetcore/blob/main/eng/Signing.props#L7-L9

Signing aspnetcore artifacts in the VMR needs to be enabled, so I'm continuing this discussion in dotnet/aspnetcore#58445 (comment).

In the meantime, I'm going to draft this PR.

[ViktorHofer]

Looks like the sign arg is not valid in fsharp, but I tested passing /p:Sign=true to fsharp and that worked to invoke signing. Updated in 9ef5b62

That's weird. Can you please file an issue in fsharp to track allowing the -sign switch?

[ellahathaway]

Looks like the sign arg is not valid in fsharp, but I tested passing /p:Sign=true to fsharp and that worked to invoke signing. Updated in 9ef5b62

That's weird. Can you please file an issue in fsharp to track allowing the -sign switch?

Yes, filed dotnet/fsharp#18011

[ellahathaway]

Need dotnet/aspnetcore#58987 to unblock aspnetcore signing in this PR.

[ellahathaway]

Interesting. Fsharp is failing on windows with an empty ItemsToSign list. Oddly, it seems like signing is being run before the packages are finished being created. That said, it's a bit hard to tell what's occurring, since I only have access to the log and not the binlog (the log output could be a red herring as it might be a concurrency issue with the printing). I'll continue to investigate this & try to repro locally.

[ViktorHofer]

FYI, dotnet/source-build#4424 is the reason why the AzDO output isn't really helpful here. Unfortunately, fsharp sometimes returns a 0 exit code even though the inner build failed.

[ellahathaway]

Edited:

Fsharp on window builds VisualFSharp.sln which only produces artifacts when using full framework MSBuild. Since we build with core in UB, there are no artifacts & signing fails with No Items to Sign. The solution here is to allow an empty ItemsToSign list when building VisualFSharp.sln with .NET Core MSbuild.

I included the patch for the fix in a8b7fb5

[ViktorHofer]

@ellahathaway are you sure about that? When I look at a linux vertical (example AzureLinux_x64_Cross_x64) I see the following artifacts getting produced:

  New artifact(s) after building fsharp:
    -> FSharp.Compiler.Service/43.9.200-preview.24578.1
    -> FSharp.Core/9.0.200-beta.24578.1
    -> assets/symbols/FSharp.Compiler.Service.43.9.200-preview.24578.1.symbols.nupkg
    -> assets/symbols/FSharp.Core.9.0.200-beta.24578.1.symbols.nupkg

[ellahathaway]

@ellahathaway are you sure about that? When I look at a linux vertical (example AzureLinux_x64_Cross_x64) I see the following artifacts getting produced:

  New artifact(s) after building fsharp:
    -> FSharp.Compiler.Service/43.9.200-preview.24578.1
    -> FSharp.Core/9.0.200-beta.24578.1
    -> assets/symbols/FSharp.Compiler.Service.43.9.200-preview.24578.1.symbols.nupkg
    -> assets/symbols/FSharp.Core.9.0.200-beta.24578.1.symbols.nupkg

Here are the artifacts that I see when I look at the windows vertical:

-   New artifact(s) after building fsharp:
    -> Microsoft.FSharp.Compiler/13.9.200-beta.24578.1
    -> assets/symbols/Microsoft.FSharp.Compiler.13.9.200-beta.24578.1.symbols.nupkg

Diving into the fsharp binlogs, there are the following items being signed in the linux:

By contrast, there are the following items being signed in the windows vertical:

I filed dotnet/source-build#4799 to investigate the missing package from the Linux build.

[ellahathaway]

It looks like both FSharp.sln and 'VisualFSharp.slndon't produce artifacts when building with .NET Core MSBuild on windows. Passing-noVisualStudio` does not help the signing issue. That said, we may need to keep it regardless because we are not building with visual studio?

I filed dotnet/fsharp#18112 to address the lack of ItemsToSign from the fsharp side. This will have to be addressed first in order to fix the failures in this PR.

[mmitche]

Is Sign ever true in source build only mode? Does this need the extra conditional?

[ellahathaway]

You're right, I don't think it'll ever be true. Given that assumption, I don't have a problem with removing the extra conditional.

[ellahathaway]

Removed in b8dc8d6

[mmitche]

Approved with the question about SB + Signing

[ViktorHofer]

It looks like both FSharp.sln and 'VisualFSharp.slndon't produce artifacts when building with .NET Core MSBuild on windows. Passing-noVisualStudio` does not help the signing issue. That said, we may need to keep it regardless because we are not building with visual studio?

Does that mean that we need to switch to desktop msbuild when building fsharp on Windows?

[ellahathaway]

It looks like both FSharp.sln and 'VisualFSharp.slndon't produce artifacts when building with .NET Core MSBuild on windows. Passing-noVisualStudio` does not help the signing issue. That said, we may need to keep it regardless because we are not building with visual studio?

Does that mean that we need to switch to desktop msbuild when building fsharp on Windows?

If we want to produce .vsix files out of the fsharp build, then yes.

@mmitche - pinging for your thoughts on Viktor's question