Skip to content

Sign Microsoft.Installation library package #51488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: release/dnup
Choose a base branch
from
Open

Sign Microsoft.Installation library package #51488

wants to merge 3 commits into from

Conversation

@nagilson
Copy link
Member

@nagilson nagilson commented Oct 29, 2025
edited
Loading

  • CI now properly signs the library package for internal consumption.

Resolves #50621 (there should be another tracking issue for signing the library)

The actual additions:
src/Installer/Microsoft.Dotnet.Installation/Install.sign.proj -> uses SignTool to sign the dnup library package with NuGet's Authenticode.
eng/pipelines/templates/jobs/dnup/dnup-library-package.yml -> now runs the .sign.proj to sign the library package.

We still need to push the package to a public stream for consumption, aka dotnet/tools feed in dnceng-public. That's being tracked here: #51513

Notes:

  • .sign.proj is used over .signproj as a convention because code and other editors don't have xml highlighting for .signproj
  • I considered the ESRP/MicroBuild/SignTool task but felt this was more traceable to call via MSBuild - since the binlog shows all of the 'hidden' arcade magic and variables that flow around.
  • I was surprised to find that having a very simple FilesToSign itemgroup (as many other repos do) and that following the internal documentation for signing a nuget package did not work. SignTool was the most robust way I could find to do it.

For the first example of a successful run, See the drop at https://dev.azure.com/dnceng/internal/_build/results?buildId=2828736&view=artifacts&pathAsName=false&type=publishedArtifacts, download the dnup-library-packages-unsigned artifact (which is incorrect, and fixed), clone dotnet/arcade, build, and run
.\artifacts\bin\Microsoft.DotNet.SignCheck\x86\Debug\net472\Microsoft.DotNet.SignCheck.exe -v Detailed -i "drop_path"
or
dotnet nuget verify "drop_path" -v Detailed

@nagilson nagilson requested a review from MiYanni as a code owner October 29, 2025 23:35
@nagilson nagilson requested a review from a team as a code owner October 30, 2025 23:34
@build-analysis build-analysis bot mentioned this pull request Oct 31, 2025
Open
@nagilson
Add signing to dnup library package using SignTool
f637eda 
This is a clean commit since I had to merge with main to get the initial CI working during my development branch. Please see the branch `nagilson-dnup-nuget-sign` on origin (nagilson) or upstream (dotnet/sdk) in public if you want the history of these changes.

- CI now properly signs the library package for internal consumption.

The actual additions:
`src/Installer/Microsoft.Dotnet.Installation/Install.sign.proj` -> uses `SignTool` to sign the `dnup library` package with NuGet's Authenticode.
`eng/pipelines/templates/jobs/dnup/dnup-library-package.yml` -> now runs the .sign.proj to sign the library package.

Notes:
- `.sign.proj` is used over `.signproj` as a convention because `code` and other editors don't have xml highlighting for `.signproj`
- I considered the ESRP/MicroBuild/SignTool task but felt this was more traceable to call via MSBuild - since the binlog shows all of the 'hidden' arcade magic and variables that flow around.
- I was surprised to find that having a very simple `FilesToSign` itemgroup (as many other repos do) and that following the internal documentation for signing a nuget package did not work. `SignTool` was the most robust way I could find to do it.

See the drop at https://dev.azure.com/dnceng/internal/_build/results?buildId=2828736&view=artifacts&pathAsName=false&type=publishedArtifacts, download the `dnup-library-packages-unsigned` artifact (which is incorrect, I'm fixing that), clone dotnet/arcade, build, and run
`.\artifacts\bin\Microsoft.DotNet.SignCheck\x86\Debug\net472\Microsoft.DotNet.SignCheck.exe -v Detailed -i "drop_path"`
or
`dotnet nuget verify "drop_path" -v Detailed`
@nagilson nagilson force-pushed the nagilson-dnup-nuget-sign branch from 44440ae to f637eda Compare October 31, 2025 20:22
@nagilson nagilson removed request for a team and MiYanni October 31, 2025 20:23
@nagilson nagilson mentioned this pull request Oct 31, 2025
Open
@nagilson nagilson requested review from a team and dsplaisted October 31, 2025 20:32
dsplaisted
dsplaisted approved these changes Oct 31, 2025
View reviewed changes
src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
Comment on lines +5 to +6
<_RepoRoot Condition="'$(RepoRoot)' != ''">$(RepoRoot)</_RepoRoot>
<_RepoRoot Condition="'$(_RepoRoot)' == ''">$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)..\..\..\'))</_RepoRoot>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary here? Isn't it set via the Arcade SDK which Directory.Build.props brings in?

If not, then this is probably a bit better (from Arcade):

<RepoRoot Condition="'$(RepoRoot)' == ''">$([MSBuild]::NormalizeDirectory('$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), 'global.json'))'))</RepoRoot>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dsplaisted dsplaisted dsplaisted approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nagilson @dsplaisted