From f637eda2d9e9a89d0e5fc378ab06122fb945262f Mon Sep 17 00:00:00 2001 
From: Noah Gilson Date: Fri, 31 Oct 2025 13:21:54 -0700 Subject: [PATCH 1/3] Add signing to `dnup` library package using `SignTool` This is a clean commit since I had to merge with main to get the initial CI working during my development branch. Please see the branch `nagilson-dnup-nuget-sign` on origin (nagilson) or upstream (dotnet/sdk) in public if you want the history of these changes. - CI now properly signs the library package for internal consumption. The actual additions: `src/Installer/Microsoft.Dotnet.Installation/Install.sign.proj` -> uses `SignTool` to sign the `dnup library` package with NuGet's Authenticode. `eng/pipelines/templates/jobs/dnup/dnup-library-package.yml` -> now runs the .sign.proj to sign the library package. Notes: - `.sign.proj` is used over `.signproj` as a convention because `code` and other editors don't have xml highlighting for `.signproj` - I considered the ESRP/MicroBuild/SignTool task but felt this was more traceable to call via MSBuild - since the binlog shows all of the 'hidden' arcade magic and variables that flow around. - I was surprised to find that having a very simple `FilesToSign` itemgroup (as many other repos do) and following the internal documentation for signing a nuget package did not work. `SignTool` was the most robust way I could find to do it.
See the drop at https://dev.azure.com/dnceng/internal/_build/results?buildId=2828736&view=artifacts&pathAsName=false&type=publishedArtifacts, download the `dnup-library-packages-unsigned` artifact (which is incorrect, I'm fixing that), clone dotnet/arcade, build, and run `.\artifacts\bin\Microsoft.DotNet.SignCheck\x86\Debug\net472\Microsoft.DotNet.SignCheck.exe -v Detailed -i "drop_path"` or `dotnet nuget verify "drop_path" -v Detailed`
---
 .../jobs/dnup/dnup-library-package.yml | 9 ++-
 .../Microsoft.Dotnet.Installation.sign.proj | 66 +++++++++++++++++++
 2 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
diff --git a/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml b/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
index d061b4613dbf..775904802ad2 100644
--- a/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
+++ b/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
@@ -44,7 +44,6 @@ jobs:
 targetPath: '$(Build.SourcesDirectory)/artifacts/packages/Release/NonShipping/'
 artifactName: 'dnup-library-packages'
 publishLocation: Container
-
 steps:
 - ${{ if eq(parameters.pool.os, 'windows') }}:
 - powershell: |
@@ -54,5 +53,11 @@ jobs:
 & .\.dotnet\dotnet build test\dnup.Tests\dnup.Tests.csproj -c Release
 displayName: 💻 Build Windows
 - powershell: |
- & .\.dotnet\dotnet pack .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.csproj
+ & .\.dotnet\dotnet pack .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.csproj
 displayName: 📦 Package dnup library
+ - powershell: |
+ & .\.dotnet\dotnet build .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.sign.proj
+ displayName: 🖋️ Sign dnup library packages with full.sign.proj (no sign target)
+ - powershell: |
+ & .\.dotnet\dotnet build .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.sign.proj /t:Sign
+ displayName: 🖋️ Sign dnup library packages with arcade signtool
diff --git a/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj b/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
new file mode 100644
index 000000000000..36ca45bcdbb0
--- /dev/null
+++ b/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
@@ -0,0 +1,66 @@
+ + + net10.0 + + <_RepoRoot Condition="'$(RepoRoot)' != ''">$(RepoRoot) + <_RepoRoot Condition="'$(_RepoRoot)' == ''">$([System.IO.Path]::GetFullPath('$(MSBuildThisFileDirectory)..\..\..\')) + + + $(_RepoRoot)artifacts\packages\Release\ + $(_RepoRoot)artifacts\obj\Sign\ + $(_RepoRoot)artifacts\log\Sign\ + + + $(_RepoRoot).dotnet\dotnet.exe + + true + true + + + + + + + MicrosoftDotNet500 + false + + + + + + + + + NuGet + + + + + test + true + + + + false + + + + + + + +
From 703cef464cc6de6808d26c21aa911ff732f3bdaf Mon Sep 17 00:00:00 2001
From: Noah Gilson
Date: Fri, 31 Oct 2025 13:29:12 -0700
Subject: [PATCH 2/3] remove extraneous leftover build step
---
 eng/pipelines/templates/jobs/dnup/dnup-library-package.yml | 3 ---
 1 file changed, 3 deletions(-)
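Review bot: The new `/t:Sign` step is not followed by any check that the package actually came out signed, so a run in which SignTool matched no files, or signed with a test certificate, still publishes `dnup-library-packages` as if it were release-signed; a step running the command the description already relies on, `& .\.dotnet\dotnet nuget verify <path to the built .nupkg> -v Detailed`, would turn that into a job failure instead of a finding at the drop. Related: the pack line on the new side passes no `-c`, while the publish task's `targetPath` and the `.sign.proj` added in this same commit both hard-code `artifacts\packages\Release\`; if the default configuration is anything other than Release, the sign step silently signs an empty set, so `& .\.dotnet\dotnet pack .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.csproj -c Release` (matching the test build line above it) would keep the three in step. Both added steps sit under the `${{ if eq(parameters.pool.os, 'windows') }}` block whose start is outside this hunk; whether signing is also restricted to internal/official runs rather than PR builds is not visible here and is worth confirming.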
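Review bot: The XML element names are stripped in this rendering, so the new file can only be read by its values in order: a `test` value immediately followed by `true` appears after the `NuGet` entry, and if that pair is the test-signing input (Arcade's `TestSign`, normally derived from `DotNetSignType`) it should be driven by the build type rather than fixed, or an official build could ship a test-signed package. The lone `false` further down reads like `AllowEmptySignList`; if so it is the right setting, since it is what makes a `/t:Sign` run that found no package in `artifacts\packages\Release\` fail rather than succeed with nothing signed, and it deserves a one-line comment saying so. A short header comment recording why SignTool is driven from a project instead of a plain `FilesToSign` item group, as the commit message explains, would save the next maintainer re-discovering it; this rendering may have dropped an existing `<!-- -->` comment, so disregard if one is already there.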
diff --git a/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml b/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
index 775904802ad2..9d649a7b06d9 100644
--- a/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
+++ b/eng/pipelines/templates/jobs/dnup/dnup-library-package.yml
@@ -55,9 +55,6 @@ jobs:
 - powershell: |
 & .\.dotnet\dotnet pack .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.csproj
 displayName: 📦 Package dnup library
- - powershell: |
- & .\.dotnet\dotnet build .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.sign.proj
- displayName: 🖋️ Sign dnup library packages with full.sign.proj (no sign target)
 - powershell: |
 & .\.dotnet\dotnet build .\src\Installer\Microsoft.Dotnet.Installation\Microsoft.Dotnet.Installation.sign.proj /t:Sign
 displayName: 🖋️ Sign dnup library packages with arcade signtool
From 26c8a18cc17bcb4ef6a40336970ff1c97cea6070 Mon Sep 17 00:00:00 2001
From: Noah Gilson
Date: Fri, 31 Oct 2025 13:32:05 -0700
Subject: [PATCH 3/3] remove unneeded property group
---
 .../Microsoft.Dotnet.Installation.sign.proj | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj b/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
index 36ca45bcdbb0..baea2590e599 100644
--- a/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
+++ b/src/Installer/Microsoft.Dotnet.Installation/Microsoft.Dotnet.Installation.sign.proj
@@ -19,14 +19,6 @@
- - - MicrosoftDotNet500 - false - -