[9.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key #63249
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
/backport to release/8.0 |
Contributor
|
Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/16951661469 |
jkoritzinsky
added
the
tell-mode
Merged
10 tasks
jkoritzinsky
added
the
Servicing-consider
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR creates duplicate DEB and RPM package files to support signing with a new PMC (Package Manager Client) key for upcoming Linux distributions like Debian 13 and SLES vNext, while maintaining existing keys for current feeds.
- Introduces new build properties and targets for creating "newkey" variants of installer packages
- Adds copy operations to generate duplicate package files with "-newkey" suffixes
- Maintains existing build processes while extending them to support dual signing requirements
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/Installers/Rpm/Directory.Build.props | Adds NewKeyVersionSuffix property for RPM packages |
| src/Installers/Rpm/Directory.Build.targets | Implements copy operation to create newkey RPM variants |
| src/Installers/Rpm/TargetingPack/Rpm.TargetingPack.rpmproj | Defines NewKeyBaseName and NewKeyExtension properties |
| src/Installers/Rpm/Runtime/Rpm.Runtime.rpmproj | Defines NewKeyBaseName and NewKeyExtension properties |
| src/Installers/Debian/Directory.Build.targets | Implements copy operation to create newkey DEB variants |
| src/Installers/Debian/TargetingPack/Debian.TargetingPack.debproj | Defines NewKeyTargetFileName property |
| src/Installers/Debian/Runtime/Debian.Runtime.debproj | Defines NewKeyTargetFileName property |
| <BuildScriptOutputFileName>$(PackageId)_$(DebPackageVersion)-$(PackageRevision)_$(DebianPackageArch).deb</BuildScriptOutputFileName> | ||
| </PropertyGroup> | ||
|
|
||
| <Copy SourceFiles="$(IntermediateOutputPath)out/$(BuildScriptOutputFileName)" DestinationFiles="$(TargetPath)" /> |
There was a problem hiding this comment.
The copy operation lacks consistency with the RPM implementation. Consider adding a message task similar to line 114 in the RPM Directory.Build.targets to provide feedback about the copy operation.
Suggested change
| <Copy SourceFiles="$(IntermediateOutputPath)out/$(BuildScriptOutputFileName)" DestinationFiles="$(TargetPath)" /> | |
| <Copy SourceFiles="$(IntermediateOutputPath)out/$(BuildScriptOutputFileName)" DestinationFiles="$(TargetPath)" /> | |
| <Message Text="Copying $(IntermediateOutputPath)out/$(BuildScriptOutputFileName) to $(OutputPath)$(NewKeyTargetFileName)" Importance="high" /> |
rbhanda
added
Servicing-approved
wtgodbe
approved these changes
Aug 21, 2025
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
This was referenced Oct 14, 2025
Closed
This was referenced Nov 17, 2025
chore(api): Bump Microsoft.AspNetCore.Authentication.JwtBearer from 9.0.9 to 9.0.11
maq77/GP14-26#58
Open
github-actions bot
pushed a commit
to saan800/github
that referenced
this pull request
Nov 17, 2025
Updated [Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/aspnetcore) from 9.0.9 to 9.0.11. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.Mvc.Testing's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 9.0.11 [Release](https://github.com/dotnet/core/releases/tag/v9.0.11) ## What's Changed * Update branding to 9.0.11 by @vseanreesermsft in dotnet/aspnetcore#63950 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63677 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63678 * [release/9.0] (deps): Bump src/submodules/googletest from `eb2d85e` to `9706f75` by @dependabot[bot] in dotnet/aspnetcore#63894 * [release/9.0] Fixed devtools url used for debug with chrome and edge by @github-actions[bot] in dotnet/aspnetcore#61948 * [release/9.0] (http2): Lower WINDOWS_UPDATE received on (half)closed stream to stream abortion by @DeagleGross in dotnet/aspnetcore#63934 * [release/9.0] Re-quarantine ServerRoutingTest.NavigationLock_OverlappingNavigationsCancelExistingNavigations_HistoryNavigation by @github-actions[bot] in dotnet/aspnetcore#63956 * [release/9.0] Fix nginx install on mac, linux by @wtgodbe in dotnet/aspnetcore#63966 * [Hot Reload] Do not attempt to apply empty deltas. by @tmat in dotnet/aspnetcore#63979 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#64036 * Revert log level severity for unknown proxy in ForwardedHeadersMiddleware by @BrennanConroy in dotnet/aspnetcore#64091 * Set timeoutInMinutes to 0 for Windows build job by @vseanreesermsft in dotnet/aspnetcore#64126 **Full Changelog**: dotnet/aspnetcore@v9.0.10...v9.0.11 ## 9.0.10 [Release](https://github.com/dotnet/core/releases/tag/v9.0.10) ## What's Changed * Update branding to 9.0.10 by @vseanreesermsft in dotnet/aspnetcore#63510 * [9.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key by @jkoritzinsky in dotnet/aspnetcore#63249 * [release/9.0] Extend Unofficial 1ES template in IdentityModel nightly tests job by @github-actions[bot] in dotnet/aspnetcore#63465 * [release/9.0] (deps): Bump src/submodules/googletest from `373af2e` to `eb2d85e` by @dependabot[bot] in dotnet/aspnetcore#63501 * [release/9.0] Quarantine ResponseBody_WriteContentLength_PassedThrough by @wtgodbe in dotnet/aspnetcore#63533 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63304 * [release/9.0] [OpenAPI] Use invariant culture for TextWriter by @martincostello in dotnet/aspnetcore#62239 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63303 * Unquarantine `RadioButtonGetsResetAfterSubmittingEnhancedForm` by @ilonatommy in dotnet/aspnetcore#63556 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63577 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63604 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63648 * backport(9.0): Fix runtime architecture detection logic in ANCM. by @DeagleGross in dotnet/aspnetcore#63707 **Full Changelog**: dotnet/aspnetcore@v9.0.9...v9.0.10 Commits viewable in [compare view](dotnet/aspnetcore@v9.0.9...v9.0.11). </details> Updated [Microsoft.AspNetCore.OpenApi](https://github.com/dotnet/aspnetcore) from 9.0.9 to 9.0.11. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.OpenApi's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 9.0.11 [Release](https://github.com/dotnet/core/releases/tag/v9.0.11) ## What's Changed * Update branding to 9.0.11 by @vseanreesermsft in dotnet/aspnetcore#63950 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63677 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63678 * [release/9.0] (deps): Bump src/submodules/googletest from `eb2d85e` to `9706f75` by @dependabot[bot] in dotnet/aspnetcore#63894 * [release/9.0] Fixed devtools url used for debug with chrome and edge by @github-actions[bot] in dotnet/aspnetcore#61948 * [release/9.0] (http2): Lower WINDOWS_UPDATE received on (half)closed stream to stream abortion by @DeagleGross in dotnet/aspnetcore#63934 * [release/9.0] Re-quarantine ServerRoutingTest.NavigationLock_OverlappingNavigationsCancelExistingNavigations_HistoryNavigation by @github-actions[bot] in dotnet/aspnetcore#63956 * [release/9.0] Fix nginx install on mac, linux by @wtgodbe in dotnet/aspnetcore#63966 * [Hot Reload] Do not attempt to apply empty deltas. by @tmat in dotnet/aspnetcore#63979 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#64036 * Revert log level severity for unknown proxy in ForwardedHeadersMiddleware by @BrennanConroy in dotnet/aspnetcore#64091 * Set timeoutInMinutes to 0 for Windows build job by @vseanreesermsft in dotnet/aspnetcore#64126 **Full Changelog**: dotnet/aspnetcore@v9.0.10...v9.0.11 ## 9.0.10 [Release](https://github.com/dotnet/core/releases/tag/v9.0.10) ## What's Changed * Update branding to 9.0.10 by @vseanreesermsft in dotnet/aspnetcore#63510 * [9.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key by @jkoritzinsky in dotnet/aspnetcore#63249 * [release/9.0] Extend Unofficial 1ES template in IdentityModel nightly tests job by @github-actions[bot] in dotnet/aspnetcore#63465 * [release/9.0] (deps): Bump src/submodules/googletest from `373af2e` to `eb2d85e` by @dependabot[bot] in dotnet/aspnetcore#63501 * [release/9.0] Quarantine ResponseBody_WriteContentLength_PassedThrough by @wtgodbe in dotnet/aspnetcore#63533 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63304 * [release/9.0] [OpenAPI] Use invariant culture for TextWriter by @martincostello in dotnet/aspnetcore#62239 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63303 * Unquarantine `RadioButtonGetsResetAfterSubmittingEnhancedForm` by @ilonatommy in dotnet/aspnetcore#63556 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63577 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63604 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63648 * backport(9.0): Fix runtime architecture detection logic in ANCM. by @DeagleGross in dotnet/aspnetcore#63707 **Full Changelog**: dotnet/aspnetcore@v9.0.9...v9.0.10 Commits viewable in [compare view](dotnet/aspnetcore@v9.0.9...v9.0.11). </details> Updated [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 18.0.0 to 18.0.1. <details> <summary>Release notes</summary> _Sourced from [Microsoft.NET.Test.Sdk's releases](https://github.com/microsoft/vstest/releases)._ ## 18.0.1 ## What's Changed Fixing an issue with loading covrun64.dll on systems that have .NET 10 SDK installed: https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/10.0/code-coverage-dynamic-native-instrumentation * Disable DynamicNative instrumentation by default by @nohwnd in microsoft/vstest#15298 * Update MicrosoftInternalCodeCoveragePackageVersion to 18.0.6 by @nohwnd in microsoft/vstest#15312 ### Internal changes * Update VersionPrefix to 18.0.1 by @nohwnd in microsoft/vstest#15301 * Update build tools to 17.8.43 by @nohwnd in microsoft/vstest#15305 **Full Changelog**: microsoft/vstest@v18.0.0...v18.0.1 Commits viewable in [compare view](microsoft/vstest@v18.0.0...v18.0.1). </details> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Nov 18, 2025
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contributes to dotnet/arcade#16047
Make duplicate deb/rpm packages so we can sign them with the new PMC key
Description
PMC has added a new signing key for packages published to repositories for new Linux distributions they will add support for, such as Debian 13 and SLES vNext. Packages pushed to these feeds must be signed with the new key. Existing feeds will maintain the same keys. The .NET signing infrastructure requires us to have separate copies of the package files to have them signed with different keys. This PR introduces separate copies of the DEB and RPM installers to be signed with the new signing keys.
Contributes to dotnet/arcade#16047
Customer Impact
Without this change, we can't ship
.debinstallers for Debian 13. With this change, we can.Regression?
Risk
[Justify the selection above]
Verification
Packaging changes reviewed?