Signing cleanup #44658

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

jkoritzinsky merged 9 commits into dotnet:master from jkoritzinsky:signing-cleanup

Nov 17, 2020

eng/Signing.props

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -47,7 +47,7 @@
  
      <Target Name="SetupFilesToSign">

        <!-- Ensure that we don't miss the DAC or DBI with the globbing below -->

        <PropertyGroup Condition="'$(SignDiagnostics)' == 'true'">

        <PropertyGroup Condition="'$(SignDiagnostics)' == 'true' or '$(SignDiagnosticsPackages)' == 'true'">

          <AllowEmptySignList>false</AllowEmptySignList>

        </PropertyGroup>

    @@ -65,11 +65,11 @@
  
                        CertificateName="MicrosoftSHA2" />

        </ItemGroup>

        <ItemGroup Condition="'$(SignFinalPackages)' == 'true'">

        <ItemGroup Condition="'$(SignDiagnosticsPackages)' == 'true'">

          <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages

          that have a specific version of assets that are only meant to be indexed in symbol servers.

          Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing. -->

          <ItemsToSign Include="$(DownloadDirectory)**\*CrossOsDiag*.nupkg" />

          <ItemsToSign Include="$(PackagesFolder)\**\*CrossOsDiag*.nupkg" />

        </ItemGroup>

      </Target>

eng/Subsets.props

-Original file line number
+Diff line change
@@ Expand Up / @@ -258,7 +258,7 @@ @@
       </ItemGroup>
       <ItemGroup Condition="$(_subset.Contains('+host.pkg+'))">
-        <PkgprojProjectToBuild Include="$(InstallerProjectRoot)pkg\projects\**\*.pkgproj" SignPhase="MsiFiles" BuildInParallel="false" />
+        <PkgprojProjectToBuild Include="$(InstallerProjectRoot)pkg\projects\host-packages.proj" SignPhase="MsiFiles" BuildInParallel="false" />
         <ProjectToBuild Include="@(PkgprojProjectToBuild)" Pack="true" Category="host" />
       </ItemGroup>
@@ Expand Down @@

eng/pipelines/common/upload-intermediate-artifacts-step.yml

-Original file line number
+Diff line change
@@ -0,0 +1,20 @@
+    parameters:
+      name: ''
+    steps:
+    - task: CopyFiles@2
+      displayName: Prepare job-specific intermediate artifacts subdirectory
+      inputs:
+        SourceFolder: '$(Build.SourcesDirectory)/artifacts/packages/$(_BuildConfig)'
+        Contents: |
+          Shipping/**/*
+          NonShipping/**/*
+        TargetFolder: '$(Build.StagingDirectory)/IntermediateArtifacts/${{ parameters.name }}'
+        CleanTargetFolder: true
+    - task: PublishBuildArtifacts@1
+      displayName: Publish intermediate artifacts
+      inputs:
+        pathToPublish: '$(Build.StagingDirectory)/IntermediateArtifacts'
+        artifactName: IntermediateArtifacts
+        artifactType: container

eng/pipelines/common/upload-unsigned-artifacts-step.yml

This file was deleted.

eng/pipelines/coreclr/templates/build-job.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -259,7 +259,6 @@ jobs: @@
               archType: ${{ parameters.archType }}
               osGroup: ${{ parameters.osGroup }}
               osSubgroup: ${{ parameters.osSubgroup }}
-              signCrossDac: ${{ parameters.signBinaries }}
         - ${{ if and(ne(parameters.compilerName, 'gcc'), ne(parameters.testGroup, ''), ne(parameters.testGroup, 'clrTools')) }}:
           # Publish test native components for consumption by test execution.
@@ Expand All / @@ -284,7 +283,7 @@ jobs: @@
         # Save packages using the prepare-signed-artifacts format.
         - ${{ if and(eq(parameters.isOfficialBuild, true), ne(parameters.testGroup, 'clrTools')) }}:
-          - template: /eng/pipelines/common/upload-unsigned-artifacts-step.yml
+          - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml
             parameters:
               name: ${{ parameters.platform }}
@@ Expand Down @@

eng/pipelines/coreclr/templates/crossdac-build.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,6 @@ parameters: @@
       archType: ''
       osGroup: ''
       osSubgroup: ''
-      signCrossDac: false
     steps:
       # Always build the crossdac, that way we know in CI/PR if things break to build.
@@ Expand Down Expand Up / @@ -31,23 +30,6 @@ steps: @@
               !**/sharedFramework/**/*
             TargetFolder: '$(buildMuslDacStagingPath)'
-        # Sign diagnostic files on Windows
-        - ${{ if eq(parameters.signCrossDac, true) }}:
-          - powershell: >-
-              eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0
-              /p:DiagnosticsFilesRoot="$(buildLinuxDacStagingPath)"
-              /p:SignDiagnostics=true
-              /p:DotNetSignType=$(SignType)
-              -projects $(Build.SourcesDirectory)\eng\empty.csproj
-            displayName: Sign Linux CrossDac
-          - powershell: >-
-              eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0
-              /p:DiagnosticsFilesRoot="$(buildMuslDacStagingPath)"
-              /p:SignDiagnostics=true
-              /p:DotNetSignType=$(SignType)
-              -projects $(Build.SourcesDirectory)\eng\empty.csproj
-            displayName: Sign Linux-musl CrossDac
       - ${{ if eq(parameters.osGroup, 'Linux') }}:
         - task: CopyFiles@2
           displayName: Gather runtime for CrossDac
@@ Expand Down @@

eng/pipelines/coreclr/templates/crossdac-pack.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -42,6 +42,8 @@ jobs: @@
             value: '/p:OfficialBuildId=$(Build.BuildNumber)'
           - name: crossDacArgs
             value: '/p:CrossDacArtifactsDir=$(crossDacArtifactPath)/$(buildCrossDacArtifactName)'
+        - name: SignType
+          value: $[ coalesce(variables.OfficialSignType, 'real') ]
         - ${{ parameters.variables }}
         dependsOn:
@@ Expand All / @@ -50,6 +52,19 @@ jobs: @@
             - ${{ parameters.runtimeFlavor }}_${{ parameters.runtimeVariant }}_product_build_${{ platform }}_${{ parameters.buildConfig }}
         steps:
+        # Install MicroBuild for signing the package
+        - ${{ if eq(parameters.isOfficialBuild, true) }}:
+          - template: /eng/pipelines/common/restore-internal-tools.yml
+          - task: MicroBuildSigningPlugin@2
+            displayName: Install MicroBuild plugin for Signing
+            inputs:
+              signType: $(SignType)
+              zipSources: false
+              feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
+            continueOnError: false
+            condition: and(succeeded(), in(variables['SignType'], 'real', 'test'))
         - task: DownloadBuildArtifacts@0
           displayName: Download CrossDac artifacts
           inputs:
@@ Expand All / @@ -59,8 +74,18 @@ jobs: @@
         - script: $(Build.SourcesDirectory)$(dir)build$(scriptExt) -subset crossdacpack -arch $(archType) $(osArg) -c $(buildConfig) $(officialBuildIdArg) $(crossDacArgs) -ci
           displayName: Build crossdac packaging
+        # Sign diagnostic files
+        - ${{ if eq(parameters.isOfficialBuild, true) }}:
+          - powershell: >-
+              eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0
+              /p:PackagesFolder="$(Build.SourcesDirectory)/artifacts/packages/$(buildConfig)"
+              /p:SignDiagnosticsPackages=true
+              /p:DotNetSignType=$(SignType)
+              -projects $(Build.SourcesDirectory)\eng\empty.csproj
+            displayName: Sign CrossDac package and contents
         # Save packages using the prepare-signed-artifacts format.
-        - template: /eng/pipelines/common/upload-unsigned-artifacts-step.yml
+        - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml
           parameters:
             name: ${{ parameters.platform }}
@@ Expand Down @@

eng/pipelines/installer/jobs/steps/upload-job-artifacts.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,7 @@ parameters: @@
     steps:
     # Upload build artifacts (packages) to pipeline only if official, to save storage space.
     - ${{ if eq(parameters.isOfficialBuild, true) }}:
-      - template: /eng/pipelines/common/upload-unsigned-artifacts-step.yml
+      - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml
         parameters:
           name: ${{ parameters.name }}
@@ Expand Down @@

eng/pipelines/libraries/build-job.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -129,7 +129,7 @@ jobs: @@
               # platform-specific jobs' nupkgs automatically flow through the matching platform-specific
               # Installer build, but AllConfigurations should only be uploaded once, here.
               - ${{ if eq(parameters.isOfficialAllConfigurations, true) }}:
-                - template: /eng/pipelines/common/upload-unsigned-artifacts-step.yml
+                - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml
                   parameters:
                     name: Libraries_AllConfigurations
@@ Expand Down @@

eng/pipelines/official/jobs/prepare-signed-artifacts.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -37,9 +37,9 @@ jobs:
  
                    in(variables['SignType'], 'real', 'test'))

      - task: DownloadBuildArtifacts@0

        displayName: Download IntermediateUnsignedArtifacts

        displayName: Download IntermediateArtifacts

        inputs:

          artifactName: IntermediateUnsignedArtifacts

          artifactName: IntermediateArtifacts

          downloadPath: $(Build.SourcesDirectory)\artifacts\PackageDownload

      - script: >-

eng/pipelines/runtime-official.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -72,7 +72,7 @@ stages:
  
          jobTemplate: /eng/pipelines/coreclr/templates/crossdac-pack.yml

          buildConfig: release

          platforms:

          - Linux_musl_x64

          - windows_x64

          jobParameters:

            isOfficialBuild: ${{ variables.isOfficialBuild }}

            crossDacPlatforms:

    @@ -120,7 +120,7 @@ stages:
  
            buildArgs: -s mono+libs+host+packs -c $(_BuildConfig)

            nameSuffix: AllSubsets_Mono

            isOfficialBuild: ${{ variables.isOfficialBuild }}

            extraStepsTemplate: /eng/pipelines/common/upload-unsigned-artifacts-step.yml

            extraStepsTemplate: /eng/pipelines/common/upload-intermediate-artifacts-step.yml

            extraStepsParameters:

              name: MonoRuntimePacks

    @@ -151,7 +151,7 @@ stages:
  
              nameSuffix: AllSubsets_Mono_LLVMJIT

              runtimeVariant: LLVMJIT

              isOfficialBuild: ${{ variables.isOfficialBuild }}

              extraStepsTemplate: /eng/pipelines/common/upload-unsigned-artifacts-step.yml

              extraStepsTemplate: /eng/pipelines/common/upload-intermediate-artifacts-step.yml

              extraStepsParameters:

                name: MonoRuntimePacks

          #LLVMAOT

    @@ -164,7 +164,7 @@ stages:
  
              nameSuffix: AllSubsets_Mono_LLVMAOT

              runtimeVariant: LLVMAOT

              isOfficialBuild: ${{ variables.isOfficialBuild }}

              extraStepsTemplate: /eng/pipelines/common/upload-unsigned-artifacts-step.yml

              extraStepsTemplate: /eng/pipelines/common/upload-intermediate-artifacts-step.yml

              extraStepsParameters:

                name: MonoRuntimePacks

eng/pipelines/runtimelab.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -92,7 +92,7 @@ stages:
  
            extraStepsTemplate: /eng/pipelines/runtimelab/runtimelab-post-build-steps.yml

            extraStepsParameters:

              uploadLibrariesTests: ${{ eq(variables.isOfficialBuild, false) }}

              uploadUnsignedArtifacts: false

              uploadIntermediateArtifacts: false

            ${{ if eq(variables.isOfficialBuild, false) }}:

              buildArgs: -s clr+libs+libs.tests+host+packs -c $(_BuildConfig) /p:ArchiveTests=true

            ${{ if eq(variables.isOfficialBuild, true) }}:

    @@ -115,7 +115,7 @@ stages:
  
            ${{ if eq(variables.isOfficialBuild, true) }}:

              extraStepsTemplate: /eng/pipelines/runtimelab/runtimelab-post-build-steps.yml

              extraStepsParameters:

                uploadUnsignedArtifacts: true

                uploadIntermediateArtifacts: true

                isOfficialBuild: true

                librariesBinArtifactName: libraries_bin_official_allconfigurations

eng/pipelines/runtimelab/runtimelab-post-build-steps.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -9,7 +9,7 @@ parameters:
  
      isOfficialBuild: false

      uploadLibrariesTests: false

      uploadRuntimeTests: false

      uploadUnsignedArtifacts: false

      uploadIntermediateArtifacts: false

    steps:

      # Build coreclr native test output

    @@ -69,7 +69,7 @@ steps:
  
          displayName: Build Assets

      # Upload unsigned artifacts

      - ${{ if eq(parameters.uploadUnsignedArtifacts, true) }}:

        - template: /eng/pipelines/common/upload-unsigned-artifacts-step.yml

      - ${{ if eq(parameters.uploadIntermediateArtifacts, true) }}:

        - template: /eng/pipelines/common/upload-intermediate-artifacts-step.yml

          parameters:

            name: ${{ parameters.platform }}${{ parameters.nameSuffix }}

src/installer/pkg/projects/Directory.Build.props

-Original file line number
+Diff line change
@@ -1,6 +1,5 @@
     <Project>
       <Import Project="$([MSBuild]::GetPathOfFileAbove(Directory.Build.props, $(MSBuildThisFileDirectory)..))" />
-      <Import Project="Sdk.props" Sdk="Microsoft.DotNet.Build.Tasks.SharedFramework.Sdk" />
       <PropertyGroup>
         <PackagePlatform>AnyCPU</PackagePlatform>
@@ Expand Down Expand Up / @@ -46,22 +45,9 @@ @@
         <RestoreAllBuildRids Condition="'$(RestoreAllBuildRids)' == ''">true</RestoreAllBuildRids>
       </PropertyGroup>
-      <PropertyGroup>
-        <VSInsertionProductName>NetCore</VSInsertionProductName>
-        <VSInsertionCommonPrefix>VS.Redist.Common</VSInsertionCommonPrefix>
-      </PropertyGroup>
-      <!-- Most packages need the host to be built first. -->
+      <!-- Host packages need the host to be built first. -->
       <ItemGroup Condition="'$(DisableOrderDependencies)' != 'true'">
         <OrderProjectReference Include="@(CorehostProjectToBuild)" />
-        <!-- NETCoreApp depproj requires binaries (CoreCLR, Libraries, Host) to be signed. -->
-        <OrderProjectReference
-          Condition="'$(MSBuildProjectExtension)' == '.depproj'"
-          Include="$(SigningToolsDir)\SignBinaries.proj" />
-        <!-- Pkgproj requires its depproj crossgen outputs to be signed. -->
-        <OrderProjectReference
-          Condition="'$(MSBuildProjectExtension)' == '.pkgproj'"
-          Include="$(SigningToolsDir)\SignR2RBinaries.proj" />
       </ItemGroup>
       <!-- In *.proj projects, the current phase's name is the same as the project name. -->
@@ Expand Down Expand Up / @@ -168,5 +154,9 @@ @@
         <RuntimeIdentifier>$(PackageRID)</RuntimeIdentifier>
       </PropertyGroup>
+      <ItemGroup>
+        <PackageReference Include="Microsoft.DotNet.Build.Tasks.Packaging" Version="$(MicrosoftDotNetBuildTasksPackagingVersion)" PrivateAssets="all" IsImplicitlyDefined="true" />
+      </ItemGroup>
       <Import Project="$(RepoRoot)eng\native\naming.props" />
     </Project>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Signing cleanup #44658

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!