Run code sign of packages before Windows installers are built, and run SignCheck in a separate step

.azure/pipelines/ci.yml

@@ -63,14 +63,20 @@ jobs:
     - script: ./build.cmd -ci -sign -forceCoreMsbuild /p:DisableCodeSigning=true -projects ./src/SiteExtensions/LoggingAggregate/src/Microsoft.AspNetCore.AzureAppServices.SiteExtension/Microsoft.AspNetCore.AzureAppServices.SiteExtension.csproj
       displayName: Build SiteExtension
 
+    # This runs code-signing on all packages, zips, and jar files as defined in build/CodeSign.targets. If https://github.com/dotnet/arcade/issues/1957 is resolved,
+    # consider running code-signing inline with the other previous steps.
+    # Sign check is disabled because it is run in a separate step below, after installers are built.
+    - script: ./build.cmd -ci -sign /t:CodeSign /p:SignType=$(_SignType) /p:DisableSignCheck=true
+      displayName: Code sign packages
+
     # Windows installers bundle both x86 and x64 assets
     - powershell: ./src/Installers/Windows/build.ps1 -ci /p:SignType=$(_SignType)
       displayName: Build Installers
 
-    # This runs code-signing on all outputs as defined in build/CodeSign.targets. If https://github.com/dotnet/arcade/issues/1957 is resolved,
-    # consider running code-signing inline with the other previous steps.
-    - script: ./build.cmd -ci -sign /t:CodeSign /t:SignCheck /p:SignType=$(_SignType)
-      displayName: Code sign packages
+    # Run sign check to verify everything was code signed.
+    - script: ./build.cmd -ci -sign /t:SignCheck /p:SignType=$(_SignType)
+      displayName: Run sign check
+      condition: eq(variables['_SignType'], 'real')
     artifacts:
     - name: Windows_Packages
       path: artifacts/packages/