From 7ee3399ce2ac4eaf677b176dc4d9a12da68b5ba6 Mon Sep 17 00:00:00 2001
From: Nate McMaster
Date: Fri, 1 Feb 2019 10:52:00 -0800
Subject: [PATCH] Fix code-signing for xplat packages and Windows installers (#7191)
---
 .azure/pipelines/ci.yml | 28 +++++++++++++------
 .azure/pipelines/jobs/codesign-xplat.yml | 15 ++++++----
 .azure/pipelines/jobs/default-build.yml | 13 +++++----
 Directory.Build.props | 13 +++++----
 eng/targets/Wix.Common.targets | 1 -
 .../XplatPackageSigner.proj | 13 +++++----
 .../build/settings/common.props | 4 +--
 src/Installers/Windows/Directory.Build.props | 1 -
 .../SharedFrameworkLib.wixproj | 2 +-
 src/Installers/Windows/build.ps1 | 7 +++--
 ...t.AspNetCore.Runtime.SiteExtension.pkgproj | 2 +-
 11 files changed, 61 insertions(+), 38 deletions(-)
diff --git a/.azure/pipelines/ci.yml b/.azure/pipelines/ci.yml
index c05e880ec8..bdebce016c 100644
--- a/.azure/pipelines/ci.yml
+++ b/.azure/pipelines/ci.yml
@@ -36,6 +36,8 @@ jobs:
 agentOs: Windows
 buildScript: ./src/SiteExtensions/LoggingAggregate/build.cmd
 buildArgs: -ci -sign /p:SignType=$(_SignType)
+ installNodeJs: false
+ installJdk: false
 jobName: SiteExtensions
 jobDisplayName: "Build: Azure Logging Site Extension"
 artifacts:
@@ -58,19 +60,22 @@ jobs:
 - script: "echo ##vso[build.addbuildtag]release-candidate"
 condition: and(ne(variables['Build.Reason'], 'PullRequest'), eq(variables['IsFinalBuild'], 'true'))
 displayName: 'Set CI tags'
- # This is going to actually build x86 native assets
 # TODO: make it possible to build for one Windows architecture at a time
- - script: ./eng/scripts/cibuild.cmd -arch x64 /p:SignType=$(_SignType)
+ # This is going to actually build x86 native assets
+
+ # Intentionally does not code-sign because the next step will code sign the same files.
+ # Skipping signing avoids duplicate sign requests.
+ - script: ./eng/scripts/cibuild.cmd -arch x64 /p:SignType=
 displayName: Build x64
 # Build the x86 shared framework
- - script: ./eng/scripts/cibuild.cmd -arch x86 /t:BuildSharedFx /p:SignType=$(_SignType)
+ # Set DisableSignCheck because we'll run sign check in an explicit step after installers build
+ - script: ./eng/scripts/cibuild.cmd -arch x86 /t:BuildSharedFx /p:SignType=$(_SignType) /p:DisableSignCheck=true
 displayName: Build x86
 # Windows installers bundle both x86 and x64 assets
- - powershell: |
- ./src/Installers/Windows/build.ps1 `
- -ci `
- '/p:SignType=$(_SignType)'
+ - powershell: ./src/Installers/Windows/build.ps1 -ci /p:SignType=$(_SignType)
 displayName: Build Installers
+ - script: ./build.cmd -ci -sign /t:SignCheck /p:SignType=$(_SignType)
+ displayName: Run signcheck
 artifacts:
 - name: Windows_Packages
 path: artifacts/packages/
@@ -90,8 +95,10 @@ jobs:
 jobName: Windows_arm_build
 jobDisplayName: "Build: Windows ARM"
 agentOs: Windows
- buildScript: ./eng/scripts/cibuild.cmd
+ buildScript: ./eng/scripts/cibuild.cmd -NoBuildNodeJS -NoBuildJava
 buildArgs: -arch arm /p:SignType=$(_SignType)
+ installNodeJs: false
+ installJdk: false
 afterBuild:
 # Remove packages that are not rid-specific.
 # TODO add a flag so builds only produce runtime packages
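Review bot: The comment added above the x64 build (`# Intentionally does not code-sign because the next step will code sign the same files.`) points at the wrong step: the next step is the x86 `BuildSharedFx` build, while the step that appears to re-sign these files is the installer build further down (`build.ps1 -ci /p:SignType=$(_SignType)`, whose build invocation passes `-sign`), so I would reword it to `# Intentionally not signed here: the Build Installers step below code-signs the same files.`. With `/p:SignType=` left empty on x64 and `/p:DisableSignCheck=true` on x86, the new `Run signcheck` step becomes the only gate that detects an unsigned artifact slipping through, so it should stay a failing step (no continueOnError) and it is worth a comment stating which outputs it is expected to cover. The `steps:` list these lines belong to begins before the hunk.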
@@ -114,6 +121,7 @@ jobs:
 agentOs: macOs
 buildScript: ./eng/scripts/cibuild.sh
 buildArgs: --no-build-nodejs --no-build-java
+ installNodeJs: false
 afterBuild:
 # Remove packages that are not rid-specific.
 # TODO add a flag so macOS/Linux builds only produce runtime packages
@@ -137,6 +145,7 @@ jobs:
 jobName: Linux_x64_build
 jobDisplayName: "Build: Linux x64"
 agentOs: Linux
+ installNodeJs: false
 buildSteps:
 - script: ./eng/scripts/cibuild.sh --arch x64 --no-build-nodejs --no-build-java
 displayName: Run cibuild.sh
@@ -187,6 +196,7 @@ jobs:
 agentOs: Linux
 buildScript: ./eng/scripts/cibuild.sh
 buildArgs: --arch arm --no-build-nodejs --no-build-java
+ installNodeJs: false
 afterBuild:
 # Remove packages that are not rid-specific.
 # TODO add a flag so macOS/Linux builds only produce runtime packages
@@ -212,6 +222,7 @@ jobs:
 agentOs: Linux
 buildScript: ./eng/scripts/cibuild.sh
 buildArgs: --arch arm64 --no-build-nodejs --no-build-java
+ installNodeJs: false
 afterBuild:
 # Remove packages that are not rid-specific.
 # TODO add a flag so macOS/Linux builds only produce runtime packages
@@ -237,6 +248,7 @@ jobs:
 agentOs: Linux
 buildScript: ./dockerbuild.sh alpine
 buildArgs: --ci --pack --all -e KOREBUILD_SKIP_INSTALL_NETFX=0 --arch x64 --os-name linux-musl --no-build-nodejs --no-build-java
+ installNodeJs: false
 afterBuild:
 # Remove packages that are not rid-specific.
 # TODO add a flag so macOS/Linux builds only produce runtime packages
diff --git a/.azure/pipelines/jobs/codesign-xplat.yml b/.azure/pipelines/jobs/codesign-xplat.yml
index d0b3d914cf..ca6897f364 100644
--- a/.azure/pipelines/jobs/codesign-xplat.yml
+++ b/.azure/pipelines/jobs/codesign-xplat.yml
@@ -5,22 +5,27 @@ parameters:
 jobs:
 - template: default-build.yml
 parameters:
+ codeSign: true
 dependsOn:
 - ${{ parameters.inputName }}_build
 condition: in(variables['_SignType'], 'test', 'real')
 jobName: CodeSign_Xplat_${{ parameters.inputName }}
 jobDisplayName: "Code-sign ${{ parameters.inputName }} packages"
 agentOs: Windows
- beforeBuild:
+ installNodeJs: false
+ installJdk: false
+ buildSteps:
 - task: DownloadBuildArtifacts@0
 displayName: Download ${{ parameters.inputName }} artifacts
 inputs:
 artifactName: ${{ parameters.inputName }}_Packages
 downloadPath: $(Build.StagingDirectory)/deps/
 itemPattern: '**/*.nupkg'
- buildScript: eng\tools\XplatPackageSigner\sign-packages.cmd $(Build.StagingDirectory)\deps\${{ parameters.inputName }}Packages\
+ - task: MSBuild@1
+ displayName: Code-sign .nupkg files
+ inputs:
+ solution: eng\tools\XplatPackageSigner\XplatPackageSigner.proj
+ msbuildArguments: /p:SignType=$(_SignType) /p:DirectoryToSign=$(Build.StagingDirectory)\deps\${{ parameters.inputName }}_Packages\
 artifacts:
 - name: ${{ parameters.inputName }}_Packages_Signed
- path: $(Build.StagingDirectory)\deps\${{ parameters.inputName }}Packages\
- - name: ${{ parameters.inputName }}_Logs
- path: artifacts/logs/
+ path: $(Build.StagingDirectory)\deps\${{ parameters.inputName }}_Packages\
diff --git a/.azure/pipelines/jobs/default-build.yml b/.azure/pipelines/jobs/default-build.yml
index ab728158b3..cfa5a70916 100644
--- a/.azure/pipelines/jobs/default-build.yml
+++ b/.azure/pipelines/jobs/default-build.yml
@@ -62,6 +62,8 @@ parameters:
 artifacts: []
 buildDirectory: ''
 buildScript: ''
+ installNodeJs: true
+ installJdk: true
 jobs:
 - job: ${{ coalesce(parameters.jobName, parameters.agentOs) }}
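Review bot: The signing job now publishes no log at all: the `${{ parameters.inputName }}_Logs` artifact (`artifacts/logs/`) is dropped and the new `MSBuild@1` step is invoked without a binary log, so after a `real` sign there is no retained record of which .nupkg files under `DirectoryToSign` were signed or with what settings. Since this is the step that applies production signatures, I would add a binlog to `msbuildArguments`, e.g. `/bl:$(Build.StagingDirectory)/logs/xplat-sign.binlog`, and publish that directory as an artifact the way the other jobs keep `artifacts/logs/`. Whether `XplatPackageSigner.proj` itself writes a log elsewhere is not visible from this hunk.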
@@ -111,11 +113,12 @@ jobs:
 steps:
 - checkout: self
 clean: true
- - task: NodeTool@0
- displayName: Install Node 10.x
- inputs:
- versionSpec: 10.x
- - ${{ if eq(parameters.agentOs, 'Windows') }}:
+ - ${{ if eq(parameters.installNodeJs, 'true') }}:
+ - task: NodeTool@0
+ displayName: Install Node 10.x
+ inputs:
+ versionSpec: 10.x
+ - ${{ if and(eq(parameters.installJdk, 'true'), eq(parameters.agentOs, 'Windows')) }}:
 - powershell: ./eng/scripts/InstallJdk.ps1 '11.0.1'
 displayName: Install JDK 11
 - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}:
diff --git a/Directory.Build.props b/Directory.Build.props
index 1ba0f1b9b5..406abcec72 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -53,6 +53,8 @@ true true Debug + AnyCPU + $(Platform) win osx linux
@@ -107,12 +109,13 @@ - $(RepositoryRoot)bin\$(Configuration)\$(MSBuildProjectName)\ - $(BaseOutputPath) + $(RepositoryRoot)bin\$(MSBuildProjectName)\ + $(BaseOutputPath)$(Configuration)\ + $(BaseOutputPath)$(PlatformName)\$(Configuration)\ + $(RepositoryRoot)obj\$(MSBuildProjectName)\ - $(BaseIntermediateOutputPath)$(Configuration)\ - $(OutputPath)$(Platform)\ - $(IntermediateOutputPath)$(Platform)\ + $(BaseIntermediateOutputPath)$(Configuration)\ + $(BaseIntermediateOutputPath)$(PlatformName)\$(Configuration)\
diff --git a/eng/targets/Wix.Common.targets b/eng/targets/Wix.Common.targets
index 7ff9e39fd6..4c6d15a790 100644
--- a/eng/targets/Wix.Common.targets
+++ b/eng/targets/Wix.Common.targets
@@ -31,7 +31,6 @@ en-US $(Culture) $(Platform) - $(Platform) $(OutputPath) $(DefineConstants);BinPath=$(OutputPath)$(Culture)\ $(WixVariables);$(DefineConstants)
diff --git a/eng/tools/XplatPackageSigner/XplatPackageSigner.proj b/eng/tools/XplatPackageSigner/XplatPackageSigner.proj
index 6efe7e2eab..bde2dc9a28 100644
--- a/eng/tools/XplatPackageSigner/XplatPackageSigner.proj
+++ b/eng/tools/XplatPackageSigner/XplatPackageSigner.proj
@@ -5,7 +5,7 @@ Note: because Authenticode signing of .dll's is not something Linux and macOS can verify anyways, this signing process only code-signs the .nupkg itself, not the contents. --> - + $([MSBuild]::ValueOrDefault($(SignType),'real'))
@@ -14,14 +14,14 @@ - - $(RepositoryRoot)bin\$(MSBuildProjectName)\ + + $([MSBuild]::NormalizeDirectory($(DirectoryToSign))) $(RepositoryRoot)obj\$(MSBuildProjectName)\ - - - + + + NuGet
@@ -33,5 +33,6 @@ +
diff --git a/src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props b/src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props
index 3dfffe943f..31d8887719 100644
--- a/src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props
+++ b/src/Installers/Windows/AspNetCoreModule-Setup/build/settings/common.props
@@ -16,8 +16,6 @@ 10.0.17134.0 $(IisOobWinSdkVersion) Unicode - bin\$(Configuration)\$(PlatformShortname)\ - obj\$(Configuration)\$(PlatformShortname)\ - $(InternalInstallerBaseName)-$(PackageVersion)-$(TargetRuntimeIdentifier) + $(InternalInstallerBaseName)-$(PackageVersion)-win-$(Platform) true Library
diff --git a/src/Installers/Windows/build.ps1 b/src/Installers/Windows/build.ps1
index 0f41b2b0b0..e9cff09674 100644
--- a/src/Installers/Windows/build.ps1
+++ b/src/Installers/Windows/build.ps1
@@ -5,7 +5,9 @@ param(
 [Alias("x86")]
 [string]$sharedfx86harvestroot,
 [Alias("x64")]
- [string]$sharedfx64harvestroot
+ [string]$sharedfx64harvestroot,
+ [Parameter(ValueFromRemainingArguments = $true)]
+ [string[]]$AdditionalArgs
 )
 $ErrorActionPreference = 'Stop'
@@ -37,7 +39,8 @@ try {
 -sign `
 -BuildInstallers `
 "-bl:$repoRoot/artifacts/logs/installers.msbuild.binlog" `
- @msbuildargs
+ @msbuildargs `
+ @AdditionalArgs
 }
 finally {
 Pop-Location
diff --git a/src/SiteExtensions/Runtime/Microsoft.AspNetCore.Runtime.SiteExtension.pkgproj b/src/SiteExtensions/Runtime/Microsoft.AspNetCore.Runtime.SiteExtension.pkgproj
index 810c8e5874..3bdae26009 100644
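Review bot: The signing project now takes its input folder from `DirectoryToSign` (normalized via `$([MSBuild]::NormalizeDirectory($(DirectoryToSign)))`), but nothing visible in these hunks fails the build when that property is empty, points at a directory that does not exist, or yields no .nupkg items; an empty match would let the code-sign job succeed while signing nothing, which is the failure mode the old mismatched `...Packages\` path in codesign-xplat.yml seems to have produced. I would add a guard ahead of the sign step, e.g. `<Error Condition="'$(DirectoryToSign)' == '' OR !Exists('$(DirectoryToSign)')" Text="DirectoryToSign must be an existing directory" />`, plus an `<Error>` when the package item group is empty. The element and item names are stripped in this rendering of the hunks, so the exact names to check against are in the file.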
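Review bot: `[Parameter(ValueFromRemainingArguments = $true)] [string[]]$AdditionalArgs` turns every unbound token into a forwarded build argument, so a mistyped switch (say `-sharedfx64harvestroot` misspelled) no longer fails parameter binding but is passed straight through, and because it is splatted after the script's own `-sign` and `-bl:` arguments a caller can silently override what the script sets. I would document the parameter in the script's comment-based help and constrain its shape, e.g. `[ValidatePattern('^[/-][A-Za-z]+(:|$)')]` on the array, so only switch-style arguments pass through. The `param(` block of the first hunk and the `try {` block of the second both start outside their hunks.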
--- a/src/SiteExtensions/Runtime/Microsoft.AspNetCore.Runtime.SiteExtension.pkgproj
+++ b/src/SiteExtensions/Runtime/Microsoft.AspNetCore.Runtime.SiteExtension.pkgproj
@@ -19,7 +19,7 @@ - +