Fix code-signing for xplat packages and Windows installers (#7191)

Nate McMaster 2019-02-01 10:52:00 -08:00 committed by GitHub
parent 1dcfa6e7fd
commit 7ee3399ce2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 61 additions and 38 deletions


@ -36,6 +36,8 @@ jobs:
agentOs: Windows agentOs: Windows
buildScript: ./src/SiteExtensions/LoggingAggregate/build.cmd buildScript: ./src/SiteExtensions/LoggingAggregate/build.cmd
buildArgs: -ci -sign /p:SignType=$(_SignType) buildArgs: -ci -sign /p:SignType=$(_SignType)
installNodeJs: false
installJdk: false
jobName: SiteExtensions jobName: SiteExtensions
jobDisplayName: "Build: Azure Logging Site Extension" jobDisplayName: "Build: Azure Logging Site Extension"
artifacts: artifacts:
@ -58,19 +60,22 @@ jobs:
- script: "echo ##vso[build.addbuildtag]release-candidate" - script: "echo ##vso[build.addbuildtag]release-candidate"
condition: and(ne(variables['Build.Reason'], 'PullRequest'), eq(variables['IsFinalBuild'], 'true')) condition: and(ne(variables['Build.Reason'], 'PullRequest'), eq(variables['IsFinalBuild'], 'true'))
displayName: 'Set CI tags' displayName: 'Set CI tags'
# This is going to actually build x86 native assets
# TODO: make it possible to build for one Windows architecture at a time # TODO: make it possible to build for one Windows architecture at a time
- script: ./eng/scripts/cibuild.cmd -arch x64 /p:SignType=$(_SignType) # This is going to actually build x86 native assets
# Intentionally does not code-sign because the next step will code sign the same files.
# Skipping signing avoids duplicate sign requests.
- script: ./eng/scripts/cibuild.cmd -arch x64 /p:SignType=
displayName: Build x64 displayName: Build x64
# Build the x86 shared framework # Build the x86 shared framework
- script: ./eng/scripts/cibuild.cmd -arch x86 /t:BuildSharedFx /p:SignType=$(_SignType) # Set DisableSignCheck because we'll run sign check in an explicit step after installers build
- script: ./eng/scripts/cibuild.cmd -arch x86 /t:BuildSharedFx /p:SignType=$(_SignType) /p:DisableSignCheck=true
displayName: Build x86 displayName: Build x86
# Windows installers bundle both x86 and x64 assets # Windows installers bundle both x86 and x64 assets
- powershell: | - powershell: ./src/Installers/Windows/build.ps1 -ci /p:SignType=$(_SignType)
./src/Installers/Windows/build.ps1 `
-ci `
'/p:SignType=$(_SignType)'
displayName: Build Installers displayName: Build Installers
- script: ./build.cmd -ci -sign /t:SignCheck /p:SignType=$(_SignType)
displayName: Run signcheck
artifacts: artifacts:
- name: Windows_Packages - name: Windows_Packages
path: artifacts/packages/ path: artifacts/packages/
@ -90,8 +95,10 @@ jobs:
jobName: Windows_arm_build jobName: Windows_arm_build
jobDisplayName: "Build: Windows ARM" jobDisplayName: "Build: Windows ARM"
agentOs: Windows agentOs: Windows
buildScript: ./eng/scripts/cibuild.cmd buildScript: ./eng/scripts/cibuild.cmd -NoBuildNodeJS -NoBuildJava
buildArgs: -arch arm /p:SignType=$(_SignType) buildArgs: -arch arm /p:SignType=$(_SignType)
installNodeJs: false
installJdk: false
afterBuild: afterBuild:
# Remove packages that are not rid-specific. # Remove packages that are not rid-specific.
# TODO add a flag so builds only produce runtime packages # TODO add a flag so builds only produce runtime packages
@ -114,6 +121,7 @@ jobs:
agentOs: macOs agentOs: macOs
buildScript: ./eng/scripts/cibuild.sh buildScript: ./eng/scripts/cibuild.sh
buildArgs: --no-build-nodejs --no-build-java buildArgs: --no-build-nodejs --no-build-java
installNodeJs: false
afterBuild: afterBuild:
# Remove packages that are not rid-specific. # Remove packages that are not rid-specific.
# TODO add a flag so macOS/Linux builds only produce runtime packages # TODO add a flag so macOS/Linux builds only produce runtime packages
@ -137,6 +145,7 @@ jobs:
jobName: Linux_x64_build jobName: Linux_x64_build
jobDisplayName: "Build: Linux x64" jobDisplayName: "Build: Linux x64"
agentOs: Linux agentOs: Linux
installNodeJs: false
buildSteps: buildSteps:
- script: ./eng/scripts/cibuild.sh --arch x64 --no-build-nodejs --no-build-java - script: ./eng/scripts/cibuild.sh --arch x64 --no-build-nodejs --no-build-java
displayName: Run cibuild.sh displayName: Run cibuild.sh
@ -187,6 +196,7 @@ jobs:
agentOs: Linux agentOs: Linux
buildScript: ./eng/scripts/cibuild.sh buildScript: ./eng/scripts/cibuild.sh
buildArgs: --arch arm --no-build-nodejs --no-build-java buildArgs: --arch arm --no-build-nodejs --no-build-java
installNodeJs: false
afterBuild: afterBuild:
# Remove packages that are not rid-specific. # Remove packages that are not rid-specific.
# TODO add a flag so macOS/Linux builds only produce runtime packages # TODO add a flag so macOS/Linux builds only produce runtime packages
@ -212,6 +222,7 @@ jobs:
agentOs: Linux agentOs: Linux
buildScript: ./eng/scripts/cibuild.sh buildScript: ./eng/scripts/cibuild.sh
buildArgs: --arch arm64 --no-build-nodejs --no-build-java buildArgs: --arch arm64 --no-build-nodejs --no-build-java
installNodeJs: false
afterBuild: afterBuild:
# Remove packages that are not rid-specific. # Remove packages that are not rid-specific.
# TODO add a flag so macOS/Linux builds only produce runtime packages # TODO add a flag so macOS/Linux builds only produce runtime packages
@ -237,6 +248,7 @@ jobs:
agentOs: Linux agentOs: Linux
buildScript: ./dockerbuild.sh alpine buildScript: ./dockerbuild.sh alpine
buildArgs: --ci --pack --all -e KOREBUILD_SKIP_INSTALL_NETFX=0 --arch x64 --os-name linux-musl --no-build-nodejs --no-build-java buildArgs: --ci --pack --all -e KOREBUILD_SKIP_INSTALL_NETFX=0 --arch x64 --os-name linux-musl --no-build-nodejs --no-build-java
installNodeJs: false
afterBuild: afterBuild:
# Remove packages that are not rid-specific. # Remove packages that are not rid-specific.
# TODO add a flag so macOS/Linux builds only produce runtime packages # TODO add a flag so macOS/Linux builds only produce runtime packages
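Review bot: In the Windows build hunk (`@ -58,19 +60,22`), the new `Run signcheck` step is the only place this job verifies signatures, because the x64 step now builds with an empty `/p:SignType=` and the x86 step passes `/p:DisableSignCheck=true`, yet nothing on the step records that. A later edit that adds a condition to it, moves it, or drops it would let unsigned files reach the published `Windows_Packages` artifact without failing the build. I would add a comment above the step, e.g. `# Sole signature verification for this job: the build steps above skip it, so this must run before artifacts are published.` Separately, the empty `/p:SignType=` relies on the build treating an empty value as "do not sign". The package-signer project later on this page defaults an empty SignType to `real`, so it is worth confirming the main build does not do the same.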


@ -5,22 +5,27 @@ parameters:
jobs: jobs:
- template: default-build.yml - template: default-build.yml
parameters: parameters:
codeSign: true
dependsOn: dependsOn:
- ${{ parameters.inputName }}_build - ${{ parameters.inputName }}_build
condition: in(variables['_SignType'], 'test', 'real') condition: in(variables['_SignType'], 'test', 'real')
jobName: CodeSign_Xplat_${{ parameters.inputName }} jobName: CodeSign_Xplat_${{ parameters.inputName }}
jobDisplayName: "Code-sign ${{ parameters.inputName }} packages" jobDisplayName: "Code-sign ${{ parameters.inputName }} packages"
agentOs: Windows agentOs: Windows
beforeBuild: installNodeJs: false
installJdk: false
buildSteps:
- task: DownloadBuildArtifacts@0 - task: DownloadBuildArtifacts@0
displayName: Download ${{ parameters.inputName }} artifacts displayName: Download ${{ parameters.inputName }} artifacts
inputs: inputs:
artifactName: ${{ parameters.inputName }}_Packages artifactName: ${{ parameters.inputName }}_Packages
downloadPath: $(Build.StagingDirectory)/deps/ downloadPath: $(Build.StagingDirectory)/deps/
itemPattern: '**/*.nupkg' itemPattern: '**/*.nupkg'
buildScript: eng\tools\XplatPackageSigner\sign-packages.cmd $(Build.StagingDirectory)\deps\${{ parameters.inputName }}Packages\ - task: MSBuild@1
displayName: Code-sign .nupkg files
inputs:
solution: eng\tools\XplatPackageSigner\XplatPackageSigner.proj
msbuildArguments: /p:SignType=$(_SignType) /p:DirectoryToSign=$(Build.StagingDirectory)\deps\${{ parameters.inputName }}_Packages\
artifacts: artifacts:
- name: ${{ parameters.inputName }}_Packages_Signed - name: ${{ parameters.inputName }}_Packages_Signed
path: $(Build.StagingDirectory)\deps\${{ parameters.inputName }}Packages\ path: $(Build.StagingDirectory)\deps\${{ parameters.inputName }}_Packages\
- name: ${{ parameters.inputName }}_Logs
path: artifacts/logs/
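Review bot: The rewritten job publishes `${{ parameters.inputName }}_Packages_Signed` straight after the `MSBuild@1` signing task, with no step that checks the .nupkg files under `DirectoryToSign` actually carry a signature. The Windows job in this commit gained an explicit `Run signcheck` step for that purpose; this job has no counterpart, so it depends on the signing task itself failing whenever a package is skipped, which I cannot confirm from the hunk. If verification is not possible on this agent, a comment on the artifact entry such as `# Not sign-checked in this job; relies on the signing task failing on error.` would record the assumption. Note also that `itemPattern: '**/*.nupkg'` means every package in the upstream `_Packages` artifact is handed to the signer, so the contents of that artifact are the trust boundary for this job.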


@ -62,6 +62,8 @@ parameters:
artifacts: [] artifacts: []
buildDirectory: '' buildDirectory: ''
buildScript: '' buildScript: ''
installNodeJs: true
installJdk: true
jobs: jobs:
- job: ${{ coalesce(parameters.jobName, parameters.agentOs) }} - job: ${{ coalesce(parameters.jobName, parameters.agentOs) }}
@ -111,11 +113,12 @@ jobs:
steps: steps:
- checkout: self - checkout: self
clean: true clean: true
- ${{ if eq(parameters.installNodeJs, 'true') }}:
- task: NodeTool@0 - task: NodeTool@0
displayName: Install Node 10.x displayName: Install Node 10.x
inputs: inputs:
versionSpec: 10.x versionSpec: 10.x
- ${{ if eq(parameters.agentOs, 'Windows') }}: - ${{ if and(eq(parameters.installJdk, 'true'), eq(parameters.agentOs, 'Windows')) }}:
- powershell: ./eng/scripts/InstallJdk.ps1 '11.0.1' - powershell: ./eng/scripts/InstallJdk.ps1 '11.0.1'
displayName: Install JDK 11 displayName: Install JDK 11
- ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}: - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}:
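Review bot: The new `installNodeJs` and `installJdk` parameters in the `parameters:` hunk (`@ -62,6 +62,8`) default to `true` with no comment saying when a job should turn them off. The code-signing job in this commit sets both to `false`, and keeping tool downloads off an agent that only signs is a sensible convention to write down: `# installNodeJs / installJdk: set to false for jobs that do not build Node.js or Java code (e.g. code-signing jobs), so no extra tooling is downloaded onto the agent.` The parameter list starts above the hunk, so if the file has a documentation header for parameters, that is where this belongs.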


@ -53,6 +53,8 @@
<SignAssembly>true</SignAssembly> <SignAssembly>true</SignAssembly>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors> <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration> <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<PlatformName Condition=" '$(PlatformName)' == '' ">$(Platform)</PlatformName>
<TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('Windows'))">win</TargetOsName> <TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('Windows'))">win</TargetOsName>
<TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('OSX'))">osx</TargetOsName> <TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('OSX'))">osx</TargetOsName>
<TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('Linux'))">linux</TargetOsName> <TargetOsName Condition=" '$(TargetOsName)' == '' AND $([MSBuild]::IsOSPlatform('Linux'))">linux</TargetOsName>
@ -107,12 +109,13 @@
</ItemGroup> </ItemGroup>
<PropertyGroup Condition=" '$(OutputInRepoRoot)' == 'true' "> <PropertyGroup Condition=" '$(OutputInRepoRoot)' == 'true' ">
<BaseOutputPath>$(RepositoryRoot)bin\$(Configuration)\$(MSBuildProjectName)\</BaseOutputPath> <BaseOutputPath>$(RepositoryRoot)bin\$(MSBuildProjectName)\</BaseOutputPath>
<OutputPath>$(BaseOutputPath)</OutputPath> <OutputPath Condition=" '$(PlatformName)' == 'AnyCPU' ">$(BaseOutputPath)$(Configuration)\</OutputPath>
<OutputPath Condition=" '$(PlatformName)' != 'AnyCPU' ">$(BaseOutputPath)$(PlatformName)\$(Configuration)\</OutputPath>
<BaseIntermediateOutputPath>$(RepositoryRoot)obj\$(MSBuildProjectName)\</BaseIntermediateOutputPath> <BaseIntermediateOutputPath>$(RepositoryRoot)obj\$(MSBuildProjectName)\</BaseIntermediateOutputPath>
<IntermediateOutputPath>$(BaseIntermediateOutputPath)$(Configuration)\</IntermediateOutputPath> <IntermediateOutputPath Condition=" '$(PlatformName)' == 'AnyCPU' ">$(BaseIntermediateOutputPath)$(Configuration)\</IntermediateOutputPath>
<OutputPath Condition=" '$(AppendPlatformToOutputPath)' == 'true' AND '$(Platform)' != '' AND '$(Platform)' != 'AnyCPU' ">$(OutputPath)$(Platform)\</OutputPath> <IntermediateOutputPath Condition=" '$(PlatformName)' != 'AnyCPU' ">$(BaseIntermediateOutputPath)$(PlatformName)\$(Configuration)\</IntermediateOutputPath>
<IntermediateOutputPath Condition=" '$(AppendPlatformToOutputPath)' == 'true' AND '$(Platform)' != '' AND '$(Platform)' != 'AnyCPU' ">$(IntermediateOutputPath)$(Platform)\</IntermediateOutputPath>
</PropertyGroup> </PropertyGroup>
<!-- Defines project type conventions. --> <!-- Defines project type conventions. -->


@ -31,7 +31,6 @@
<Culture Condition=" '$(Culture)' == '' ">en-US</Culture> <Culture Condition=" '$(Culture)' == '' ">en-US</Culture>
<Cultures Condition=" '$(Cultures)' == '' ">$(Culture)</Cultures> <Cultures Condition=" '$(Cultures)' == '' ">$(Culture)</Cultures>
<InstallerPlatform>$(Platform)</InstallerPlatform> <InstallerPlatform>$(Platform)</InstallerPlatform>
<PlatformName Condition=" '$(PlatformName)' == '' ">$(Platform)</PlatformName>
<OutDir Condition=" '$(OutDir)' == '' ">$(OutputPath)</OutDir> <OutDir Condition=" '$(OutDir)' == '' ">$(OutputPath)</OutDir>
<DefineConstants>$(DefineConstants);BinPath=$(OutputPath)$(Culture)\</DefineConstants> <DefineConstants>$(DefineConstants);BinPath=$(OutputPath)$(Culture)\</DefineConstants>
<DefineConstants>$(WixVariables);$(DefineConstants)</DefineConstants> <DefineConstants>$(WixVariables);$(DefineConstants)</DefineConstants>


@ -5,7 +5,7 @@
Note: because Authenticode signing of .dll's is not something Linux and macOS can verify anyways, this signing Note: because Authenticode signing of .dll's is not something Linux and macOS can verify anyways, this signing
process only code-signs the .nupkg itself, not the contents. process only code-signs the .nupkg itself, not the contents.
--> -->
<Project DefaultTargets="AfterBuild" InitialTargets="CheckForRequiredProperties"> <Project DefaultTargets="Build" InitialTargets="CheckForRequiredProperties">
<PropertyGroup> <PropertyGroup>
<SignType>$([MSBuild]::ValueOrDefault($(SignType),'real'))</SignType> <SignType>$([MSBuild]::ValueOrDefault($(SignType),'real'))</SignType>
</PropertyGroup> </PropertyGroup>
@ -14,14 +14,14 @@
<Import Project="..\..\targets\MicroBuild.Plugin.props" Condition="'$(MicroBuildSentinelFile)' == ''" /> <Import Project="..\..\targets\MicroBuild.Plugin.props" Condition="'$(MicroBuildSentinelFile)' == ''" />
<Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.props" Condition=" '$(MicroBuildPluginDirectory)' != ''" /> <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.props" Condition=" '$(MicroBuildPluginDirectory)' != ''" />
<PropertyGroup> <PropertyGroup Condition="'$(DirectoryToSign)' != ''">
<OutDir>$(RepositoryRoot)bin\$(MSBuildProjectName)\</OutDir> <OutDir>$([MSBuild]::NormalizeDirectory($(DirectoryToSign)))</OutDir>
<IntermediateOutputPath>$(RepositoryRoot)obj\$(MSBuildProjectName)\</IntermediateOutputPath> <IntermediateOutputPath>$(RepositoryRoot)obj\$(MSBuildProjectName)\</IntermediateOutputPath>
</PropertyGroup> </PropertyGroup>
<ItemGroup Condition="'$(DirectoryToSign)' != ''"> <ItemGroup Condition="'$(OutDir)' != ''">
<SymbolsPackages Include="$([MSBuild]::NormalizeDirectory($(DirectoryToSign)))**\*.symbols.nupkg" /> <SymbolsPackages Include="$(OutDir)**\*.symbols.nupkg" />
<FilesToSign Include="$([MSBuild]::NormalizeDirectory($(DirectoryToSign)))**\*.nupkg"> <FilesToSign Include="$(OutDir)**\*.nupkg">
<Authenticode>NuGet</Authenticode> <Authenticode>NuGet</Authenticode>
</FilesToSign> </FilesToSign>
</ItemGroup> </ItemGroup>
@ -33,5 +33,6 @@
<!-- MicroBuild code-signing chains onto this target. --> <!-- MicroBuild code-signing chains onto this target. -->
<Target Name="AfterBuild" /> <Target Name="AfterBuild" />
<Target Name="Build" DependsOnTargets="AfterBuild" />
<Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition=" '$(MicroBuildPluginDirectory)' != ''" /> <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition=" '$(MicroBuildPluginDirectory)' != ''" />
</Project> </Project>
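Review bot: The `<ItemGroup>` that fills `FilesToSign` is now conditioned on `'$(OutDir)' != ''` instead of `'$(DirectoryToSign)' != ''`, so an `OutDir` that arrives from anywhere else (a global property, an imported props file, an environment variable) would select every `.nupkg` under it for signing even when `DirectoryToSign` was never passed. `CheckForRequiredProperties` runs as an initial target and may reject that case, but its body is outside the hunk, and `SignType` defaults to `real` at the top of the file. I would keep the guard on the caller-supplied property: `<ItemGroup Condition="'$(DirectoryToSign)' != ''">`. The same hunk also stops setting `IntermediateOutputPath` when `DirectoryToSign` is empty, which deserves a short comment if it is intended.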


@ -16,8 +16,6 @@
<IisOobWinSdkVersion Condition="'$(IisOobWinSdkVersion)' == ''">10.0.17134.0</IisOobWinSdkVersion> <IisOobWinSdkVersion Condition="'$(IisOobWinSdkVersion)' == ''">10.0.17134.0</IisOobWinSdkVersion>
<WindowsTargetPlatformVersion Condition="'$(WindowsTargetPlatformVersion)' == ''">$(IisOobWinSdkVersion)</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion Condition="'$(WindowsTargetPlatformVersion)' == ''">$(IisOobWinSdkVersion)</WindowsTargetPlatformVersion>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
<OutDir>bin\$(Configuration)\$(PlatformShortname)\</OutDir>
<IntDir>obj\$(Configuration)\$(PlatformShortname)\</IntDir>
</PropertyGroup> </PropertyGroup>
<!-- <!--


@ -2,7 +2,6 @@
<PropertyGroup> <PropertyGroup>
<OutputInRepoRoot>true</OutputInRepoRoot> <OutputInRepoRoot>true</OutputInRepoRoot>
<AppendPlatformToOutputPath>true</AppendPlatformToOutputPath>
</PropertyGroup> </PropertyGroup>
<Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory)..\, Directory.Build.props))\Directory.Build.props" /> <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory)..\, Directory.Build.props))\Directory.Build.props" />


@ -5,7 +5,7 @@
<PropertyGroup> <PropertyGroup>
<Name>AspNetCoreSharedFrameworkLib$(Platform)</Name> <Name>AspNetCoreSharedFrameworkLib$(Platform)</Name>
<!-- Use the internal installer name because .wixlib files are only produced so we can hand them off to the dotnet/cli repo. --> <!-- Use the internal installer name because .wixlib files are only produced so we can hand them off to the dotnet/cli repo. -->
<OutputName>$(InternalInstallerBaseName)-$(PackageVersion)-$(TargetRuntimeIdentifier)</OutputName> <OutputName>$(InternalInstallerBaseName)-$(PackageVersion)-win-$(Platform)</OutputName>
<!-- This is still marked as a 'product' because is needs to copied to artifact outputs. --> <!-- This is still marked as a 'product' because is needs to copied to artifact outputs. -->
<IsProductInstaller>true</IsProductInstaller> <IsProductInstaller>true</IsProductInstaller>
<OutputType>Library</OutputType> <OutputType>Library</OutputType>


@ -5,7 +5,9 @@ param(
[Alias("x86")] [Alias("x86")]
[string]$sharedfx86harvestroot, [string]$sharedfx86harvestroot,
[Alias("x64")] [Alias("x64")]
[string]$sharedfx64harvestroot [string]$sharedfx64harvestroot,
[Parameter(ValueFromRemainingArguments = $true)]
[string[]]$AdditionalArgs
) )
$ErrorActionPreference = 'Stop' $ErrorActionPreference = 'Stop'
@ -37,7 +39,8 @@ try {
-sign ` -sign `
-BuildInstallers ` -BuildInstallers `
"-bl:$repoRoot/artifacts/logs/installers.msbuild.binlog" ` "-bl:$repoRoot/artifacts/logs/installers.msbuild.binlog" `
@msbuildargs @msbuildargs `
@AdditionalArgs
} }
finally { finally {
Pop-Location Pop-Location
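Review bot: `$AdditionalArgs` is splatted after `@msbuildargs` into a build that runs with `-sign`, and nothing documents that it is forwarded verbatim. Because it comes last, a caller-supplied `/p:` value would, as far as I know from MSBuild's handling of repeated properties, override the same property set in `$msbuildargs`, including signing-related ones. I would add a comment above the parameter, e.g. `# Extra arguments forwarded unchanged to the inner build (placed last, so they can override values in $msbuildargs).` The `param` block and the `try` body both begin outside the hunks shown.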


@ -19,7 +19,7 @@
<Content Include="applicationHost.xdt" /> <Content Include="applicationHost.xdt" />
<Content Include="scmApplicationHost.xdt" /> <Content Include="scmApplicationHost.xdt" />
<Content Include="install.cmd" /> <Content Include="install.cmd" />
<Content Include="$(RepositoryRoot)bin\$(Configuration)\Microsoft.Web.Xdt.Extensions\net461\Microsoft.Web.Xdt.Extensions.dll" PackagePath="content" /> <Content Include="$(RepositoryRoot)bin\Microsoft.Web.Xdt.Extensions\$(Configuration)\net461\Microsoft.Web.Xdt.Extensions.dll" PackagePath="content" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>