From a0ab0964d4b8e425cbc3dd375eebf3bdbe5a4d72 Mon Sep 17 00:00:00 2001
From: Matt Mitchell <mmitche@microsoft.com>
Date: Wed, 14 Oct 2020 10:19:10 -0700
Subject: [PATCH] [release/5.0] Fix some post-build signing issues (#26506)

* Fix some post-build signing issues
This fixes some post-build signing issues that are present in the aspnetcore repo
1. Add the .msi extension to be signed by Microsoft400 - Msis must be signed. With in-build signing these get handled explicitly by the wixproj infrastructure. When we do post build signing, we must sign these files.
2. Remove the strong name exclusions. These exclusions are incorrect when applied in post-build and unnecessary for in-build signing. Most importantly, the aspnetcore PKT would not end up re-strong named (it doesn't need to be strong name signed by ESRP since it's strong named in-build) because the PKT doesn't match any of the StrongNameSignInfo specified in arcade. The rest of the entries seem to be mostly about optimization. I could not find any performance difference between these entries being present and not. I am not sure whether they actually even apply to any assets. Moreover, when doing post-build signing, they would conflict with the entries in runtime and other places.

Verification - I have a tool that I wrote which unpacks every file between two directories and compares the strong name, nuget, and authenticode certs between equivalent files. This is the same tool being used to verify post-build signing. This tool shows no difference in any aspnetcore produced asset.

Baseline: https://dev.azure.com/dnceng/internal/_build/results?buildId=836183&view=results
Diff: https://dev.azure.com/dnceng/internal/_build/results?buildId=837176&view=results

* Do not push VS packages for installers when PostBuildSign == true

* Output wix command packages to the installers output path

* Don't import microbuild signing targets from wix when PostBuildSign=true

* Tweaks:
- Don't sign wixpacks when not in post-build signing
- Generate a wixpack for both the original msi name (which the wixproj generates) AND the name we use in the final outputs. This is because while these files are the same, signing differentiates the certificate based on the file name, and wixpack lookup is also based on the file names. Aspnetcore and other repos have uses the final outputs (e.g. dotnet-aspnetcore-runtime-123.5..) as well as the internal names (e.g. AspNetCoreSharedFramework_x64.msi).
- Don't sign msi's when not post-build signing.

* Avoid generating sha512 files for wixpack zips

* Don't run xplat code sign jobs if PostBuildSign == true

* Change original target names

* Conditionalize codesign operations

* Add publishing flag for linux x64 and add deb sha512 generation

* Do not push the x64 linux runtime archive more than once
---
 .azure/pipelines/ci.yml                       | 67 ++++++++++++-------
 eng/AfterSigning.targets                      |  3 +-
 eng/Publishing.props                          | 15 +++--
 eng/Signing.props                             | 24 ++-----
 eng/targets/Cpp.Common.targets                |  2 +-
 eng/targets/Wix.Common.targets                |  5 +-
 .../ANCMIISExpressV2/AncmIISExpressV2.wixproj |  4 +-
 .../ANCMV2/AncmV2.wixproj                     |  4 +-
 .../SharedFrameworkLib.wixproj                | 10 ++-
 src/Installers/Windows/Wix.props              |  4 +-
 src/Installers/Windows/Wix.targets            | 11 ++-
 11 files changed, 84 insertions(+), 65 deletions(-)

diff --git a/.azure/pipelines/ci.yml b/.azure/pipelines/ci.yml
index 3cbd594ec3..d3d8637c41 100644
--- a/.azure/pipelines/ci.yml
+++ b/.azure/pipelines/ci.yml
@@ -32,6 +32,8 @@ variables:
   value: .NETCORE
 - name: _DotNetValidationArtifactsCategory
   value: .NETCORE
+- name: PostBuildSign
+  value: false
 - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
   - name: _BuildArgs
     value: /p:TeamName=$(_TeamName)
@@ -349,9 +351,11 @@ stages:
         includeForks: true
       - name: MacOS_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: MacOS_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: MacOS_x64
 
   # Build Linux x64
   - template: jobs/default-build.yml
@@ -369,7 +373,9 @@ stages:
             --no-build-nodejs
             --no-build-java
             -p:OnlyPackPlatformSpecificPackages=true
+            -p:AssetManifestFileName=aspnetcore-Linux_x64.xml
             $(_BuildArgs)
+            $(_PublishArgs)
             $(_InternalRuntimeDownloadArgs)
         displayName: Run build.sh
       - script: |
@@ -399,7 +405,7 @@ stages:
             -p:OnlyPackPlatformSpecificPackages=true \
             -p:BuildRuntimeArchive=false \
             -p:LinuxInstallerType=rpm \
-            -p:AssetManifestFileName=aspnetcore-Linux_x64.xml \
+            -p:AssetManifestFileName=aspnetcore-Linux_x64-installers.xml \
             $(_BuildArgs) \
             $(_PublishArgs) \
             $(_InternalRuntimeDownloadArgs)
@@ -413,9 +419,11 @@ stages:
         includeForks: true
       - name: Linux_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_x64
 
   # Build Linux ARM
   - template: jobs/default-build.yml
@@ -443,9 +451,11 @@ stages:
         includeForks: true
       - name: Linux_arm_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_arm
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_arm
 
   # Build Linux ARM64
   - template: jobs/default-build.yml
@@ -473,9 +483,11 @@ stages:
         includeForks: true
       - name: Linux_arm64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_arm64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_arm64
 
   # Build Linux Musl x64
   - template: jobs/default-build.yml
@@ -507,9 +519,11 @@ stages:
         includeForks: true
       - name: Linux_musl_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_musl_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_musl_x64
 
   # Build Linux Musl ARM64
   - template: jobs/default-build.yml
@@ -541,9 +555,11 @@ stages:
         includeForks: true
       - name: Linux_musl_arm64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_musl_arm64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_musl_arm64
 
   - ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}:
     # Test jobs
@@ -734,12 +750,13 @@ stages:
           - Windows_build
           - Windows_arm_build
           - Windows_arm64_build
-          - CodeSign_Xplat_MacOS_x64
-          - CodeSign_Xplat_Linux_x64
-          - CodeSign_Xplat_Linux_arm
-          - CodeSign_Xplat_Linux_arm64
-          - CodeSign_Xplat_Linux_musl_x64
-          - CodeSign_Xplat_Linux_musl_arm64
+          - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+            - CodeSign_Xplat_MacOS_x64
+            - CodeSign_Xplat_Linux_x64
+            - CodeSign_Xplat_Linux_arm
+            - CodeSign_Xplat_Linux_arm64
+            - CodeSign_Xplat_Linux_musl_x64
+            - CodeSign_Xplat_Linux_musl_arm64
           # In addition to the dependencies above, ensure the build was successful overall.
           - Source_Build
         pool:
diff --git a/eng/AfterSigning.targets b/eng/AfterSigning.targets
index d9205a0d56..c6a20e53b1 100644
--- a/eng/AfterSigning.targets
+++ b/eng/AfterSigning.targets
@@ -13,9 +13,10 @@
     <ItemGroup>
       <InstallerFiles Include="$(InstallersOutputPath)**\*.msi" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.exe" />
-      <InstallerFiles Include="$(InstallersOutputPath)**\*.zip" />
+      <InstallerFiles Include="$(InstallersOutputPath)**\*.zip" Exclude="$(InstallersOutputPath)**\*.wixpack.zip" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.tar.gz" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.wixlib" />
+      <InstallerFiles Include="$(InstallersOutputPath)**\*.deb" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.rpm" />
       <GenerateChecksumItems Include="%(InstallerFiles.Identity)" >
         <DestinationPath>%(FullPath).sha512</DestinationPath>
diff --git a/eng/Publishing.props b/eng/Publishing.props
index 39c3ea1f4c..3752cf44fd 100644
--- a/eng/Publishing.props
+++ b/eng/Publishing.props
@@ -50,8 +50,14 @@
     </PropertyGroup>
 
     <ItemGroup>
-      <!-- Do not push .nupkg files from Linux and macOS builds. They'll be packed up separately and signed on Windows. -->
-      <ItemsToPushToBlobFeed Remove="@(ItemsToPushToBlobFeed)" Condition="'$(OS)' != 'Windows_NT'" />
+      <!-- Do not push .nupkg files from Linux and macOS builds. They'll be packed up separately and signed on Windows.
+           Do not remove if post build sign is true, as we avoid the xplat codesign jobs, and need to have
+           the nupkgs pushed. -->
+      <ItemsToPushToBlobFeed Remove="@(ItemsToPushToBlobFeed)" Condition="'$(OS)' != 'Windows_NT' and '$(PostBuildSign)' != 'true'" />
+      <!-- Linux x64 is built in 3 stages: Build the base packages, layout, and archive. Then build deb and rpm installers.
+           The first and last segments will both publish the layout (they share artifacts). Only publish this during the first pass. -->
+      <_InstallersToPublish Remove="$(ArtifactsDir)installers\**\*.tar.gz" Condition="'$(BuildRuntimeArchive)' == 'false'" />
+      <_ChecksumsToPublish Remove="$(ArtifactsDir)installers\**\*.tar.gz.sha512" Condition="'$(BuildRuntimeArchive)' == 'false'" />
 
       <ItemsToPushToBlobFeed Include="@(_ChecksumsToPublish)">
         <PublishFlatContainer>true</PublishFlatContainer>
@@ -60,14 +66,9 @@
 
       <ItemsToPushToBlobFeed Include="@(_InstallersToPublish)">
         <IsShipping>true</IsShipping>
-        <ManifestArtifactData>ShipInstaller=dotnetcli</ManifestArtifactData>
         <PublishFlatContainer>true</PublishFlatContainer>
         <RelativeBlobPath>$(_UploadPathRoot)/%(_InstallersToPublish.UploadPathSegment)/$(_PackageVersion)/%(Filename)%(Extension)</RelativeBlobPath>
       </ItemsToPushToBlobFeed>
-
-      <!-- Set up ItemsToSign for the push task to pick up. -->
-      <ItemsToSign Remove="@(ItemsToSign)" />
-      <ItemsToSign Include="@(ItemsToSignPostBuild)" />
     </ItemGroup>
   </Target>
 </Project>
diff --git a/eng/Signing.props b/eng/Signing.props
index f35228b20f..8d59587b91 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -5,7 +5,6 @@
   <ItemGroup>
     <!-- Reset Arcade's defaults. -->
     <ItemsToSign Remove="@(ItemsToSign)" />
-    <StrongNameSignInfo Remove="@(StrongNameSignInfo)" />
     <FileExtensionSignInfo Remove="@(FileExtensionSignInfo)" />
   </ItemGroup>
 
@@ -15,6 +14,7 @@
     <CommonFilesToSign Include="$(VisualStudioSetupOutputPath)**\*.vsix" />
     <CommonFilesToSign Include="$(ArtifactsPackagesDir)**\*.jar"  />
     <CommonFilesToSign Include="$(ArtifactsDir)installers\$(Configuration)\**\*.zip" />
+    <CommonFilesToSign Remove="$(ArtifactsDir)installers\$(Configuration)\**\*.wixpack.zip" Condition="'$(PostBuildSign)' != 'true'" />
   </ItemGroup>
   <Choose>
     <!-- When post build signing is false - Sign as normal.
@@ -57,24 +57,10 @@
     <FileExtensionSignInfo Include=".vsix" CertificateName="VsixSHA2" />
     <FileExtensionSignInfo Include=".zip" CertificateName="None" />
     <FileExtensionSignInfo Include=".cab" CertificateName="None" />
-    <FileExtensionSignInfo Include=".msi" CertificateName="None" />
-
-    <!--
-      Use the PublicKeyToken of .NET assemblies to determine which authenticode cert to use.
-      'None' is required to ensure code signing does not attempt to re-sign them or submit
-      to ESPR for strong-naming signing. We don't delay sign, so we only need to authenticode sign.
-      See https://github.com/dotnet/arcade/issues/1911 for context.
-    -->
-    <!-- The AspNetCore strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="adb9793829ddae60" CertificateName="Microsoft400" />
-    <!-- The MsSharedLib72 strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="31bf3856ad364e35" CertificateName="Microsoft400" />
-    <!-- The MsftStrongName strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="b03f5f7f11d50a3a" CertificateName="Microsoft400" />
-    <!-- The MsftStrongName2 strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="b77a5c561934e089" CertificateName="Microsoft400" />
-    <!-- The MsftOpenStrongName strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="cc7b13ffcd2ddd51" CertificateName="Microsoft400" />
+    <!-- If doing post build sign, explicitly give MSIs a cert. If doing in build signing,
+         this is handled by the wix targets, and .msi should be "None" -->
+    <FileExtensionSignInfo Include=".msi" CertificateName="Microsoft400" Condition="'$(PostBuildSign)' == 'true'" />
+    <FileExtensionSignInfo Include=".msi" CertificateName="None" Condition="'$(PostBuildSign)' != 'true'" />
 
     <!-- Native .dll's. These don't have a public key token, but are from Microsoft and should be signed. -->
     <FileSignInfo Include="aspnetcore.dll" CertificateName="Microsoft400" />
diff --git a/eng/targets/Cpp.Common.targets b/eng/targets/Cpp.Common.targets
index f32f3f1821..f0b3a09f11 100644
--- a/eng/targets/Cpp.Common.targets
+++ b/eng/targets/Cpp.Common.targets
@@ -5,7 +5,7 @@
 
   <Target Name="GetVcxprojFilesToSign" BeforeTargets="SignFiles">
     <ItemGroup>
-      <FilesToSign Include="$(TargetPath)" Condition="'$(ConfigurationType)' == 'DynamicLibrary'" Authenticode="Microsoft400" />
+      <FilesToSign Include="$(TargetPath)" Condition="'$(ConfigurationType)' == 'DynamicLibrary' AND '$(PostBuildSign)' != 'true'" Authenticode="Microsoft400" />
     </ItemGroup>
   </Target>
 
diff --git a/eng/targets/Wix.Common.targets b/eng/targets/Wix.Common.targets
index 4c6d15a790..3fdb8af56d 100644
--- a/eng/targets/Wix.Common.targets
+++ b/eng/targets/Wix.Common.targets
@@ -39,5 +39,8 @@
   <Import Project="$(NuGetRestoreTargets)" />
   <Import Project="$(MSBuildProjectExtensionsPath)$(MSBuildProjectFile).*.targets" />
   <Import Project="$(WixTargetsPath)" Condition="'$(WixTargetsPath)' != '' " />
-  <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition="'$(DisableMicroBuild)' != 'true' AND '$(MicroBuildPluginDirectory)' != ''" />
+  <!-- Don't import the Microbuild signing targets when post build sign is enabled. They override the
+       standard Wix targets for signing, and call ESRP directly (rather than through SignTool). So without this,
+       ASPNetCore will sign even when PostbuildSign == true -->
+  <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition="'$(DisableMicroBuild)' != 'true' AND '$(MicroBuildPluginDirectory)' != '' AND '$(PostBuildSign)' != 'true'" />
 </Project>
diff --git a/src/Installers/Windows/AspNetCoreModule-Setup/ANCMIISExpressV2/AncmIISExpressV2.wixproj b/src/Installers/Windows/AspNetCoreModule-Setup/ANCMIISExpressV2/AncmIISExpressV2.wixproj
index 5743c4c94c..04f70e784c 100644
--- a/src/Installers/Windows/AspNetCoreModule-Setup/ANCMIISExpressV2/AncmIISExpressV2.wixproj
+++ b/src/Installers/Windows/AspNetCoreModule-Setup/ANCMIISExpressV2/AncmIISExpressV2.wixproj
@@ -7,7 +7,7 @@
     <IsShipping>true</IsShipping>
     <ProjectGuid>17c76489-4c09-4e14-b81c-7a86cd937144</ProjectGuid>
     <OutputType>Package</OutputType>
-    <OutputName>ancm_iis_express_$(Platform)_en_v2</OutputName>
+    <OutputName>$(Name)_$(Platform)</OutputName>
     <SuppressIces>ICE03</SuppressIces>
     <DisableGuidGeneration>true</DisableGuidGeneration>
     <SchemaVersion>2.0</SchemaVersion>
@@ -67,6 +67,6 @@
   <Import Project="..\build\settings.props" />
 
   <PropertyGroup>
-    <PackageFileName>$(TargetName)_$(PackageVersion)$(TargetExt)</PackageFileName>
+    <PackageFileName>ancm_iis_express_$(Platform)_en_v2_$(PackageVersion)$(TargetExt)</PackageFileName>
   </PropertyGroup>
 </Project>
diff --git a/src/Installers/Windows/AspNetCoreModule-Setup/ANCMV2/AncmV2.wixproj b/src/Installers/Windows/AspNetCoreModule-Setup/ANCMV2/AncmV2.wixproj
index 40d0692eb8..ecc897c78b 100644
--- a/src/Installers/Windows/AspNetCoreModule-Setup/ANCMV2/AncmV2.wixproj
+++ b/src/Installers/Windows/AspNetCoreModule-Setup/ANCMV2/AncmV2.wixproj
@@ -7,7 +7,7 @@
     <IsShipping>true</IsShipping>
     <ProjectGuid>f9bacb48-3bd7-4ec2-ae31-664e8703ec12</ProjectGuid>
     <OutputType>Package</OutputType>
-    <OutputName>aspnetcoremodule_$(Platform)_en_v2</OutputName>
+    <OutputName>$(Name)_$(Platform)</OutputName>
     <GenerateRandomNamespaceGuid>true</GenerateRandomNamespaceGuid>
     <SchemaVersion>2.0</SchemaVersion>
     <DisableGuidGeneration>true</DisableGuidGeneration>
@@ -55,6 +55,6 @@
   <Import Project="..\build\settings.props" />
 
   <PropertyGroup>
-    <PackageFileName>$(TargetName)_$(PackageVersion)$(TargetExt)</PackageFileName>
+    <PackageFileName>aspnetcoremodule_$(Platform)_en_v2_$(PackageVersion)$(TargetExt)</PackageFileName>
   </PropertyGroup>
 </Project>
diff --git a/src/Installers/Windows/SharedFrameworkLib/SharedFrameworkLib.wixproj b/src/Installers/Windows/SharedFrameworkLib/SharedFrameworkLib.wixproj
index ec1867056b..834b155055 100644
--- a/src/Installers/Windows/SharedFrameworkLib/SharedFrameworkLib.wixproj
+++ b/src/Installers/Windows/SharedFrameworkLib/SharedFrameworkLib.wixproj
@@ -43,13 +43,19 @@
 
   <!-- Overwrite the wix package drop creation target to create a lit
        package instead. -->
-  <Target Name="CreateWixPackageDrop" AfterTargets="Build">
+  <Target Name="CreateWixPackageDrop" AfterTargets="CopyToArtifactsDirectory">
+    <ItemGroup>
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(OutputName).wixlib" />
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(PackageFileName)"
+        Condition=" '$(SkipCopyToArtifactsDirectory)' != 'true' " />
+    </ItemGroup>
+
     <CreateLitCommandPackageDrop
       LitCommandWorkingDir="$(WixCommandObjDir)"
       OutputFolder="$(WixCommandPackagesDir)"
       WixExtensions="@(WixExtension)"
       Bf="true"
-      InstallerFile="$(InstallersOutputPath)$(OutputName).wixlib"
+      InstallerFile="%(WixInstallerFilesToProcess.Identity)"
       WixSrcFiles="@(CompileObjOutput);@(WixObject);@(WixLibProjects);@(WixLibrary)">
       <Output TaskParameter="OutputFile" PropertyName="_LitCommandPackageNameOutput" />
     </CreateLitCommandPackageDrop>
diff --git a/src/Installers/Windows/Wix.props b/src/Installers/Windows/Wix.props
index b3ad64d7ad..a39ef024cd 100644
--- a/src/Installers/Windows/Wix.props
+++ b/src/Installers/Windows/Wix.props
@@ -32,8 +32,8 @@
   <PropertyGroup>
     <!-- Directory for the unzipped directory -->
     <WixCommandObjDir>$(ArtifactsObjDir)/WixCommandPackages</WixCommandObjDir>
-    <!-- Directory for the zipped up light/lit command package -->
-    <WixCommandPackagesDir>$(ArtifactsNonShippingPackagesDir)</WixCommandPackagesDir>
+    <!-- Directory for the zipped up wixpack command package -->
+    <WixCommandPackagesDir>$(InstallersOutputPath)</WixCommandPackagesDir>
   </PropertyGroup>
 
 </Project>
diff --git a/src/Installers/Windows/Wix.targets b/src/Installers/Windows/Wix.targets
index 8c84c8b3e8..07c4e8db73 100644
--- a/src/Installers/Windows/Wix.targets
+++ b/src/Installers/Windows/Wix.targets
@@ -32,7 +32,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="$(MicrosoftDotNetBuildTasksInstallersPackageVersion)" />
   </ItemGroup>
-  
+
   <PropertyGroup>
     <MicrosoftDotNetBuildTasksInstallersTaskAssembly Condition="'$(MSBuildRuntimeType)' == 'Core'">$(NuGetPackageRoot)microsoft.dotnet.build.tasks.installers\$(MicrosoftDotNetBuildTasksInstallersPackageVersion)\tools\netcoreapp2.1\Microsoft.DotNet.Build.Tasks.Installers.dll</MicrosoftDotNetBuildTasksInstallersTaskAssembly>
     <MicrosoftDotNetBuildTasksInstallersTaskAssembly Condition="'$(MSBuildRuntimeType)' != 'Core'">$(NuGetPackageRoot)microsoft.dotnet.build.tasks.installers\$(MicrosoftDotNetBuildTasksInstallersPackageVersion)\tools\net472\Microsoft.DotNet.Build.Tasks.Installers.dll</MicrosoftDotNetBuildTasksInstallersTaskAssembly>
@@ -89,14 +89,19 @@
     <Copy SourceFiles="@(_cabs)" DestinationFolder="$(InstallersOutputPath)" />
   </Target>
 
-  <Target Name="CreateWixPackageDrop" AfterTargets="Build">
+  <Target Name="CreateWixPackageDrop" AfterTargets="CopyToArtifactsDirectory">
     <MakeDir Directories="$(WixCommandPackagesDir)" />
+    <ItemGroup>
+      <WixInstallerFilesToProcess Include="$(TargetPath)" />
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(PackageFileName)"
+        Condition=" '$(IsShipping)' == 'true' AND '$(SkipCopyToArtifactsDirectory)' != 'true' " />
+    </ItemGroup>
     <CreateLightCommandPackageDrop
       LightCommandWorkingDir="$(WixCommandObjDir)"
       OutputFolder="$(WixCommandPackagesDir)"
       NoLogo="true"
       Cultures="en-us"
-      InstallerFile="$(InstallersOutputPath)$(PackageFileName)"
+      InstallerFile="%(WixInstallerFilesToProcess.Identity)"
       AdditionalBasePaths="$(MSBuildProjectDirectory)"
       WixExtensions="@(WixExtension)"
       Loc="@(EmbeddedResource)"