Install MicroBuild code signing plugin and set SignType = real (#1376)

.vsts/builds/ci-official.yml

@@ -18,11 +18,26 @@ phases:
   variables:
     CI: true
     DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+
+    # This variable is required by MicroBuildSigningPlugin to determine permissions for codesigning.
+    TeamName: AspNetCore
+
+    # SignType = { test, real }
+    # This is prefixed underscore because variables automatically become environment variables (and therefore MSBuild properties),
+    # and this one was causing issues in MSBuild projects which use the $(SignType) MSbuild prop.
+    _SignType: real
+
   steps:
   - task: NodeTool@0
     displayName: Install Node 10.x
     inputs:
       versionSpec: 10.x
+  - task: MicroBuildSigningPlugin@1
+    displayName: Install MicroBuild plugin
+    condition: and(succeeded(), in(variables['_SignType'], 'test', 'real'))
+    inputs:
+      signType: $(_SignType)
+      zipSources: false
   # TODO: configure build.cmd to build both x64 and x86 in one invocation
   # TODO build.cmd -ci
   - script: build.cmd /p:SkipTests=true /p:Configuration=$(BuildConfiguration) /p:BuildNumber=$(Build.BuildNumber) /t:Build /t:BuildSharedFx /p:SharedFxRID=win-x64 /t:BuildFallbackArchive
@@ -34,6 +49,7 @@ phases:
       -GitCredential '$(dn-bot-devdiv-build-rw-code-rw)'
       -Config $(BuildConfiguration)
       -BuildNumber $(Build.BuildNumber)
+      -SignType $(_SignType)
     displayName: Build ANCM installers
   # TODO: configure harvesting to run as a part of build.cmd
   - powershell: >
@@ -42,6 +58,7 @@ phases:
       -x86 artifacts/runtime/aspnetcore-runtime-internal-2.2.0-preview2-$(Build.BuildNumber)-win-x86.zip
       -Config $(BuildConfiguration)
       -BuildNumber $(Build.BuildNumber)
+      -SignType $(_SignType)
     displayName: Build Windows installers
   - task: PublishTestResults@2
     displayName: Publish test results
@@ -56,6 +73,9 @@ phases:
       pathtoPublish: ./artifacts/
       artifactName: artifacts-Windows-Release
       artifactType: Container
+  - task: MicroBuildCleanup@1
+    displayName: Cleanup MicroBuild tasks
+    condition: always()
 
 - phase: macOS
   dependsOn: Windows

eng/targets/MicroBuild.Plugin.props

@@ -1,29 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-    <PropertyGroup>
-        <!-- MicroBuild plugins can be installed in any parent directory up the tree from the project that is building.
-        The use of a sentinel file (which will be installed automatically due to package dependencies from any plugin)
-        will help us locate the plugin packages directory while being constrained to using MSBuild's intrinsic functions,
-        since we want the imports to occur at evaluation time instead of when a specific target is executing.
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <!-- Allow for the ability to override the plugin directory, for example in automated builds -->
+    <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == ''">$(MicroBuildOverridePluginDirectory)</MicroBuildPluginDirectory>
 
-        Note: All MicroBuild plugins must be installed to the same directory (under the same packages folder). If plugins
-        are installed to different directories, the plugins which are in the directories closest to the executing project
-        up the hierarchy will be discovered, and the ones higher up the tree will be ignored.
-         -->
-        <MicroBuildSentinelFile>packages\MicroBuild.Core.Sentinel.1.0.0\sentinel.txt</MicroBuildSentinelFile>
-        <MicroBuildSentinelFileV3>MicroBuild.Core.Sentinel\1.0.0\sentinel.txt</MicroBuildSentinelFileV3>
-
-        <MicroBuildPluginDirectory>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), $(MicroBuildSentinelFile)))</MicroBuildPluginDirectory>
-        <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' != ''">$(MicroBuildPluginDirectory)\packages</MicroBuildPluginDirectory>
-
-        <!-- Some people might want to put the plugin packages directly in their Nuget v3 global cache. This doesn't happen by default,
-        but we will allow for it here. We don't support nuget.config's globalPackagesFolder setting here because we don't have a good
-        way to load/parse that file with MSBuild intrinsics. We can check the other two mechanisms though, which are the %NUGET_PACKAGES%
-        environment variable and %USERPROFILE%\.nuget\packages -->
-        <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == '' and '$(NUGET_PACKAGES)' != '' and Exists('$(NUGET_PACKAGES)\$(MicroBuildSentinelFileV3)')">$(NUGET_PACKAGES)</MicroBuildPluginDirectory>
-        <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == '' and '$(USERPROFILE)' != '' and Exists('$(USERPROFILE)\.nuget\packages\$(MicroBuildSentinelFileV3)')">$(USERPROFILE)\.nuget\packages</MicroBuildPluginDirectory>
-
-        <!-- Allow for the ability to override the plugin directory, for example in automated builds -->
-        <MicroBuildPluginDirectory Condition="'$(MicroBuildOverridePluginDirectory)' != ''">$(MicroBuildOverridePluginDirectory)</MicroBuildPluginDirectory>
-    </PropertyGroup>
-</Project>
+    <!-- Some people might want to put the plugin packages directly in their Nuget v3 global cache. This doesn't happen by default, but we will allow for it here.  -->
+    <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == '' and '$(NuGetPackageRoot)' != '' ">$(NuGetPackageRoot)</MicroBuildPluginDirectory>
+    <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == '' and '$(NUGET_PACKAGES)' != '' ">$(NUGET_PACKAGES)</MicroBuildPluginDirectory>
+    <MicroBuildPluginDirectory Condition="'$(MicroBuildPluginDirectory)' == '' and '$(USERPROFILE)' != '' ">$(USERPROFILE)\.nuget\packages</MicroBuildPluginDirectory>
+  </PropertyGroup>
+</Project>

eng/targets/Wix.Common.props

@@ -22,6 +22,7 @@
   </ItemGroup>
 
   <PropertyGroup>
+    <SignOutput Condition=" '$(SignType)' != '' ">true</SignOutput>
     <DarkToolPath>$(WixExtDir)dark.exe</DarkToolPath>
   </PropertyGroup>
 

src/Installers/Windows/build.ps1

@@ -13,6 +13,7 @@ param(
     [Alias("x64")]
     [string]$Runtime64Zip,
     [string]$BuildNumber = 't000',
+    [string]$SignType = '',
 
     [string]$AccessTokenSuffix = $null,
     [string]$AssetRootUrl = $null,
@@ -80,7 +81,8 @@ try {
             "-p:SharedFrameworkHarvestRootPath=$repoRoot/obj/sfx/" `
             "-p:Configuration=$Configuration" `
             "-p:BuildNumber=$BuildNumber" `
-            -bl `
+            "-p:SignType=$SignType" `
+            "-bl:$repoRoot/artifacts/logs/installers.msbuild.binlog" `
             @msbuildArgs
     }
 }

src/Installers/Windows/clone_and_build_ancm.ps1

@@ -9,7 +9,8 @@ param(
     [string]$Configuration = 'Release',
     [string]$DepsZip,
     [string]$BuildNumber = 't000',
-    [string]$AncmSourceBranch = 'release/2.2'
+    [string]$AncmSourceBranch = 'release/2.2',
+    [string]$SignType = ''
 )
 
 $ErrorActionPreference = 'Stop'
@@ -102,7 +103,9 @@ try {
             "-p:WixTasksPath=$wixToolSetRoot\wixtasks.dll" `
             "-p:WixNativeCATargetsPath=$wixToolSetRoot\sdk\wix.nativeca.targets" `
             "-p:Configuration=$Configuration" `
-            "-p:BuildNumber=$BuildNumber"
+            "-p:BuildNumber=$BuildNumber" `
+            "-p:SignType=$SignType" `
+            "-bl:$repoRoot/artifacts/logs/ancn.msbuild.binlog"
     }
 
     $outputPath = "$repoRoot/artifacts/bin/$Configuration/installers/en-US/"