13 Commits

Author SHA1 Message Date
Matt Mitchell a0ab0964d4
[release/5.0] Fix some post-build signing issues (#26506)
* Fix some post-build signing issues
This fixes some post-build signing issues that are present in the aspnetcore repo
1. Add the .msi extension to be signed by Microsoft400 - Msis must be signed. With in-build signing these get handled explicitly by the wixproj infrastructure. When we do post build signing, we must sign these files.
2. Remove the strong name exclusions. These exclusions are incorrect when applied in post-build and unnecessary for in-build signing. Most importantly, the aspnetcore PKT would not end up re-strong named (it doesn't need to be strong name signed by ESRP since it's strong named in-build) because the PKT doesn't match any of the StrongNameSignInfo specified in arcade. The rest of the entries seem to be mostly about optimization. I could not find any performance difference between these entries being present and not. I am not sure whether they actually even apply to any assets. Moreover, when doing post-build signing, they would conflict with the entries in runtime and other places.

Verification - I have a tool that I wrote which unpacks every file between two directories and compares the strong name, nuget, and authenticode certs between equivalent files. This is the same tool being used to verify post-build signing. This tool shows no difference in any aspnetcore produced asset.

Baseline: https://dev.azure.com/dnceng/internal/_build/results?buildId=836183&view=results
Diff: https://dev.azure.com/dnceng/internal/_build/results?buildId=837176&view=results

* Do not push VS packages for installers when PostBuildSign == true

* Output wix command packages to the installers output path

* Don't import microbuild signing targets from wix when PostBuildSign=true

* Tweaks:
- Don't sign wixpacks when not in post-build signing
- Generate a wixpack for both the original msi name (which the wixproj generates) AND the name we use in the final outputs. This is because while these files are the same, signing differentiates the certificate based on the file name, and wixpack lookup is also based on the file names. Aspnetcore and other repos have uses of the final outputs (e.g. dotnet-aspnetcore-runtime-123.5..) as well as the internal names (e.g. AspNetCoreSharedFramework_x64.msi).
- Don't sign msi's when not post-build signing.

* Avoid generating sha512 files for wixpack zips

* Don't run xplat code sign jobs if PostBuildSign == true

* Change original target names

* Conditionalize codesign operations

* Add publishing flag for linux x64 and add deb sha512 generation

* Do not push the x64 linux runtime archive more than once
2020-10-14 10:19:10 -07:00
Matt Mitchell b1b3d5474f
Enable PostBuildSign flag and include signing information in the manifest (#26033)
This change is prep for post build signing. When PostBuildSign=true, signing is not performed during the build. Instead, pass the top-level artifacts that are signable to PushToAzureDevOpsArtifacts (via Publish.proj).
Also fix up ArtifactsDir. As far as I can tell, it's been fixed up in Arcade to always include the trailing \, and Publish.proj should no longer be messed up.
2020-09-18 11:07:42 -07:00
Doug Bunting 3dd75ea18d
Grab some binary logs (#22380)
* Grab binary logs for main Windows and Linux jobs
- in the Windows case, do not do this in official builds (logging slows build down)

nit: do not set variables with only two values three times

* Do not sign twice in Windows Code-sign build step

nit: correct wording in Signing.props

* !fixup! Don't grab the large x86 binary log
2020-08-11 07:10:27 +00:00
Doug Bunting 54722a52b6
A quick collection of quick fixes (#20993)
* Quick fix: Simplify devBuilds.yml
  - remove an excess build step

* Quick fix: Move `SetupNugetSources` script invocations above `parameters.beforeBuild`
  - ensure NuGet.config is ready for all internal builds
  - remove now-duplicate `SetupNugetSources` invocations wherever default-build.yml is used

* Quick fix: Clean up SiteExtensions/build.cmd
  - quote all rooted paths
  - check `%ERRORLEVEL%` after every `CALL`
  - nits:
    - add a few more `ECHO` commands
    - wrap long lines

* Quick fix: Ensure `$(BuildNative)` is always set correctly
  - fix problems using `-all` or `/p:BuildAllProjects=true` without `-buildNative`
    - ensure `$(BuildNative)` is `false` where it's not supported
  - move some duplicated settings into eng/Common.props and `<Import />` the new file
  - remove now-duplicated parts of conditions using `$(BuildNative)`

* Quick fix: Consistently use `--build-*`
  - avoid `/p:Build*`  on the command line (except with eng/scripts/ci-source-build.sh)
  - nits:
    - remove now-useless `-buildNative` with `-all`
    - expand and correct a couple of related comments and messages

* Quick fix: Support `-all` together with `-projects`
  - remove need to specify `/p:BuildAllProjects=true`
  - nit: simplify some Boolean logic
2020-04-25 18:39:19 -07:00
John Luo 9f56862320
Build aspnetcore for win-arm64 (#19317)
* Build for win-arm64

* Missed file

* Disable Selenium tests on arm64

* Include installers in the uploaded artifacts
2020-03-06 14:47:29 -08:00
Doug Bunting 04705ee4f1
Use stages pipeline (#13040)
- #11924
- change ci.yml to use stages and post-build.yml
  - add use of publish-build-assets.yml and post-build.yml
  - create manifests and push to artifacts in last build step of each job
    - pass more MSBuild properties into those builds
    - use Arcade to publish installers
  - use distinct `$(AssetManifestFileName)` values per job
    - set global property to override what's hard-coded in Publish.proj
- change codesign-xplat.yml to use empty.proj and normal Arcade signing and publication process
  - remove XPlatPackageSigner.proj
- change default-build.yml to use job.yml
  - remove unused parameters e.g. `matrix`, `poolName`, `variables`
  - use `enableMicrobuild` and `enablePublishTestResults` to eliminate duplicate build steps
- add .dll's and .exe's as files to sign w/ Microsoft400
  - add signcheck exclusions
- remove custom manifest generation i.e. the `GenerateBuildAssetManifest` target and related artifacts
- update docker infrastructure to use same paths in and out of the container
  - avoids problems adding to artifacts from within the builds
- correct typo in build.sh
- use `$env:DOTNET_INSTALL_DIR` in `DotNetCommands`
  - relax expectations that an arch-specific folder exists under (say) `$env:DOTNET_HOME`
  - avoids need to define `$env:DOTNET_HOME` in all jobs on CI
- update dependencies from dotnet/arcade build '20190908.2'
  - upgrade to e.g. Arcade SDK '1.0.0-beta.19458.2' package version
  - pick up dotnet/arcade@dd593acc8b fix
    - enable use of `%(PublishFlatContainer)` metadata and correct signing validation issues
- use `$(DotNetFinalVersionKind)` in preparation for servicing builds
  - set `$(IsStableBuild)` for use in Arcade infrastructure
- disable signing validation for now (see #13864)

nits:
- upload logs in first artifact
- remove attempts to package non-existent VSIX
  - follow-up to 29cf7ecb80
- respect verbosity setting in build.sh
- add more information to Artifacts.md
- enable test signing in internal PRs
2019-09-10 20:43:24 -07:00
John Luo e773036ec6
Update Microsoft.Data.SqlClient version (#13530)
2019-08-30 03:56:53 -07:00
Ryan Brandenburg 0d24bc27eb
Microsoft.dotnet-openapi is a shipping package (#13481)
Microsoft.dotnet-openapi is a shipping package
2019-08-28 11:43:41 -07:00
Ryan Brandenburg cfcffd8251
OpenAPI ServiceReference Tool (#12810)
Add ServiceReference tool
2019-08-22 11:16:16 -07:00
Andrew Stanton-Nurse 4928eb3de0
fix #12445 by migrating dotnet-sql-cache to new SqlClient (#12447)
2019-07-23 14:40:18 -07:00
Justin Kotalik 0274aceaee
Generate .nupkg files that contain aspnetcore-runtime MSI for insertion into Visual Studio (#11345)
2019-06-25 13:41:16 -07:00
John Luo 6761dec9c6
Sign Windows zips (#11466)
2019-06-22 19:44:09 -07:00
Nate McMaster 4fde84a7ad
Replace KoreBuild with Arcade (#11122)
* Replace usages of $(CI) with $(ContinuousIntegrationBuild)

* Move RepoTasks to eng/tools/

* Remove dead code

* Update build.sh/ps1 to invoke Arcade instead of KoreBuild

* build/repo.props => eng/Build.props

* build/CodeSign.{props,targets} => eng/Signing.props

* build/repo.targets => eng/Build.props, eng/CodeGen.proj, and eng/AfterSolutionBuild.targets

* Remove AddAllProjectRefsToSolution.ps1

* Put selenium process tracking into artifacts/tmp/

* build/docker => eng/docker

* Move content from korebuild.json to global.json

* Remove cibuild.{sh,cmd} and update ci.yml

* Ensure vswhere detects BuildTools installations

* Remove sign check exclusions (Arcade does not support)

* list VS required components in global.json

* Update CodeCheck.ps1

* Update arcade (#11143)

* Fixups to broken build

* capture test results in xunit form
* attempt to fix code check
* restore before linux build
* remove duplicate signinfos

* More build fixes

* exclude node_modules from unique project check
* fixup signing props

* More build fixes

* Remove unused NoWarns
* Skip building site extension
* Suppress xunit color in console output
* Install x86 runtime

* Run KillProcesses.ps1 at end of build on CI

* activate env vars in codecheck.ps1

* Fix signing and generate build manifests

* Fixup code check and linux installers build

* Remove custom restore targets

* Import flaky test props

* Restore original manifest generation code and set warnAsErrors=false

* Always restore the toolset

* More attempts at build fixes

* run restore before building deb/rpm packages
* pre-install Yarn.MSBuild
* Remove WIX workaround

* Attempt to fix RPM installers and x86 build

* Fix helix tests, java auto-detection, and code gen steps

* Globally disable MSBuild node reuse and capture MSBuild crash logs

* Cleanup build invocation for installers

* Set max time on xunit tests to 15 min

* Update helix-test.yml

* Fix Hosting tests

* Fix TestHost

* Fix Negotiate.Test

* Fix Mvc tests

* Capture results

* Fix Hosting tests

* Fix Kestrel tests

* Fix ServerComparison tests

* Fix DefaultBuilder functional tests

* Skip template tests

Need to run pack before running tests on mac/linux now

* Fix Identity test

* Fix ServerComparison tests

* Verify nginx installation on ubuntu

* Verify nginx installation?

* Try adding to path

* Try symlink

* Sudo?

* Woot it works

* Disable timeout

Template tests require more than 15 mins

* list env vars

* Use correct dotnet_home

* Prepend path instead

* Fix npmproj tests

* Fix CORS tests

* Debug signalr tests

* Debug signalr

* Capture bin

* Try building templates sequentially

* Debug signalr

* Cleanup

* Disable signalr npm tests

* Debug template test

* Try to fix templates again and make steps more reliable

* Cleanup

* Feedback
2019-06-19 10:03:38 -07:00