* Fix some post-build signing issues
This fixes some post-build signing issues that are present in the aspnetcore repo
1. Add the .msi extension to be signed by Microsoft400 - Msis must be signed. With in-build signing these get handled explicitly by the wixproj infrastructure. When we do post build signing, we must sign these files.
2. Remove the strong name exclusions. These exclusions are incorrect when applied in post-build and unnecessary for in-build signing. Most importantly, the aspnetcore PKT would not end up re-strong named (it doesn't need to be strong name signed by ESRP since it's strong named in-build) because the PKT doesn't match any of the StrongNameSignInfo specified in arcade. The rest of the entries seem to be mostly about optimization. I could not find any performance difference between these entries being present and not. I am not sure whether they actually even apply to any assets. Moreover, when doing post-build signing, they would conflict with the entries in runtime and other places.
Verification - I have a tool that I wrote which unpacks every file between two directories and compares the strong name, nuget, and authenticode certs between equivalent files. This is the same tool being used to verify post-build signing. This tool shows no difference in any aspnetcore produced asset.
Baseline: https://dev.azure.com/dnceng/internal/_build/results?buildId=836183&view=results
Diff: https://dev.azure.com/dnceng/internal/_build/results?buildId=837176&view=results
* Do not push VS packages for installers when PostBuildSign == true
* Output wix command packages to the installers output path
* Don't import microbuild signing targets from wix when PostBuildSign=true
* Tweaks:
- Don't sign wixpacks when not in post-build signing
- Generate a wixpack for both the original msi name (which the wixproj generates) AND the name we use in the final outputs. This is because while these files are the same, signing differentiates the certificate based on the file name, and wixpack lookup is also based on the file names. Aspnetcore and other repos have uses the final outputs (e.g. dotnet-aspnetcore-runtime-123.5..) as well as the internal names (e.g. AspNetCoreSharedFramework_x64.msi).
- Don't sign msi's when not post-build signing.
* Avoid generating sha512 files for wixpack zips
* Don't run xplat code sign jobs if PostBuildSign == true
* Change original target names
* Conditionalize codesign operations
* Add publishing flag for linux x64 and add deb sha512 generation
* Do not push the x64 linux runtime archive more than once
This change is prep for post build signing. When PostBuildSign=true, signing is not performed during the build. Instead, pass the top-level artifacts that are signable to PushToAzureDevOpsArtifacts (via Publish.proj).
Also fix up ArtifactsDir. As far as I can tell, it's been fixed up in Arcade to always include the trailing \, and Publish.proj should no longer be messed up.
- target project is a test project; need to undo `$(SkipTestBuild)` impact in these jobs
nit: remove a comment from DeveloperCertificates project that's irrelevant now
- use SignalR.Npm.FunctionalTests.npmproj to get non-stable version
- not Microsoft.AspNetCore.DeveloperCertificates.XPlat.csproj (avoid C# and F# projects)
- add `_GetPackageVersionInfo` target to all `*.npmproj` projects
- make `_GetPackageVersionInfo` target work when `yarn` is not installed
- switch codesign-xplat.yml to use `dotnet msbuild`
- above change also fixes Code-sign jobs but they're slightly faster using `dotnet msbuild`
* Always generate checksums as last part of publish job
* Initialize props correctly
* Fix wildcard
* Import Arcade SDK
* Add NoWarn MSB4011
* Make import conditional on GenerateChecksums
* Select specific files to checksum
* Respond to feedback
* AfterTargets -> BeforeTargets
* Update dependencies from Arcade
* Try publishing checksums
* Fix some errors
* Set RelativeBlobPath
* Fix publish location
* Centralize ChecksumExtension
* Fix use of ChecksumExtension in publishing.props
* Mark all blobs as shipping
- available (though not discoverable) in public dotnetcli feed
* Stabilize package versions
* Remove assumption that Microsoft.AspNetCore.AzureAppServices.SiteExtension packages have same version
- Microsoft.AspNetCore.AzureAppServices.SiteExtension.3.0 ships
- Microsoft.AspNetCore.AzureAppServices.SiteExtension.3.0.x?? do not ship
* Make installer versions consistent
- VS.Redist.Common.AspNetCore.SharedFramework and ...TargetingPack packages are non-shipping
- everything else ships
nit: remove extra whitespace in .nuspec files for the packages
* Correct assumptions in framework unit tests
- tests sometimes do not calculate version properties as product projects do
- Microsoft.AspNetCore.App.Ref and ...Runtime packages may rev versions separately
* Fix last 2 `SharedFxTests` failures
* Correct Microsoft.AspNetCore.App* versions used in ProjectTemplates tests
- `$(SharedFxVersion)` is not useful in test projects due to stable versioning
* Add continue on error for test templates
- #11924
- change ci.yml to use stages and post-build.yml
- add use of publish-build-assets.yml and post-build.yml
- create manifests and push to artifacts in last build step of each job
- pass more MSBuild properties into those builds
- use Arcade to publish installers
- use distinct `$(AssetManifestFileName)` values per job
- set global property to override what's hard-coded in Publish.proj
- change codesign-xplat.yml to use empty.proj and normal Arcade signing and publication process
- remove XPlatPackageSigner.proj
- change default-build.yml to use job.yml
- remove unused parameters e.g. `matrix`, `poolName`, `variables`
- use `enableMicrobuild` and `enablePublishTestResults` to eliminate duplicate build steps
- add .dll's and .exe's as files to sign w/ Microsoft400
- add signcheck exclusions
- remove custom manifest generation i.e. the `GenerateBuildAssetManifest` target and related artifacts
- update docker infrastructure to use same paths in and out of the container
- avoids problems adding to artifacts from within the builds
- correct typo in build.sh
- use `$env:DOTNET_INSTALL_DIR` in `DotNetCommands`
- relax expectations that an arch-specific folder exists under (say) `$env:DOTNET_HOME`
- avoids need to define `$env:DOTNET_HOME` in all jobs on CI
- update dependencies from dotnet/arcade build '20190908.2'
- upgrade to eg. Arcade SDK '1.0.0-beta.19458.2' package version
- pick up dotnet/arcade@dd593acc8b fix
- enable use of `%(PublishFlatContainer)` metadata and correct signing validation issues
- use `$(DotNetFinalVersionKind)` in preparation for servicing builds
- set `$(IsStableBuild)` for use in Arcade infrastructure
- disable signing validation for now (see #13864)
nits:
- upload logs in first artifact
- remove attempts to package non-existent VSIX
- follow-up to 29cf7ecb80
- respect verbosity setting in build.sh
- add more information to Artifacts.md
- enable test signing in internal PRs
William Godbe
Matt Mitchell
Epsitha Ananth
Doug Bunting
Ryan Nowak