aspnetcore/eng/Signing.props

<Project>
  <!-- See https://github.com/dotnet/arcade/blob/master/Documentation/CorePackages/Signing.md for details. -->
  <Import Project="Common.props" />

  <ItemGroup>
    <!-- Reset Arcade's defaults. -->
    <ItemsToSign Remove="@(ItemsToSign)" />
    <FileExtensionSignInfo Remove="@(FileExtensionSignInfo)" />
  </ItemGroup>

  <!-- Files that should be always be signed between in-build and post-build signing -->
  <ItemGroup Label="Common Files to Sign">
    <CommonFilesToSign Include="$(ArtifactsPackagesDir)**\*.nupkg" />
    <CommonFilesToSign Include="$(VisualStudioSetupOutputPath)**\*.vsix" />
    <CommonFilesToSign Include="$(ArtifactsPackagesDir)**\*.jar"  />
    <CommonFilesToSign Include="$(ArtifactsDir)installers\$(Configuration)\**\*.zip" />
    <CommonFilesToSign Remove="$(ArtifactsDir)installers\$(Configuration)\**\*.wixpack.zip" Condition="'$(PostBuildSign)' != 'true'" />
  </ItemGroup>
  <Choose>
    <!-- When post build signing is false - Sign as normal.
         When post build signing is true - Sign all of our signable artifacts
          that we would publish. Use a different ItemGroup name so that
          the signing stage signs nothing. We then set ItemToSign during
          publishing to this ItemGroup.
        -->
    <When Condition="'$(PostBuildSign)' != 'true'">
      <ItemGroup Label="Files To Sign">
        <ItemsToSign Include="@(CommonFilesToSign)" />
        <ItemsToSign Remove="$(ArtifactsPackagesDir)**\*symbols.nupkg" />
      </ItemGroup>
    </When>
    <When Condition="'$(PostBuildSign)' == 'true'">
      <PropertyGroup>
        <AllowEmptySignList>true</AllowEmptySignList>
      </PropertyGroup>
      <ItemGroup Label="Files To Sign">
        <!-- Sign symbol nupkgs so that shared files between layouts and msis end up identical. -->
        <ItemsToSignPostBuild Include="@(CommonFilesToSign)" />
        <ItemsToSignPostBuild Include="$(ArtifactsDir)installers\$(Configuration)\**\*.exe" />
        <ItemsToSignPostBuild Include="$(ArtifactsDir)installers\$(Configuration)\**\*.msi" />
        <!-- Wixlibs are signed because they are containers of other files -->
        <ItemsToSignPostBuild Include="$(ArtifactsDir)installers\$(Configuration)\**\*.wixlib" />
      </ItemGroup>
    </When>
  </Choose>


  <ItemGroup Label="File signing information">
    <!--
      Map file extensions to a code-sign cert.
      "None" means don't sign the file itself, but still scan the contents for signable files.
    -->
    <FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJARSHA2" />
    <FileExtensionSignInfo Include=".ps1;.psd1;.psm1;.psc1" CertificateName="Microsoft400" />
    <FileExtensionSignInfo Include=".dll;.exe" CertificateName="Microsoft400" />
    <FileExtensionSignInfo Include=".nupkg" CertificateName="NuGet" />
    <FileExtensionSignInfo Include=".vsix" CertificateName="VsixSHA2" />
    <FileExtensionSignInfo Include=".zip" CertificateName="None" />
    <FileExtensionSignInfo Include=".cab" CertificateName="None" />
    <!-- If doing post build sign, explicitly give MSIs a cert. If doing in build signing,
         this is handled by the wix targets, and .msi should be "None" -->
    <FileExtensionSignInfo Include=".msi" CertificateName="Microsoft400" Condition="'$(PostBuildSign)' == 'true'" />
    <FileExtensionSignInfo Include=".msi" CertificateName="None" Condition="'$(PostBuildSign)' != 'true'" />

    <!-- Native .dll's. These don't have a public key token, but are from Microsoft and should be signed. -->
    <FileSignInfo Include="aspnetcore.dll" CertificateName="Microsoft400" />
    <FileSignInfo Include="aspnetcorev2_inprocess.dll" CertificateName="Microsoft400" />
    <FileSignInfo Include="aspnetcorev2_outofprocess.dll" CertificateName="Microsoft400" />
    <FileSignInfo Include="aspnetcorev2.dll" CertificateName="Microsoft400" />
    <FileSignInfo Include="blazor-devserver.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="dotnet-dev-certs.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="dotnet-sql-cache.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="dotnet-user-secrets.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="dotnet-watch.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="dotnet-openapi.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="Microsoft.AspNetCore.Blazor.Build.exe" CertificateName="Microsoft400" />
    <FileSignInfo Include="sni.dll" CertificateName="Microsoft400" />

    <!-- Third-party components which should be signed.  -->
    <FileSignInfo Include="Newtonsoft.Json.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="AngleSharp.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Mdb.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Pdb.dll" CertificateName="3PartySHA2" />
    <FileSignInfo Include="Mono.Cecil.Rocks.dll" CertificateName="3PartySHA2" />
  </ItemGroup>

  <PropertyGroup>
    <BaseRedistNetCorePath>$(ArtifactsObjDir)RedistSharedFx.Layout\$(Configuration)\</BaseRedistNetCorePath>
    <RedistNetCorePath>$(BaseRedistNetCorePath)$(TargetRuntimeIdentifier)\</RedistNetCorePath>
  </PropertyGroup>

  <ItemGroup Label="Code sign exclusions">
    <!-- We don't need to code sign .js files because they are not used in Windows Script Host. -->
    <FileExtensionSignInfo Include=".js" CertificateName="None" />
    <!-- We don't produce font files. We rebundle some for using the web brower, so they do not need to be signed. -->
    <FileExtensionSignInfo Include=".otf" CertificateName="None" />
    <FileExtensionSignInfo Include=".ttf" CertificateName="None" />
    <!-- This is a text file which doesn't need to be code signed, even though some .mof files can be signed. -->
    <FileSignInfo Include="ancm.mof" CertificateName="None" />
    <!-- Exclude the apphost because this is expected to be code-signed by customers after the SDK modifies it. -->
    <FileSignInfo Include="apphost.exe" CertificateName="None" />

    <!--
      These files should already be signed by the .NET Core team. They have to be listed again here because we recreate a redistributable which includes the Microsoft.NETCore.App runtime.
      List all combinations of Windows RID's because CI may build multiple combinations of artitectures on the same machine.
      This uses globs because some of the file names change on every build of .NET Core, like sos_amd64_$(fileversion).dll.

      Technically, this may not be necessary. SignTool does a good deal of detection to determine
      whether files are already signed.

      Do not include these with cert "None" when doing post-build signing. In that case, we will recognize that
    -->
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-x64\shared\Microsoft.NETCore.App\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-x86\shared\Microsoft.NETCore.App\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-arm\shared\Microsoft.NETCore.App\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-arm64\shared\Microsoft.NETCore.App\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-x64\host\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-x86\host\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-arm\host\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(BaseRedistNetCorePath)win-arm64\host\**\*.dll" CertificateName="None" />
    <_DotNetFilesToExclude Include="$(RedistNetCorePath)dotnet.exe" CertificateName="None" />
    <FileSignInfo Include="@(_DotNetFilesToExclude->'%(FileName)%(Extension)'->Distinct())" CertificateName="None" Condition="'$(PostBuildSign)' != 'true'" />

    <!-- Symbol packages should get no NuGet signature -->
    <!-- Requires https://github.com/dotnet/arcade/issues/6192 to be fixed -->
    <!-- <FileSignInfo Include="@(_SymbolPackages->'%(FileName)%(Extension)'->Distinct())" CertificateName="None" /> -->

    <!--
      We include the Microsoft.Build.Locator.dll assembly in our global tool 'Microsoft.dotnet-openapi'.
      It is already signed by that team, so we don't need to sign it.
    -->
    <FileSignInfo Include="Microsoft.Build.Locator.dll" CertificateName="None" />

    <!--
      We include the Microsoft.Data.SqlClient.dll and Microsoft.Identity.Client.dll assembly in our global tool 'dotnet-sql-cache'.
      It is already signed by that team, so we don't need to sign it.
    -->
    <FileSignInfo Include="Microsoft.Data.SqlClient.dll" CertificateName="None" />
    <FileSignInfo Include="Microsoft.Identity.Client.dll" CertificateName="None" />
  </ItemGroup>

</Project>