Component .pkgs that were signed using SignTool are being reported as "not signed" #4889
Assignees
Labels
Comments
|
@mmitche - Heads up that I added this to the board under preview4 since I think this is something that should get addressed by that deadline. |
|
Yep thanks. |
|
The pkgs lose their signature on unpack. That said, we do need to properly notarize them first, so doing that. dotnet/runtime#114027 and dotnet/sdk#47996 |
|
Closing in favor of #4994 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related to dotnet/arcade#15489
After adding the SignCheck logic to check .pkg signatures, I discovered that component (nested) pkgs are being reported as "unsigned". I validated this locally by pulling a signed installer pkg, unpacking the installer, and verifying the component pkg. When I did this, the component pkg was reported to not have a signature. This is despite SignTool + MicroBuild binlogs showing that the component pkg was submitted for signing and was signed successfully.
Interestingly, when I then repacked the installer pkg and reverified it's signature, it was reported to not be signed. This suggests that the repack logic is likely modifying the package.
We should investigate this further.
cc @mmitche
The text was updated successfully, but these errors were encountered: