[build] Enable signing for .NET 6 artifacts#5529
Conversation
Context: https://github.com/xamarin/yaml-templates/tree/564100f2aa923ee4db4b69cc45a622822643309b/sign-artifacts
Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/650/Enabling-Signing-in-Your-Projects

The structure of our YAML pipeline has been updated to enable signing for all relevant .NET 6 artifacts. The new pipeline hierarchy is described below:

```
mac_build
...
sign nupkgs
  create net6 .pkg
    download signed .nupkgs
    push signed .nupkgs to feed
    harden/sign mach-o binaries
    create .pkg
    notarize .pkg
    publish .pkg
  create net6 .msi
    download signed .nupkgs
    download notarized .pkg
    create and sign .msi
    upload .msi and .pkg to blob storage
```

The `dotnet_installers` stage now starts with a templated job which will sign all .nupkg files created by our `mac_build` stage. These signed packages are then downloaded by a new macOS job that will push them to a feed and use them to create, sign, and notarize the .NET 6 .pkg file. Finally, the job which previously created our .NET 6 .msi has been updated to wait for the result of the .NET 6 .pkg creation job. This job will now consume the signed .nupkg files to produce a signed .msi, and upload both the signed .pkg and .msi files to blob storage.
Commit 5f79468 has successfully signed artifacts - https://dl.internalx.com/vsts-devdiv/Xamarin.Android/public/net6/4389120/sign-net6-nupkg/5f794681a045dad295119f3ea422beb1032b727a/artifacts.json. This status might get overwritten when a PR build runs however. This should almost be ready to go once https://github.com/xamarin/yaml-templates/pull/96 is merged, assuming test signing works as expected against a PR build.
jonathanpeppers
left a comment
Otherwise looks great! I tested the Windows .msi and it is signed!
```xml
<_MSBuildFiles Include="$(MSBuildSrcDir)\Xamarin.Installer.Common.dll" />
<_MSBuildFiles Include="$(MSBuildSrcDir)\Xamarin.Installer.Common.pdb" />
<_MSBuildFiles Include="$(MSBuildSrcDir)\Xamarin.Installer.Common.targets" />
<_MSBuildFiles Include="$(MSBuildSrcDir)\K4os.Compression.LZ4.dll" />
```
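Review bot: K4os.Compression.LZ4.dll in the last line is a third-party assembly, so under the SignList.xml convention described in the commit message (files signed elsewhere go in @(Skip), third-party files that still need signing go in @(ThirdParty)) it should have a matching @(ThirdParty) entry so it is not left to the first-party signing path; while the duplicate entries raised on these lines are being cleaned up, it is worth checking that no file is matched by more than one sign-list group.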
Were the two assemblies here listed twice?
Yeah, I had an initial take where I was marking third party items in this file and found a couple duplicates that should be cleaned up as part of that.
/azp run

Azure Pipelines successfully started running 1 pipeline(s).

@trevors20 It looks like this is also being worked on in #5509, maybe I should wait for that to land first?

Unsigned PR artifacts from commit c90b97b: Final test build for real signing: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=4404565&view=results This should be ready to merge.
Context: #5529

Commit dc1f7ba enabled ESRP signing for all .NET 6 artifacts, and we've been asked to apply these changes to our stable .pkg installer that is still using a deprecated Apple Developer account and signing logic.

The mac build job has been updated to sign and harden all Mach-O files included in both our stable and .NET 6 .pkg files. This was previously happening in two different passes, the first for the stable .pkg content during the build job and the second for the .NET 6 .pkg content during the `dotnet_create_pkg` job.

Signing of the stable .pkg has been migrated to use the ESRP signing service via the tasks/targets imported by the new MicroBuild package reference.

Notarization of the stable .pkg has been moved to the mac build job. As a result, all legacy macOS automated tests will now run against the final version of the package we ship. This will allow us to catch any potential issues with notarization earlier.
Context: #5529

Commit dc1f7ba enabled ESRP signing for all .NET 6 artifacts, and we've been asked to apply these changes to our stable `.pkg` installer which is using a deprecated Apple Developer account and signing logic.

The macOS build job has been updated to sign and harden all Mach-O files included in both our stable and .NET 6 `.pkg` files. This was previously happening in two different passes, the first for the stable `.pkg` content during the build job and the second for the .NET 6 `.pkg` content during the `dotnet_create_pkg` job.

Signing of the stable `.pkg` has been migrated to use the ESRP signing service via the tasks/targets imported by the new MicroBuild package reference.

Our previous notarization preparation logic required us to unpack `bundletool.jar`, and sign the version of `aapt2` that is bundled inside. We now instead remove all embedded versions of `aapt2`, as we pass in the path our own bundled `aapt2` via `bundletool.jar --aapt2 /path/to/our/aapt2`.
None of the `MicroBuild` tasks/targets will run during local builds, so we do not need to worry about additional environment provisioning when creating these installers locally. In order to test locally, the MicroBuild signing NuGet needs to be installed locally and either the `MicroBuildOverridePluginDirectory` or `MicroBuildPluginDirectory` properties must be set and point to the folder where the signing NuGet was installed. See the "Enabling signing in your projects" link above for more information.

The new SignList.xml file is used by the .nupkg signing job. The content of this file controls which certs are used to sign which files. Anything that was signed through an alternate source should be added to the `@(Skip)` ItemGroup. Any third party file that needs signing should be added to the `@(ThirdParty)` ItemGroup.
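A coverage check for the sign list described above, added here as an example and not part of the PR or the yaml-templates project: it parses a SignList.xml and reports every shipped binary that no group claims (it would leave the pipeline unsigned) and every binary claimed by more than one group (the duplicate problem raised in review). The ItemGroup layout, the `FirstParty` group name and the sample file names are assumptions for illustration.

```python
# Added example, not the project's own code. The SignList.xml shape below
# (ItemGroup children named Skip / ThirdParty / FirstParty with an Include
# attribute) and the FirstParty group name are ASSUMED for illustration.
import fnmatch
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

GROUPS = ("Skip", "ThirdParty", "FirstParty")
SIGNABLE = (".dll", ".exe")   # .pdb/.targets files are not Authenticode-signed

# Constructed sample sign list; names mirror the assemblies in the review snippet.
SAMPLE_SIGNLIST = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <FirstParty Include="Xamarin.Installer.Common.dll" />
    <ThirdParty Include="K4os.Compression.LZ4.dll" />
    <Skip Include="already-signed.dll" />
    <Skip Include="K4os.Compression.LZ4.dll" />
  </ItemGroup>
</Project>
"""

def parse_signlist(xml_text: str) -> Dict[str, List[str]]:
    """Return {group: [include patterns]} for each Skip/ThirdParty/FirstParty item."""
    groups: Dict[str, List[str]] = {g: [] for g in GROUPS}
    for item in ET.fromstring(xml_text).iter():
        tag = item.tag.rsplit("}", 1)[-1]          # drop the MSBuild namespace
        include = item.get("Include")
        if tag in groups and include:
            groups[tag].append(include)
    return groups

def audit(groups: Dict[str, List[str]],
          shipped: List[str]) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Find signable files no group matches, and files matched by >1 group."""
    unlisted: List[str] = []
    duplicated: List[Tuple[str, List[str]]] = []
    for name in sorted(shipped):
        if not name.lower().endswith(SIGNABLE):
            continue
        owners = [g for g, pats in groups.items()
                  if any(fnmatch.fnmatch(name, p) for p in pats)]
        if not owners:
            unlisted.append(name)
        elif len(owners) > 1:
            duplicated.append((name, owners))
    return unlisted, duplicated

if __name__ == "__main__":
    # Constructed list of files destined for the installer payload.
    files = ["Xamarin.Installer.Common.dll", "Xamarin.Installer.Common.pdb",
             "K4os.Compression.LZ4.dll", "Unlisted.dll", "already-signed.dll"]
    print(audit(parse_signlist(SAMPLE_SIGNLIST), files))
```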