Sign .js files with 3PartyScriptsSHA2 for VS signing compliance#1666
Closed
jesuszarate wants to merge 1 commit intodotnet:mainfrom
Closed
Sign .js files with 3PartyScriptsSHA2 for VS signing compliance#1666jesuszarate wants to merge 1 commit intodotnet:mainfrom
jesuszarate wants to merge 1 commit intodotnet:mainfrom
Conversation
Member
|
as far as I know we tried this in the past but signing the files broke something due to how the signing comment gets embedded in the .js file VS signing needs to be updated to handle this case, the rules are clear that you only need .js signing for Windows Script Host |
The .js files in the Emscripten SDK are customer-modifiable toolchain files that cannot be directly Authenticode-signed (modifying a signed file breaks the signature). Instead, generate a .cat catalog file covering all .js files, which is signed with MicrosoftDotNet500 via the existing FileExtensionSignInfo entry for .cat files. The GenerateCatalogFiles target runs after ReallyBuild on Windows only (makecat.exe is a Windows SDK tool), generates a CDF listing all .js files, produces emscripten-js.cat, and places it in the SDK package directory so it ships alongside the files it covers. This fixes ~14,468 unsigned .js files flagged by VS signing compliance scans.
jesuszarate
force-pushed
the
dev/jezarat/sign-js-files
branch
from
5e90189 to
5ed1cb7
Compare
Member
|
Superseded by #1671 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sign
.jsfiles in the Emscripten SDK workload packs with3PartyScriptsSHA2instead of skipping them (None).Problem
VS signing scans flag ~14,468 unsigned files across all Emscripten SDK workload packs (.NET 6–10). The
.jsfiles inside these packs are 3rd-party OSS Emscripten toolchain files shipped inside VS workload pack MSIs. They are currently not signed becauseeng/Signing.propsexplicitly setsCertificateName="None"for.jsfiles with the comment "We don't need to code sign .js files because they are not used in Windows Script Host."While that rationale is correct for script execution, VS signing compliance requires all files in setup packages to be signed regardless of their runtime usage.
Fix
Changed
FileExtensionSignInfofor.jsfromCertificateName="None"toCertificateName="3PartyScriptsSHA2"(cert 135020022), which is the correct certificate for 3rd-party OSS script files per the Signing Cert Guidance wiki.Impact
After this change flows through the staging pipeline and into VS, the ~14,468 previously-unsigned
.jsfiles across all emsdk workload packs will be properly signed.