Add catalog signing for .js files for VS signing compliance#1671

Merged
akoeplinger merged 4 commits into dotnet:main from jesuszarate:dev/jezarat/catalog-sign-js-files
Mar 31, 2026

Conversation

@jesuszarate

The .js files in the Emscripten SDK are customer-modifiable toolchain files that cannot be directly Authenticode-signed (modifying a signed file breaks the signature). Instead, generate a .cat catalog file covering all .js files, which is signed with MicrosoftDotNet500 via the existing FileExtensionSignInfo entry for .cat files.

The GenerateCatalogFiles target runs after ReallyBuild on Windows only (makecat.exe is a Windows SDK tool), generates a CDF listing all .js files, produces emscripten-js.cat, and places it in the SDK package directory so it ships alongside the files it covers.

This fixes ~14,468 unsigned .js files flagged by VS signing compliance scans.
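The CDF-plus-makecat step the description outlines, as an added example that is not the project's own eng/generate-catalog.ps1. It assumes makecat.exe from the Windows SDK is on PATH and that `$Root` is the directory whose .js files the catalog should cover; the catalog it writes is unsigned, signing being left to the existing .cat signing step.

```powershell
# Added example (not the project's eng/generate-catalog.ps1): write a makecat CDF
# listing every .js file under $Root and build an unsigned catalog from it.
# Assumes makecat.exe (Windows SDK) is on PATH.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $CatalogName = 'emscripten-js.cat'
)
$ErrorActionPreference = 'Stop'
$Root = (Resolve-Path -LiteralPath $Root).Path
$cdfPath = Join-Path $Root 'emscripten-js.cdf'

# Filter on the exact extension: a "-Filter *.js" can also match *.json on Windows.
$jsFiles = @(Get-ChildItem -LiteralPath $Root -Recurse -File |
             Where-Object { $_.Extension -eq '.js' })
if ($jsFiles.Count -eq 0) { throw "No .js files found under $Root" }

# CatalogVersion=2 with HashAlgorithms=SHA256 produces a SHA-256 catalog;
# PageHashes=false because these are script files, not PE images.
$lines = [System.Collections.Generic.List[string]]@(
    '[CatalogHeader]',
    "Name=$CatalogName",
    "ResultDir=$Root",
    'PublicVersion=0x1',
    'CatalogVersion=2',
    'HashAlgorithms=SHA256',
    'PageHashes=false',
    'EncodingType=0x00010001',
    '',
    '[CatalogFiles]'
)
$n = 0
foreach ($file in $jsFiles) {
    $n++
    # The <HASH> prefix makes makecat use the file's content hash as the member
    # tag, so verification does not depend on where the file is installed.
    $lines.Add("<HASH>js$n=$($file.FullName)")
}
# UTF-8 without BOM; the CDF content here is ASCII, which makecat expects.
[System.IO.File]::WriteAllLines($cdfPath, [string[]]$lines)

try {
    & makecat.exe -v $cdfPath
    if ($LASTEXITCODE -ne 0) { throw "makecat.exe failed with exit code $LASTEXITCODE" }
    Write-Host "Catalog written: $(Join-Path $Root $CatalogName) ($($jsFiles.Count) files)"
}
finally {
    Remove-Item -LiteralPath $cdfPath -ErrorAction SilentlyContinue
}
```

Windows only consults catalogs that have been added to its catalog database (for example with `signtool.exe catdb`), so a catalog shipped beside the files lets a compliance scan or `signtool.exe verify /c <catalog>` check them without changing what the OS itself trusts. A modified .js file fails catalog verification while the unmodified files still pass, which is the property that makes this work for customer-editable toolchain files.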

jesuszarate force-pushed the dev/jezarat/catalog-sign-js-files branch 3 times, most recently from 747fc39 to 28f755e on March 27, 2026 22:24
@akoeplinger
Member

@jesuszarate can you please sign the CLA? I verified the .nupkg now contains tools/emscripten/emscripten-js.cat

Comment thread eng/emsdk.proj
preventing modification. Only runs on Windows (makecat.exe is a Windows SDK tool)
and only the Windows packs are inserted into VS.
-->
<Target Name="GenerateCatalogFiles" AfterTargets="ReallyBuild" Condition="$([MSBuild]::IsOSPlatform('Windows'))">
Member

@akoeplinger Are there any cases where this would need to run on non-Windows?

Member

I can't think of any given this is specifically for VS

Comment thread eng/generate-catalog.ps1
The .js files in the Emscripten SDK are customer-modifiable toolchain files
that cannot be directly Authenticode-signed (modifying a signed file breaks
the signature). Instead, generate a .cat catalog file covering all .js files,
which is signed with MicrosoftDotNet500 via the existing FileExtensionSignInfo
entry for .cat files.

The GenerateCatalogFiles target runs after ReallyBuild on Windows only
(makecat.exe is a Windows SDK tool). It invokes eng/generate-catalog.ps1 which
enumerates all .js files, generates a CDF, runs makecat.exe, and produces
emscripten-js.cat in the SDK package directory so it ships alongside the
files it covers.

This fixes ~14,468 unsigned .js files flagged by VS signing compliance scans.
jesuszarate force-pushed the dev/jezarat/catalog-sign-js-files branch from 28f755e to bff6a3e on March 30, 2026 21:37
jesuszarate marked this pull request as ready for review March 30, 2026 21:43
@jesuszarate
Author

@dotnet-policy-service agree company="Microsoft"

akoeplinger and others added 2 commits March 31, 2026 10:01
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
akoeplinger enabled auto-merge (squash) March 31, 2026 08:04
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
akoeplinger merged commit 2d6b99d into dotnet:main Mar 31, 2026
10 checks passed
@akoeplinger
Member

/backport to release/10.0

@github-actions

Started backporting to release/10.0 (link to workflow run)

jesuszarate added a commit to jesuszarate/runtime that referenced this pull request Apr 21, 2026
The VS signing scan requires every signable file to carry its own
signature. The Mono workload packs contain 480 unsigned files:
- 198 .js files (browser-wasm runtime scripts)
- 282 .cab files (WiX cabinet archives inside MSIs)

For .js files: keep CertificateName=None (same as dotnet/emsdk#1671)
because these are customer-modifiable runtime files. Instead, generate
a .cat catalog file covering all .js files, signed via FileExtensionSignInfo
for .cat. The GenerateCatalogFiles target runs after AddMonoRuntimeFiles
on Windows browser-wasm builds.

For .cab files: add FileExtensionSignInfo with Microsoft400 so the
Arcade SDK SignTool signs them directly.

Both Microsoft400 entries are auto-replaced by MicrosoftDotNet500
since UseDotNetCertificate=true.

Tracking: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2911494