
Add catalog signing for .js files and direct signing for .cab files#127242

Open
jesuszarate wants to merge 1 commit into dotnet:main from jesuszarate:dev/jezarat/sign-mono-cab-js

Conversation

@jesuszarate

@jesuszarate jesuszarate commented Apr 21, 2026

Problem

The Visual Studio signing scan flags 480 unsigned files across Mono workload pack MSI payloads (.NET 6-10):

  • 198 .js files - Mono browser-wasm runtime JavaScript files, unsigned
  • 282 .cab files - WiX-generated cabinet archives inside MSIs, unsigned

These MSI payloads are produced by the dotnet/runtime CI build and inserted into Visual Studio via the DotNet-SDK-Workloads staging pipeline. Every signable file in VS setup must carry its own signature.

Approach

Follows the same pattern as dotnet/emsdk#1671 (merged):

.js files - Catalog signing (not direct Authenticode)

The .js files are customer-modifiable runtime/toolchain files. Direct Authenticode signing would break when users modify them. Instead:

  1. Keep FileExtensionSignInfo .js as CertificateName=None (don't Authenticode-sign)
  2. Generate a .cat catalog file covering all .js files for integrity verification
  3. Sign the .cat via FileExtensionSignInfo .cat with Microsoft400 (auto-replaced by MicrosoftDotNet500 since UseDotNetCertificate=true)

A GenerateCatalogFiles target in the Mono runtime sfxproj runs after AddMonoRuntimeFiles on Windows browser-wasm builds, using the same generate-catalog.ps1 script pattern from emsdk.

.cab files - Direct Authenticode signing

Cabinet archives are immutable build artifacts. Added FileExtensionSignInfo .cab with Microsoft400 so the Arcade SDK SignTool signs them directly.

Changes

  • eng/Signing.props: Keep .js as None with explanatory comment; add .cab and .cat FileExtensionSignInfo
  • eng/generate-catalog.ps1: New script (same as dotnet/emsdk#1671) - generates CDF + runs makecat.exe
  • src/installer/pkg/sfx/.../Microsoft.NETCore.App.Runtime.Mono.sfxproj: GenerateCatalogFiles target for browser-wasm builds

Affected Payloads

All Mono workload packs for .NET 6-10 (276 payloads total):

  • Microsoft.NETCore.App.Runtime.Mono.* (browser-wasm, android-, ios-, maccatalyst-, tvos-, wasi-wasm)
  • Microsoft.NET.Runtime.MonoAOTCompiler.Task
  • Microsoft.NET.Runtime.MonoTargets.Sdk
  • Microsoft.Mono.Toolchain.*.Manifest

Tracking

VS signing compliance: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2911494
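Added illustration of the catalog step described under ".js files - Catalog signing" in the PR description above: it is not the PR's eng/generate-catalog.ps1 nor the emsdk script, and it assumes makecat.exe from the Windows SDK is on PATH (the parameter names and the output layout are hypothetical).

```powershell
# Added example (not the PR's own script): write a MakeCat definition (.cdf)
# listing every .js file under $RootDir, then run makecat.exe to produce the
# unsigned .cat. The .cat is what the signing step later Authenticode-signs,
# so the .js files themselves stay unsigned and remain customer-modifiable.
# Assumes makecat.exe is on PATH; file paths are assumed not to contain '='.
param(
    [Parameter(Mandatory)] [string] $RootDir,        # hypothetical parameter
    [Parameter(Mandatory)] [string] $CatalogName,    # e.g. "mono-browser-wasm.cat"
    [string] $OutDir = (Join-Path $RootDir "catalog") # hypothetical default
)
$ErrorActionPreference = "Stop"
$RootDir = (Resolve-Path $RootDir).Path
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Match on the extension explicitly: a "-Filter *.js" would also pick up
# files such as *.json through the file system's short-name matching quirk.
$jsFiles = @(Get-ChildItem -Path $RootDir -Recurse -File |
             Where-Object { $_.Extension -eq ".js" })
if ($jsFiles.Count -eq 0) { throw "No .js files found under $RootDir" }

$cdf = @(
    "[CatalogHeader]",
    "Name=$CatalogName",
    "ResultDir=$OutDir",
    "PublicVersion=0x0000001",
    "EncodingType=0x00010001",
    "HashAlgorithms=SHA256",              # SHA-256 member hashes instead of SHA-1
    "CATATTR1=0x10010001:OSAttr:2:6.1",
    "[CatalogFiles]"
)
$index = 0
foreach ($f in $jsFiles) {
    # Each member tag must be unique, so prefix the file name with a counter;
    # the value is the absolute path makecat hashes into the catalog.
    $cdf += "<HASH>$($index)_$($f.Name)=$($f.FullName)"
    $index++
}
$cdfPath = Join-Path $OutDir ([IO.Path]::ChangeExtension($CatalogName, ".cdf"))
Set-Content -Path $cdfPath -Value $cdf -Encoding ASCII

# makecat does not throw on failure in Windows PowerShell, so check the exit code.
& makecat.exe -v $cdfPath
if ($LASTEXITCODE -ne 0) { throw "makecat.exe failed with exit code $LASTEXITCODE" }
Write-Host "Wrote $(Join-Path $OutDir $CatalogName) covering $index .js files"
```

The resulting .cat only carries integrity value once it is signed; in the PR that happens through the FileExtensionSignInfo entry for .cat, which this example does not perform.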

Copilot AI review requested due to automatic review settings April 21, 2026 20:54
@dotnet-policy-service dotnet-policy-service Bot added the community-contribution Indicates that the PR has been added by a community member label Apr 21, 2026

Copilot AI left a comment


Pull request overview

Updates the repo signing configuration to satisfy Visual Studio setup signing compliance by ensuring additional signable file types included in Mono workload MSI payloads are Authenticode-signed.

Changes:

  • Updates .js signing to use the Microsoft400 certificate instead of opting out (None).
  • Adds signing configuration for .cab files using the Microsoft400 certificate.

The VS signing scan requires every signable file to carry its own
signature. The Mono workload packs contain 480 unsigned files:
- 198 .js files (browser-wasm runtime scripts)
- 282 .cab files (WiX cabinet archives inside MSIs)

For .js files: keep CertificateName=None (same as dotnet/emsdk#1671)
because these are customer-modifiable runtime files. Instead, generate
a .cat catalog file covering all .js files, signed via FileExtensionSignInfo
for .cat. The GenerateCatalogFiles target runs after AddMonoRuntimeFiles
on Windows browser-wasm builds.

For .cab files: add FileExtensionSignInfo with Microsoft400 so the
Arcade SDK SignTool signs them directly.

Both Microsoft400 entries are auto-replaced by MicrosoftDotNet500
since UseDotNetCertificate=true.

Tracking: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2911494
@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-mono-cab-js branch from 245664b to c974f16 April 21, 2026 21:12
@jesuszarate jesuszarate changed the title Sign .js and .cab files for VS signing compliance Add catalog signing for .js files and direct signing for .cab files Apr 21, 2026
Comment thread eng/Signing.props
Instead, a catalog file (.cat) is generated and signed to provide integrity
verification. See the GenerateCatalogFiles target in eng/mono.proj. -->
<FileExtensionSignInfo Update=".js" CertificateName="None" />
<FileExtensionSignInfo Include=".cab" CertificateName="Microsoft400" />
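Review bot: the comment's pointer "See the GenerateCatalogFiles target in eng/mono.proj" does not match the PR description, which places that target in src/installer/pkg/sfx/.../Microsoft.NETCore.App.Runtime.Mono.sfxproj; update the comment to name the file that actually carries the target so the next reader of Signing.props can find it. The .cab entry is Include=".cab" while the .js entry is Update=".js"; if Arcade already declares a .cab entry, Include would produce a duplicate and the line should become Update, so this is worth confirming against the SDK's default FileExtensionSignInfo items.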


If this is for correctness, can we instead add this in dotnet/arcade? Then everyone that builds MSIs will get it (SDK as well).


Labels

area-Build-mono community-contribution Indicates that the PR has been added by a community member
