
Add catalog signing for unsigned apphost template files#127888

Draft
jesuszarate wants to merge 1 commit into dotnet:main from jesuszarate:dev/jezarat/catalog-sign-apphost-templates

Conversation

@jesuszarate

Summary

The apphost template files (apphost.exe, singlefilehost.exe, comhost.dll) are intentionally unsigned because the .NET SDK modifies them at build time via HostWriter.CreateAppHost(). However, the Visual Studio signing scan (SignVerify) flags them as non-compliant unsigned PE binaries.

This change adds a catalog file (.cat) containing SHA256 hashes of the template files. The catalog is signed with MicrosoftDotNet500 via Arcade signing and shipped alongside the templates in the AppHostPack NuGet package and MSI. This provides integrity verification for VS signing compliance without breaking the SDK workflow.

Changes

  1. eng/Signing.props — Added FileSignInfo entry for apphost-templates.cat with MicrosoftDotNet500 certificate
  2. src/installer/pkg/sfx/Microsoft.NETCore.App/Microsoft.NETCore.App.Host.sfxproj — Added GenerateAppHostTemplateCatalog target that:
    • Stages the three unsigned template files in an isolated directory
    • Generates a .cat file using New-FileCatalog (Windows only)
    • Includes the .cat in FilesToPackage so it ships in the NuGet pack and MSI

Context

Risk

Low — This is a purely additive change. The unsigned template files are not modified. The .cat file is a new artifact that provides integrity verification only. The target only runs on Windows builds.

The apphost template files (apphost.exe, singlefilehost.exe, comhost.dll)
are intentionally unsigned because the .NET SDK modifies them at build time
via HostWriter.CreateAppHost(). However, the Visual Studio signing scan
flags them as non-compliant.

This change adds a catalog file (.cat) containing SHA256 hashes of the
template files. The catalog is signed with MicrosoftDotNet500 via Arcade
signing and shipped alongside the templates in the AppHostPack NuGet
package and MSI. This provides integrity verification for VS signing
compliance without breaking the SDK workflow.

Fixes the VS signing scan finding for 54 apphost template PE files across
.NET 8/9/10 architectures.

Related: dotnet#3694
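The workflow the description outlines, as an added example that is not the PR's GenerateAppHostTemplateCatalog target nor any code from dotnet/runtime: stage the three templates in an isolated directory, build a SHA-256 catalog with New-FileCatalog, check it with Test-FileCatalog, and then show that a template rewritten the way the SDK rewrites apphost.exe at build time no longer validates against the catalog. The directory names and the placeholder file contents are constructed for the demo (the real files are unsigned PE binaries); it runs only on Windows, where the catalog cmdlets ship in the Microsoft.PowerShell.Security module. Signing the catalog is left to the project's Arcade pipeline and is not reproduced here.

```powershell
# Added example, not the PR's own MSBuild target. Windows only: New-FileCatalog and
# Test-FileCatalog are in the Windows Microsoft.PowerShell.Security module.
# $stage, $built and $cat are placeholder paths chosen for this demo.
$ErrorActionPreference = 'Stop'
$stage = Join-Path $env:TEMP 'apphost-templates'     # isolated dir holding only the templates
$built = Join-Path $env:TEMP 'apphost-after-sdk'     # simulates output of HostWriter.CreateAppHost()
$cat   = Join-Path $env:TEMP 'apphost-templates.cat'

foreach ($dir in $stage, $built) {
    if (Test-Path $dir) { Remove-Item -Recurse -Force $dir }
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Constructed stand-ins for the three unsigned template files (the real ones are PE images).
foreach ($name in 'apphost.exe', 'singlefilehost.exe', 'comhost.dll') {
    [IO.File]::WriteAllBytes((Join-Path $stage $name), [Text.Encoding]::ASCII.GetBytes("template: $name"))
}

# -CatalogVersion 2.0 stores SHA-256 entries. Windows PowerShell defaults to 1.0, which is
# SHA-1, so the version must be passed explicitly to get the "SHA256 hashes" the PR describes.
New-FileCatalog -CatalogFilePath $cat -Path $stage -CatalogVersion 2.0 | Out-Null

# Status is Valid only when every file under -Path matches its catalog entry and no
# catalogued file is missing, so the catalog pins the exact set of shipped templates.
$ok = Test-FileCatalog -CatalogFilePath $cat -Path $stage -Detailed
"Staged templates: $($ok.Status) ($($ok.HashAlgorithm))"
foreach ($item in $ok.CatalogItems.GetEnumerator()) { '  {0,-20} {1}' -f $item.Key, $item.Value }

# Until it is Authenticode-signed (Arcade's job in the PR) the .cat is just a hash list
# that anyone could regenerate; the signature is what makes it an integrity statement.
"Catalog signature: $((Get-AuthenticodeSignature -FilePath $cat).Status)"   # NotSigned here

# The SDK patches apphost.exe per application, so built apphosts are expected NOT to
# validate against the shipped catalog. Simulate that by appending data to the template.
Copy-Item (Join-Path $stage '*') $built
Add-Content -Path (Join-Path $built 'apphost.exe') -Value 'MyApp.dll' -Encoding ascii

$after = Test-FileCatalog -CatalogFilePath $cat -Path $built -Detailed
"After SDK-style rewrite: $($after.Status)"   # ValidationFailed
foreach ($name in $after.CatalogItems.Keys) {
    if ($after.CatalogItems[$name] -ne $after.PathItems[$name]) { "  mismatch: $name" }
}
```

Two caveats a verifier should keep in mind: for PE files the catalog entry is the Authenticode image hash, not a flat SHA-256 of the file bytes, so compare with Test-FileCatalog rather than Get-FileHash; and the catalog attests only the pristine templates in the pack, never the app-specific apphost that HostWriter.CreateAppHost() writes into a build output.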
Copilot AI review requested due to automatic review settings May 6, 2026 21:28
Contributor

Copilot AI left a comment


Copilot encountered an error: Your billing is not configured or you have Copilot licenses from multiple standalone organizations or enterprises. To use premium requests, select a billing entity via the GitHub site, under Settings > Copilot > Features.


Labels

area-Host community-contribution Indicates that the PR has been added by a community member


2 participants