2 changes: 2 additions & 0 deletions eng/Signing.props
@@ -31,6 +31,8 @@
<ItemGroup>
<!-- apphost and comhost template files are not signed, by design. -->
<FileSignInfo Include="apphost.exe;singlefilehost.exe;comhost.dll" CertificateName="None" />
<!-- Sign the catalog file that provides integrity verification for the unsigned apphost templates. -->
<FileSignInfo Include="apphost-templates.cat" CertificateName="MicrosoftDotNet500" />

<!--
The DAC and the DBI must go through special signing provisioning using a system separate
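Review bot: The comment on the new `FileSignInfo` for `apphost-templates.cat` says the catalog provides integrity verification but not what keeps it valid: the hashes only hold if `apphost.exe`, `singlefilehost.exe` and `comhost.dll` are byte-identical between catalog generation and packaging. I would extend it to something like `<!-- Catalog of the unsigned templates above; it must be produced from the final template bytes, and any later change to them invalidates it. -->`. Nothing in this hunk shows whether the signing step accepts `.cat` files with this certificate, so that is worth confirming before merge. The enclosing `ItemGroup` continues past the end of the hunk.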
@@ -88,4 +88,33 @@
<HeatOutputFileElementToStabilize Include="native\singlefilehost.exe" ReplacementId="staticapphosttemplateapphostexe" />
<HeatOutputFileElementToStabilize Include="native\comhost.dll" ReplacementId="comhosttemplatecomhostdll" />
</ItemGroup>

<!--
Generate a catalog file (.cat) containing SHA256 hashes of the unsigned apphost template files.
These templates are intentionally unsigned because the .NET SDK modifies them at build time
via HostWriter.CreateAppHost(). The signed catalog provides integrity verification for
Visual Studio signing compliance without breaking the SDK workflow.
See https://github.com/dotnet/runtime/issues/3694
-->
<Target Name="GenerateAppHostTemplateCatalog"
BeforeTargets="GetFilesToPackage"
Condition="'$(TargetOS)' == 'windows'">
<PropertyGroup>
<_CatStagingDir>$(IntermediateOutputPath)apphost-catalog\</_CatStagingDir>
<_CatalogFilePath>$(DotNetHostBinDir)apphost-templates.cat</_CatalogFilePath>
</PropertyGroup>

<!-- Stage the unsigned template files in an isolated directory for catalog generation -->
<RemoveDir Directories="$(_CatStagingDir)" />
<MakeDir Directories="$(_CatStagingDir)" />
<Copy SourceFiles="$(DotNetHostBinDir)apphost.exe" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)apphost.exe')" />
<Copy SourceFiles="$(DotNetHostBinDir)singlefilehost.exe" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)singlefilehost.exe')" />
<Copy SourceFiles="$(DotNetHostBinDir)comhost.dll" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)comhost.dll')" />

<Exec Command="powershell.exe -NoProfile -NonInteractive -Command &quot;New-FileCatalog -Path '$(_CatStagingDir)' -CatalogFilePath '$(_CatalogFilePath)' -CatalogVersion 2&quot;" />

<ItemGroup>
<FilesToPackage Include="$(_CatalogFilePath)" />
</ItemGroup>
</Target>
</Project>
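Review bot: The three `Copy` tasks in `GenerateAppHostTemplateCatalog` are guarded by `Condition="Exists(...)"`, so a missing template is skipped silently and the target still emits and packages a catalog that covers fewer files than the comment promises. For an integrity artifact that should fail the build instead; dropping the condition, e.g. `<Copy SourceFiles="$(DotNetHostBinDir)apphost.exe" DestinationFolder="$(_CatStagingDir)" />`, makes `Copy` error out on a missing source, and if `comhost.dll` can legitimately be absent for some configuration the comment should say so. Separately, the `Exec` splices `$(_CatStagingDir)` and `$(_CatalogFilePath)` into single-quoted PowerShell strings, so a path containing an apostrophe would break the command. A `Test-FileCatalog` call after generation would catch an empty or mismatched catalog before it is signed.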