Add signing information to asset manifest (port #41889 and #42688)#43896
Add signing information to asset manifest (port #41889 and #42688)#43896mmitche merged 6 commits intodotnet:masterfrom
Conversation
|
@mmitche do you have the sample runs? |
Not yet. THat comment was from the previous PR. I'll do one tomorrow. |
|
Can we start some sample runs for this PR? I'd like to get this in ASAP if possible before I merge in my shared framework pr. |
|
Working on it...FYI if we want to maintain full signed builds then the entire stack needs to have PB signing turned on at once, which is currently blocked on net6.0 TFM changes in sdk right now. |
|
If you’re ok with not having full signed builds I’m ok with that. I just want all the work in dotnet/runtime done first so we don’t need to do additional work in our repo once the issues in the SDK are resolved. Basically I want the manifest work done before I merge my work in. |
|
https://dev.azure.com/dnceng/internal/_build/results?buildId=878258&view=results has the last PBSign=true (off this branch), should run pbsigning. |
|
@hoyosjs once we have the sample run completed, can you validate? I'd like to get this merged in as soon as possible once we've validated that the manifest/signing is good. |
yes, sounds good |
|
@jkoritzinsky @hoyosjs Everything looks good here except for one thing. In the baseline build some of the Because this FileSignInfo is under the SignBinaries target, if we sign the dac outside of the SignBinaries phase (as appears to be the case in the baseline for Linux), it would get the default dll signature (Microsof400). But the rest get MicrosoftSHA2. Which is correct here? |
|
@mmitche Baseline as in before |
|
Yeah, I did a PBSign=true with this change, and compared against the official build of the baseline sha. It's only the DAC, for the reasons above. Note that this doesn't affect RTM (I spot checked some packages there), because I removed the targets and hoisted https://github.com/dotnet/runtime/blob/release/5.0/eng/Signing.props#L39 out. |
| AzureDevOpsCollectionUri="$(SYSTEM_TEAMFOUNDATIONCOLLECTIONURI)" | ||
| AzureDevOpsProject="$(SYSTEM_TEAMPROJECT)" | ||
| AzureDevOpsBuildId="$(BUILD_BUILDID)" | ||
| ItemsToSign="@(ItemsToSignPostBuild)" |
There was a problem hiding this comment.
I didn't know specifying a parameter to a task twice was valid MSBuild. TIL
There was a problem hiding this comment.
Which one do you see as duplicated?
There was a problem hiding this comment.
Ah, not at all. I was like he ran this and it passed. Just some behavior I didn't know worked. But they are different. There's ItemsToPush and ItemsToSign.
| <DownloadedSymbolPackages Include="$(DownloadDirectory)**\*.symbols.nupkg" /> | ||
| <DownloadedSymbolPackagesWithoutPaths Include="@(DownloadedSymbolPackages->'%(Filename)%(Extension)')" /> | ||
| <!-- https://github.com/dotnet/arcade/issues/6192 --> | ||
| <!-- <FileSignInfo Include="@(DownloadedSymbolPackagesWithoutPaths->Distinct())" CertificateName="None" /> --> |
There was a problem hiding this comment.
This was fixed. Can we try uncommenting this line?
| <FileSignInfo Include="Mono.Cecil.Pdb.dll" CertificateName="3PartySHA2" /> | ||
| <FileSignInfo Include="Mono.Cecil.Rocks.dll" CertificateName="3PartySHA2" /> | ||
|
|
||
| <FileSignInfo Include="mscordaccore.dll" CertificateName="MicrosoftSHA2" /> |
There was a problem hiding this comment.
I think we hit interesting behavior of signtool here. This says the short name dac signs with sha2, but the long name is microsoft400.
There was a problem hiding this comment.
Signtool seems to match on exact name and extension. This code would need to explicitly handle the long name DAC by either calculating the name or globbing it.
There was a problem hiding this comment.
Yes, the match for FileSignInfo is the name without path. I had tried at some point to glob the mscordaccore produced and then take the file name. This won't work when signing in packages which is what we want. For that we'd probably need the versioning target to have run and then add something ugly like:
<FileSignInfo Include="mscordaccore.dll" CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_x86_x86_$(FileVersion).dll CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_x86_arm_$(FileVersion).dll CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_x64_x64_$(FileVersion).dll CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_x64_arm64_$(FileVersion).dll CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_arm_arm_$(FileVersion).dll CertificateName="MicrosoftSHA2" />
+ <FileSignInfo Include="mscordaccore_arm64_arm64_$(FileVersion).dll CertificateName="MicrosoftSHA2" />The interesting behavior I thought I was going to see was that the file contents are the same, but the names were different. One suggested signing with 400, the other with SHA2. I thought SignTool uses the hash of the content to only sign things once, so I was unsure which one it'd pick. However, but it looks like it uses name and hash so this isn't a concern. It just means the long name has always been signed using 400 since 3.1.
There was a problem hiding this comment.
Signtool uses hash of content + name. So if you have foo.nupkg and foo.symbols.nupkg and they happen to be identical you can make different signing decisions. This is by design.
| </Choose> | ||
|
|
||
| <ItemGroup> | ||
| <ItemsToSign Update="@(ItemsToSign)" Authenticode="$(CertificateId)" /> |
There was a problem hiding this comment.
I actually don't think that does anything at all unless calling the Microbuild targets directly. I'll remove this and see what happens.
There was a problem hiding this comment.
Yeah, SignTool itself doesn't read this property, but it would be have been read by the Microbuild targets at one point.
|
https://dev.azure.com/dnceng/internal/_build/results?buildId=880901&view=results - Post build signing |
|
I did a quick spot check. And as you said, the only weird case is the long name DAC for PBSign=false. For PBSign=true I can see that the cross-bit DAC (you can find them in the runtime pack under |
|
@hoyosjs Looks like not included here: https://github.com/dotnet/runtime/pull/43896/files#diff-a923a7746e08ef5df4bfd49f340d9f93055d66ba792770a7e1c227b3eaf3d4efR164 I think I fixed it. I also removed the original itemgroup to make it a little more clear. |
|
@hoyosjs I spot checked the cross dacs and I think they look signed now. |
|
Newest build with no PBSign: https://dev.azure.com/dnceng/internal/_build/results?buildId=882618&view=results |
|
@mmitche everything looks good. Now in PB sign I see that the long name DAC is 400 signed. Not any concerns for now, it mimics behavior that already existed in master. |
|
@hoyosjs I'll port that one tweak for PBSign to release/5.0 |
ghost
locked as resolved and limited conversation to collaborators
4 participants
Addresses the other part of dotnet/core-eng#10459 (first addressed in WindowsDesktop here dotnet/windowsdesktop#1039).
Validated that this works and is properly producing the manifest in this build. The manifest now contains signing information which will be consumed by the release pipeline.
Also change over to using 2019 Pool for the leg.