Fix signing for aspire-managed bundle payload #15990

Open: mitchdenny wants to merge 3 commits into main from fix/aspire-managed-signing

Conversation

mitchdenny (Member) commented Apr 9, 2026

Fixes #15989

Description

Fix the CLI bundle signing gap where aspire-managed.exe could miss the same signing path as aspire.exe.

Root cause: the managed bundle payload is published earlier via eng/Bundle.proj, while the later native CLI build receives the usual signing properties. On top of that, eng/Signing.props only registered aspire.exe/aspire, so the bundle could preserve an unsigned aspire-managed.exe.

Changes

  • register aspire-managed.exe / aspire-managed in eng/Signing.props
  • forward signing-related MSBuild properties through eng/Bundle.proj so the managed payload publish participates in the same signing flow
  • pass the same sign/property plumbing through the local build.ps1 / build.sh --bundle path
  • add a Windows pipeline validation step in BuildAndTest.yml that fails if the produced bundle payload contains an unsigned aspire-managed.exe

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

Ensure the managed bundle payload participates in the same signing flow as aspire.exe by forwarding signing properties through Bundle.proj, registering aspire-managed for signing, and adding a CI verification step for the Windows bundle payload.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 9, 2026 01:50
github-actions bot (Contributor) commented Apr 9, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

```bash
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15990
```

Or run remotely in PowerShell:

```powershell
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15990"
```

Copilot AI (Contributor) left a comment

Pull request overview

This PR closes a signing gap in the Aspire CLI bundle flow by ensuring the aspire-managed payload participates in the same signing pipeline as the native CLI, and by adding CI validation to prevent unsigned payloads from slipping into the bundle.

Changes:

  • Register aspire-managed binaries for signing in eng/Signing.props.
  • Plumb CI/signing MSBuild properties through eng/Bundle.proj (and local build scripts) so the managed publish step receives signing configuration.
  • Add a Windows CI check that validates aspire-managed.exe is signed after publishing the bundle payload.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

| File | Description |
| --- | --- |
| eng/Signing.props | Adds aspire-managed to the list of files eligible for signing across OSes. |
| eng/Bundle.proj | Forwards CI/signing/version properties into dotnet publish invocations so the managed payload publish can be signed. |
| eng/build.sh | Passes signing/MSBuild property args through to Bundle.proj when --bundle is used. |
| eng/build.ps1 | Passes signing/MSBuild property args through to Bundle.proj when -bundle is used. |
| eng/pipelines/templates/BuildAndTest.yml | Adds signing/property args to the bundle payload build and introduces a signature validation step on Windows. |
| eng/pipelines/templates/build_sign_native.yml | Adds extraBuildArgs passthrough to the bundle payload build step. |


```yaml
Write-Host "✅ aspire-managed.exe signature status: $($signature.Status)"
displayName: 🟣Verify managed bundle signature (${{ targetRid }})
condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['_SignType'], 'real', 'test'), startsWith('${{ targetRid }}', 'win-'))
```

Copilot AI commented Apr 9, 2026

The signature verification step is likely to run on PR builds where signing is disabled (e.g., _Sign is false and _SignArgs is empty). In that case aspire-managed.exe will legitimately be unsigned and this step will fail the pipeline. Update the condition to also require that signing is actually enabled (for example by checking variables['_Sign'] or that _SignArgs is non-empty).

Suggested change:

```diff
- condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), in(variables['_SignType'], 'real', 'test'), startsWith('${{ targetRid }}', 'win-'))
+ condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['_Sign'], 'true'), in(variables['_SignType'], 'real', 'test'), startsWith('${{ targetRid }}', 'win-'))
```
Comment on lines +68 to +69:

```powershell
if ($signature.Status -eq [System.Management.Automation.SignatureStatus]::NotSigned) {
Write-Host "##[error]aspire-managed.exe is not signed: $managedPath"
```

Copilot AI commented Apr 9, 2026

Get-AuthenticodeSignature can return statuses other than NotSigned (e.g., HashMismatch, NotTrusted, UnknownError). The current check only fails on NotSigned, so an invalid or broken signature could still pass. Consider failing unless the status is Valid (or explicitly allow only the statuses you consider acceptable).

Suggested change:

```diff
- if ($signature.Status -eq [System.Management.Automation.SignatureStatus]::NotSigned) {
-     Write-Host "##[error]aspire-managed.exe is not signed: $managedPath"
+ if ($signature.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
+     Write-Host "##[error]aspire-managed.exe has an invalid signature status '$($signature.Status)': $managedPath"
```
JamesNK (Member) commented Apr 9, 2026

How can we add an automated test to verify they're signed? What about an E2E console test that runs tooling to check the executables' signing status?

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
davidfowl (Contributor) commented

E2E tests don’t run on the signed builds. Let’s talk about making that possible first (adding a pipeline that tests the fully signed internally built bits).

Manual verification is fine for now.

mitchdenny (Member, Author) commented

We only sign on the AzDO pipelines side of the fence, so feeding signed bits from that side into the GitHub Actions side, where the E2E CLI tests are, is going to be challenging.

Gate the new bundle signature validation on signing actually being enabled and allow the expected test-signing status while still rejecting missing or broken signatures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mitchdenny (Member, Author) commented Apr 9, 2026

Addressed the remaining actionable feedback in eb4d202:

  • the new bundle signature validation now only runs when signing is actually enabled (_Sign == true)
  • it accepts the expected test-signing state (Valid or NotTrusted) while still rejecting missing/broken signatures
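
The gate described in this thread, as an added stand-alone example rather than the script from the PR or the aspire repository: it skips when signing is disabled (the `_Sign` variable, as Copilot's first comment suggested), accepts `Valid` and `NotTrusted` (the test-signing state named above), and treats every other `Get-AuthenticodeSignature` status, including `NotSigned`, `HashMismatch` and `UnknownError`, as a failure. It goes one step beyond the PR's single-file check by walking every `.exe`/`.dll` under the payload directory and by failing when the directory contains no binaries at all, so a missing payload cannot pass silently. The `-PayloadDirectory` parameter, the `Test-PayloadSignatures` function and the use of `$env:_Sign` as the default for `-SignEnabled` are assumptions of this example, not names from the project.

```powershell
# Added example, not code from the aspire repository.
# Verifies Authenticode signatures of every .exe/.dll in a bundle payload directory.
param(
    # Assumed parameter: the directory the bundle payload was published to.
    [Parameter(Mandatory = $true)]
    [string] $PayloadDirectory,

    # Mirrors the pipeline's _Sign variable (assumed to be surfaced as an env var).
    # When signing is disabled the gate is skipped so unsigned PR builds do not fail.
    [string] $SignEnabled = $env:_Sign,

    # Statuses that count as "signed". NotTrusted is accepted because test-signing
    # certificates are not chained to a trusted root on the build agent.
    [System.Management.Automation.SignatureStatus[]] $AcceptedStatuses = @('Valid', 'NotTrusted')
)

function Test-PayloadSignatures {
    param(
        [string] $Directory,
        [System.Management.Automation.SignatureStatus[]] $Accepted
    )

    $files = @(Get-ChildItem -Path $Directory -Recurse -Include '*.exe', '*.dll' -File)
    if ($files.Count -eq 0) {
        # An empty payload would otherwise "pass"; treat it as a failure of the gate itself.
        return @([pscustomobject]@{ Path = $Directory; Status = 'NoBinariesFound'; Detail = 'no .exe/.dll files under payload directory' })
    }

    $failures = @()
    foreach ($file in $files) {
        $signature = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($Accepted -contains $signature.Status) {
            Write-Host "OK   $($file.FullName): $($signature.Status)"
        }
        else {
            # NotSigned, HashMismatch, NotTrusted (if not accepted), UnknownError, ... all land here.
            $failures += [pscustomobject]@{
                Path   = $file.FullName
                Status = $signature.Status
                Detail = $signature.StatusMessage
            }
        }
    }
    return $failures
}

if ($SignEnabled -ne 'true') {
    Write-Host "Signing is not enabled (_Sign='$SignEnabled'); skipping signature verification."
    exit 0
}

$failures = @(Test-PayloadSignatures -Directory $PayloadDirectory -Accepted $AcceptedStatuses)
if ($failures.Count -gt 0) {
    foreach ($f in $failures) {
        # ##[error] is the Azure Pipelines logging command the PR's own step uses.
        Write-Host "##[error]$($f.Path) has signature status '$($f.Status)': $($f.Detail)"
    }
    exit 1
}
Write-Host "All payload binaries under $PayloadDirectory carry an acceptable signature."
```

In a pipeline this would be a `pwsh:` step after the bundle payload build, with a `condition:` that also requires `eq(variables['_Sign'], 'true')` so the step is not even scheduled on unsigned builds; the in-script check is kept as a second line of defence for local runs.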

github-actions bot (Contributor) commented Apr 9, 2026

🎬 CLI E2E Test Recordings — 56 recordings uploaded (commit eb4d202)

Recordings:

  • AddPackageInteractiveWhileAppHostRunningDetached
  • AddPackageWhileAppHostRunningDetached
  • AgentCommands_AllHelpOutputs_AreCorrect
  • AgentInitCommand_DefaultSelection_InstallsSkillOnly
  • AgentInitCommand_MigratesDeprecatedConfig
  • AllPublishMethodsBuildDockerImages
  • AspireAddPackageVersionToDirectoryPackagesProps
  • AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps
  • Banner_DisplayedOnFirstRun
  • Banner_DisplayedWithExplicitFlag
  • Banner_NotDisplayedWithNoLogoFlag
  • CertificatesClean_RemovesCertificates
  • CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate
  • CertificatesTrust_WithUntrustedCert_TrustsCertificate
  • ConfigSetGet_CreatesNestedJsonFormat
  • CreateAndRunAspireStarterProject
  • CreateAndRunAspireStarterProjectWithBundle
  • CreateAndRunEmptyAppHostProject
  • CreateAndRunJavaEmptyAppHostProject
  • CreateAndRunJsReactProject
  • CreateAndRunPythonReactProject
  • CreateAndRunTypeScriptEmptyAppHostProject
  • CreateAndRunTypeScriptStarterProject
  • CreateJavaAppHostWithViteApp
  • CreateStartAndStopAspireProject
  • CreateTypeScriptAppHostWithViteApp
  • DashboardRunWithOtelTracesReturnsNoTraces
  • DescribeCommandResolvesReplicaNames
  • DescribeCommandShowsRunningResources
  • DetachFormatJsonProducesValidJson
  • DoctorCommand_DetectsDeprecatedAgentConfig
  • DoctorCommand_WithSslCertDir_ShowsTrusted
  • DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted
  • GlobalMigration_HandlesCommentsAndTrailingCommas
  • GlobalMigration_HandlesMalformedLegacyJson
  • GlobalMigration_PreservesAllValueTypes
  • GlobalMigration_SkipsWhenNewConfigExists
  • GlobalSettings_MigratedFromLegacyFormat
  • InvalidAppHostPathWithComments_IsHealedOnRun
  • LegacySettingsMigration_AdjustsRelativeAppHostPath
  • LogsCommandShowsResourceLogs
  • PsCommandListsRunningAppHost
  • PsFormatJsonOutputsOnlyJsonToStdout
  • PublishWithDockerComposeServiceCallbackSucceeds
  • RestoreGeneratesSdkFiles
  • RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes
  • RunFromParentDirectory_UsesExistingConfigNearAppHost
  • RunWithMissingAwaitShowsHelpfulError
  • SecretCrudOnDotNetAppHost
  • SecretCrudOnTypeScriptAppHost
  • StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels
  • StopAllAppHostsFromAppHostDirectory
  • StopAllAppHostsFromUnrelatedDirectory
  • StopNonInteractiveMultipleAppHostsShowsError
  • StopNonInteractiveSingleAppHost
  • StopWithNoRunningAppHostExitsSuccessfully

📹 Recordings uploaded automatically from CI run #24170081536

```yaml
/bl:${{ parameters.repoLogPath }}/BundlePayload-${{ targetRid }}.binlog
displayName: 🟣Build bundle payload (${{ targetRid }})

- pwsh: |
```

Member commented:

Why are we trying to verify the signed status of the aspire-managed.exe, but not any other files? Seems odd that we'd do that here.

Development

Successfully merging this pull request may close these issues.

aspire-managed.exe is not digitally signed

5 participants