CI check signatures #382
Pull Request Overview
This PR addresses issues with signature verification after the latest Arcade update by fixing signature checks and enhancing the verification process in the CI pipeline.
- Updates artifact paths to use a subfolder "artifacts" for consistency in publishing.
- Introduces a new task (MicroBuildCodesignVerify@3) and a script step to verify signatures post-build.
- Adjusts build parameters by parameterizing build configuration and sign type.
Files not reviewed (4)
- eng/SignVerifyIgnore.txt: Language not supported
- eng/Signing.props: Language not supported
- src/redist/redist.csproj: Language not supported
- src/redist/targets/MacEntitlements/AddMacEntitlements.targets: Language not supported
Comments suppressed due to low confidence (1)
.vsts-ci.yml:147
- The flag for signing was changed from '--sign' to '-sign'. Confirm that this change is intentional, as it may break the expected behavior of the signing script.
+ -sign
<ItemGroup> | ||
<PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="$(MicrosoftVisualStudioEngMicroBuildCoreVersion)" /> | ||
</ItemGroup> | ||
<Target Name="AddMacEntitlements" | ||
BeforeTargets="SignFiles" | ||
AfterTargets="GenerateLayout"> |
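Review bot: on the AddMacEntitlements target, BeforeTargets="SignFiles" combined with AfterTargets="GenerateLayout" does not by itself guarantee that the target runs between the two. MSBuild runs a target once, at whichever hook fires first, so if SignFiles is ever scheduled before GenerateLayout has run, this target executes before the layout exists and is not repeated afterwards. If the layout is a hard prerequisite, consider DependsOnTargets="GenerateLayout" alongside BeforeTargets="SignFiles", and add an XML comment on the target stating the ordering requirement, since nothing in the element explains why the hooks matter.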
Important so that this runs before MicroBuild signing
eng/SignVerifyIgnore.txt Outdated
Needed for signing verification on windows
@@ -112,11 +111,16 @@ extends: | |||
inputs: | |||
sourceFolder: 'artifacts/packages/$(_BuildConfig)/Shipping/' | |||
contents: '*.msi' | |||
targetFolder: '$(Build.ArtifactStagingDirectory)' | |||
targetFolder: '$(Build.ArtifactStagingDirectory)\artifacts' |
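Review bot: the new targetFolder value '$(Build.ArtifactStagingDirectory)\artifacts' is a literal that the verification step's TargetFolders has to match exactly, and it uses a backslash where sourceFolder on the same task uses forward slashes. Defining the staging subfolder once as a pipeline variable and referencing it in both places would keep the copy and verify steps from drifting apart; if they drift, the verify step would scan a folder that does not contain the installers. Pick one separator style for the file as well.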
Added artifacts dir to isolate from other files when doing signing verification in the next step
- task: MicroBuildCodesignVerify@3 | ||
inputs: | ||
TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts' | ||
ExcludeSNVerify: true |
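Review bot: ExcludeSNVerify: true switches off part of the check without saying which part or why, and the question raised in this thread shows the input is not self-explanatory. Add a YAML comment above the input giving the reason it is excluded for these artifacts and a pointer to the task's documentation, so that a later edit does not widen the exclusion unknowingly. A short comment that TargetFolders should contain only files expected to be signed would also help whoever debugs a failure here.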
What does ExcludeSNVerify do? May you provide the link to where this task is documented, I couldn't find it on the web.
Thank you :)
Please see my comments below, but looks good!
6f834e0 into main
commit 2011e55
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Thu Apr 3 10:02:00 2025 -0700

    Windows: Remove version from .msi (#384)

commit cfc4641
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Thu Apr 3 10:01:48 2025 -0700

    Mac: Add rid to tar.gz artifacts (#383)

commit 6f834e0
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Mar 31 17:08:40 2025 -0700

    CI check signatures (#382)

    * Fix signing on Windows and macOS
    * Added signing verification steps to CI

commit 7ea9cf1
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date: Sat Mar 29 10:55:39 2025 -0700

    [main] Update dependencies from dotnet/arcade (#375)

commit edff54c
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Thu Mar 27 10:53:37 2025 -0700

    Update options (#380)

    * dry-run: Add option --preserve-vs-for-mac-sdks
    * Do not hide --version
    * Add version description string

commit b4be6e6
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Mar 24 15:37:22 2025 -0700

    Update help text (#376)

    Update help text

    ---------

    Co-authored-by: Noah Gilson <OTAKUPENGUINOP@GMAIL.COM>

commit 9fba2f3
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Mar 24 13:28:21 2025 -0700

    Windows: Detect arm64 correctly (#370)

commit 289b92f
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Thu Mar 20 11:06:51 2025 -0700

    Update ci workflow (#372)

commit 13d1cf7
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Wed Mar 19 14:35:24 2025 -0700

    macOS: Fix corrupted binary (#346)

    Add entitlements.plist

commit 4da3500
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date: Wed Mar 19 13:50:00 2025 -0700

    Update dependencies from https://github.com/dotnet/arcade build 20250314.6 (#343)

    Microsoft.DotNet.Arcade.Sdk
    From Version 10.0.0-beta.25157.1 -> To Version 10.0.0-beta.25164.6

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit 882aff1
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Fri Mar 14 13:42:02 2025 -0700

    Require enter on user input (#340)

commit 24bea7d
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date: Thu Mar 13 08:51:54 2025 -0700

    Update dependencies from https://github.com/dotnet/arcade build 20250307.1 (#336)

    Microsoft.DotNet.Arcade.Sdk
    From Version 10.0.0-beta.25126.4 -> To Version 10.0.0-beta.25157.1

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit e72b91f
Author: Marc Paine <marcpop@microsoft.com>
Date: Thu Mar 13 08:51:43 2025 -0700

    Update to AwesomeAssertions (#337)

    * Update to AwesomeAssertions
      Update the addreportable call
    * Remove unused using directive

commit 03c8952
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Wed Mar 5 12:18:25 2025 -0600

    Remove Visual Studio macOS checks (#318)

    * Remove checks for VSfM
    * Add --preserve-mac-vs-sdks flag
    * Update tests

commit b648857
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Tue Mar 4 16:55:10 2025 -0600

    Update CLI options and help text (#335)

    * Add target argument
    * Add TARGET argument
    * Add not for list by now
    * Update LocalizableStrings
    * Update --all description
    * Remove target from options (?)
    * Restore xlf translation
    * Show bundle types in <TARGET> argument
    * Update help link format
    * Restore CommandLine Arguments
    * Add --arm64 option
    * Fix archSelection.HasFlag

commit 9823503
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date: Mon Mar 3 11:36:05 2025 -0800

    [main] Update dependencies from dotnet/arcade (#327)

    * Update dependencies from https://github.com/dotnet/arcade build 20250206.4
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25106.4
    * Update dependencies from https://github.com/dotnet/arcade build 20250213.2
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25113.2
    * Update dependencies from https://github.com/dotnet/arcade build 20250220.6
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25120.6
    * Update dependencies from https://github.com/dotnet/arcade build 20250225.2
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25125.2
    * Update dependencies from https://github.com/dotnet/arcade build 20250226.4
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25126.4

    ---------

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit ea26b97
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Mar 3 12:31:19 2025 -0600

    Remove System.Reflection.Metadata (#334)

commit 275578e
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Mar 3 11:41:07 2025 -0600

    Remove Microsoft.Win32.Registry package (#333)

commit 2ac5028
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Fri Feb 28 13:14:49 2025 -0600

    Small refactorings (#331)

commit 2393ca9
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Tue Feb 25 16:51:31 2025 -0600

    Hide .xlf files in PRs (#330)

commit 62b46a0
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Tue Feb 25 13:58:14 2025 -0600

    Fix Windows Signing (#329)

    Add CreateLightCommandPackageDrop to generate wixpack.zip and sign

commit 06d1e0e
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Tue Feb 18 12:33:11 2025 -0600

    Sign macOS build (#323)

    * Sign on Mac
    * Fix typo on ArtifactName
    * Add TeamName variable
    * Add certificatename to binary
    * Update binary path
    * Update build command to include signing
    * Typos
    * Globb files to sign
    * Add proper certificate
    * Add proper certificate
    * MacDeveloperHarden
    * Add files separately
    * Change flags
    * Update certificate name
    * Update build parameters
    * Update cert name

commit 85f5414
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Feb 10 09:01:45 2025 -0800

    Remove unused signing target

    Add files to ItemsToSign
    Sign .msi file too
    Update `ItemsToSign`
    Update certificate name
    UseDotNetCertificate
    Add .msi certificatename

commit 8c89301
Author: MerlinBot <MerlinBot>
Date: Fri Feb 7 21:44:29 2025 +0000

    This pull request includes baselines **with an expiration date of 180 days from now** automatically generated for your 1ES PT-based pipelines. Complete this pull request as soon as possible to make sure that your pipeline becomes compliant. Longer delays in completing this PR can trigger additional emails or S360 alerts in the future.

    1ES PT Auto-baselining feature helps capture existing violations in your repo and ensures to break your pipeline only for newly introduced SDL violations after baselining. Running SDL tools in break mode is required for your pipeline to be compliant. Go to https://aka.ms/1espt-autobaselining for more details.

    **Please do not Abandon this PR.** Please reach out to 1ES PT for support. More details: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/support

commit 6a94223
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date: Wed Feb 5 14:33:46 2025 -0800

    [main] Update dependencies from dotnet/arcade (#316)

    * Update dependencies from https://github.com/dotnet/arcade build 20241222.1
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.24622.1
    * Update dependencies from https://github.com/dotnet/arcade build 20241226.1
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.24626.1
    * Update dependencies from https://github.com/dotnet/arcade build 20250103.3
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25053.3
    * Update dependencies from https://github.com/dotnet/arcade build 20250106.1
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25056.1
    * Update dependencies from https://github.com/dotnet/arcade build 20250111.1
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25061.1
    * Update dependencies from https://github.com/dotnet/arcade build 20250117.3
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25067.3
    * Update dependencies from https://github.com/dotnet/arcade build 20250126.1
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25076.1
    * Update dependencies from https://github.com/dotnet/arcade build 20250130.7
      Microsoft.DotNet.Arcade.Sdk
      From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25080.7

    ---------

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit 0cc67a3
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Feb 3 17:51:20 2025 -0600

    Refactor macOS build pipeline (#325)

    Use matrix strategy to avoid repeating code

commit 11995ad
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Fri Jan 31 11:43:31 2025 -0600

    macOS: Support building on Apple Silicon (#322)

    Update solution file, project file and ci/cd to support building for osx-arm64

commit aa40644
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Wed Jan 29 17:54:52 2025 -0600

    GetBundleVersion: Parse versions correctly to avoid duplicates or incomplete versions (#324)

commit 288db58
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon Jan 27 15:08:07 2025 -0600

    Identify macOS runtimes correctly (#321)

commit 802fef7
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Fri Jan 24 18:40:01 2025 -0600

    macOS: Show correct arm64 architecture (#320)
Signatures are not working properly after latest Arcade update.
This fixes the issues and adds an extra step for signature verification so that these are easier to debug in the future.
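
A fail-closed version of the kind of post-build signature check described above, as an added example that is not code from this PR or from MicroBuild. It runs on a Windows agent; the parameter names and the ignore-list format (one wildcard pattern per line, `#` for comments) are assumptions of this sketch.

```powershell
# Added example, not from the PR: fail-closed Authenticode check for a Windows agent.
# Parameter names and the ignore-list format (one wildcard pattern per line,
# '#' starts a comment) are assumptions of this sketch, not MicroBuild's format.
param(
    [Parameter(Mandatory)] [string] $TargetFolder,
    [string] $IgnoreListPath,
    [string[]] $Extensions = @('.msi', '.exe', '.dll')
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$root = (Resolve-Path -LiteralPath $TargetFolder).Path
$ignore = @()
if ($IgnoreListPath) {
    $ignore = @(Get-Content -LiteralPath $IgnoreListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })
}

$files = @(Get-ChildItem -LiteralPath $root -Recurse -File |
    Where-Object { $Extensions -contains $_.Extension })
# An empty or mistyped folder must fail the build, not pass vacuously.
if ($files.Count -eq 0) { throw "Nothing to verify under '$root'." }

$failures = @(foreach ($file in $files) {
    $relative = $file.FullName.Substring($root.Length).TrimStart('\', '/')
    if (@($ignore | Where-Object { $relative -like $_ }).Count -gt 0) {
        Write-Host "ignored by list: $relative"   # keep exclusions visible in the log
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ File = $relative; Problem = [string]$sig.Status }
    } elseif (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating when the cert expires.
        [pscustomobject]@{ File = $relative; Problem = 'NoTimestamp' }
    }
})

if ($failures.Count -gt 0) {
    $failures | Format-Table -AutoSize | Out-String | Write-Host
    throw "$($failures.Count) file(s) failed signature verification."
}
Write-Host "Signature check passed for files under '$root'."
```

Pointing `-TargetFolder` at the isolated staging subfolder keeps unrelated unsigned files out of the scan, and the empty-folder check catches a path mismatch between the copy step and the verify step.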