
Commita7193c8

hoyosjsmmitche
authored andcommitted
[release/3.1] Add signing infrastructure for diagnostic binaries
* Add DAC signing infrastructure
* Fix msbuild attrib in signing.props
* Update sign-diagnostic-files.yml to only kick in on release branches.
1 parent0b2e85b commita7193c8

3 files changed

+82
-4
lines changed


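--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -6,10 +6,6 @@
 <ItemsToSignInclude="$(BinDir)*.exe" />
 </ItemGroup>
 
-<ItemGroup>
-<FileSignInfoInclude="mscordaccore.dll"CertificateName="MicrosoftSHA2" />
-</ItemGroup>
-
 <ItemGroupCondition="'$(BuildArch)' == 'x86'">
 <!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK.-->
 <ItemsToSignCondition="'$(BuildType)'=='Release'"Include="$(BinDir)Redist\ucrt\DLLs\$(BuildArch)\api-ms-win-core-xstate-l2-1-0.dll" />
@@ -21,6 +17,15 @@
 <ItemsToSignInclude="$(BinDir)$(CrossTargetComponentFolder)/*.exe" />
 </ItemGroup>
 
+<ItemGroup>
+<!-- The DAC and the DBI must be signed separately.-->
+<ItemsToSignRemove="$(BinDir)/mscordaccore*.dll" />
+<ItemsToSignRemove="$(BinDir)$(CrossTargetComponentFolder)/mscordaccore*.dll" />
+<ItemsToSignRemove="$(BinDir)/mscordbi.dll" />
+<FileSignInfoInclude="mscordaccore.dll"CertificateName="None" />
+<FileSignInfoInclude="mscordbi.dll"CertificateName="None" />
+</ItemGroup>
+
 <TargetName="ValidateSignFileListIsNotEmpty"BeforeTargets="Sign">
 <ErrorCondition="'@(ItemsToSign)' == ''"Text="List of files to sign is empty" />
 <MessageImportance="High"Text="Attempting to sign %(ItemsToSign.Identity)" />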
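Review bot: The new ItemGroup removes the DAC from both `$(BinDir)` and `$(BinDir)$(CrossTargetComponentFolder)` (new lines 22–23) but removes `mscordbi.dll` only from `$(BinDir)` (new line 24), so if a cross-target mscordbi.dll is produced it would stay in ItemsToSign and go through the regular Arcade sign step, and it is not clear from the hunk whether the `CertificateName="None"` entry alone prevents that, given the DAC needed both the Remove and the FileSignInfo. If no cross-target DBI exists, a short comment would stop the asymmetry from reading as an omission: `<!-- mscordbi.dll is only built for the host arch; no cross-target entry needed. -->`; otherwise add `<ItemsToSign Remove="$(BinDir)$(CrossTargetComponentFolder)/mscordbi.dll" />`. Note also that the Remove patterns use a `/` separator while the Include on old line 6 writes `$(BinDir)*.exe` with none; MSBuild normally normalizes this, but the hunk does not let me confirm the Remove paths match what was included, which is what decides whether the DAC is really excluded from the default certificate.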

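--- a/eng/build-job.yml
+++ b/eng/build-job.yml
@@ -134,6 +134,11 @@ jobs:
 -powershell:eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0 /p:ArcadeBuild=true /p:OfficialBuild=true /p:BuildOS=$(osGroup) /p:BuildArch=$(archType) /p:BuildType=$(_BuildConfig) /p:DotNetSignType=$env:_SignType -projects $(Build.SourcesDirectory)\eng\empty.csproj
 displayName:Sign Binaries
 
+-template:/eng/sign-diagnostic-files.yml
+parameters:
+basePath:$(Build.SourcesDirectory)/bin/Product/$(osGroup).$(archType).$(_BuildConfig)
+timeoutInMinutes:30
+
 -task:PublishBuildArtifacts@1
 displayName:Publish Signing Logs
 inputs: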
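Review bot: The template call at new line 137 passes only basePath and timeoutInMinutes, so nothing ties the diagnostic signing step to the `$env:_SignType` that the preceding "Sign Binaries" step (line 134) honours; if I read the template's condition correctly, a test-signed build on a release branch would still submit the DAC and DBI for real signing. Either thread the sign type through as a template parameter and gate on it, or make the intent explicit with a comment above the step: `# Diagnostic binaries are always real-signed on release branches; _SignType only governs the Arcade sign step above.` The enclosing jobs list starts outside the hunk.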

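--- a/eng/sign-diagnostic-files.yml
+++ b/eng/sign-diagnostic-files.yml
@@ -0,0 +1,68 @@
+parameters:
+basePath:''
+timeoutInMinutes:''
+
+steps:
+-${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest'), or(startswith(variables['Build.SourceBranch'], 'refs/heads/release/'), startswith(variables['Build.SourceBranch'], 'refs/heads/internal/release/'))) }}:
+-task:EsrpCodeSigning@1
+displayName:Sign Diagnostic Binaries
+inputs:
+ConnectedServiceName:'dotnetesrp-diagnostics-dnceng'
+FolderPath:${{ parameters.basePath }}
+Pattern:|
+**/mscordaccore*.dll
+**/mscordbi*.dll
+UseMinimatch:true
+signConfigType:'inlineSignParams'
+inlineOperation:>-
+[
+{
+"keyCode": "CP-471322",
+"operationCode": "SigntoolSign",
+"parameters": {
+"OpusName": "Microsoft",
+"OpusInfo": "http://www.microsoft.com",
+"PageHash": "/NPH",
+"FileDigest": "/fd sha256",
+"TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+},
+"toolName": "sign",
+"toolVersion": "1.0"
+},
+{
+"KeyCode": "CP-471322",
+"OperationCode": "SigntoolVerify",
+"Parameters": {},
+"ToolName": "sign",
+"ToolVersion": "1.0"
+}
+]
+SessionTimeout:${{ parameters.timeoutInMinutes }}
+MaxConcurrency:'50'
+MaxRetryAttempts:'5'
+
+-powershell:|
+$filesToSign = $(Get-ChildItem -Recurse ${{ parameters.basePath }} -Include mscordaccore*.dll, mscordbi*.dll)
+foreach ($file in $filesToSign) {
+$signingCert = $(Get-AuthenticodeSignature $file).SignerCertificate
+if ($signingCert -eq $null)
+{
+throw "File $file does not contain a signature."
+}
+
+if ($signingCert.Subject -ne "CN=.NET DAC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" `
+-or $signingCert.Issuer -ne "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
+{
+throw "File $file not in expected trust chain."
+}
+
+$certEKU = $signingCert.Extensions.Where({ $_.Oid.FriendlyName -eq "Enhanced Key Usage" }) | Select -First 1
+
+if ($certEKU.EnhancedKeyUsages.Where({ $_.Value -eq "1.3.6.1.4.1.311.84.4.1" }).Count -ne 1)
+{
+throw "Signature for $file does not contain expected EKU."
+}
+
+Write-Host "$file is correctly signed."
+}
+displayName: Validate diagnostic signatures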
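Review bot: The validation script at new lines 45–67 only checks that `SignerCertificate` is non-null and never inspects the `Status` of the `Get-AuthenticodeSignature` result, so a file whose signature is present but no longer valid (for example a hash mismatch after a post-sign modification) would still pass the subject, issuer and EKU checks; capture the result and fail on anything but Valid: `$sig = Get-AuthenticodeSignature $file` / `if ($sig.Status -ne 'Valid') { throw "File $file has signature status $($sig.Status)." }` / `$signingCert = $sig.SignerCertificate`. The step also succeeds silently when `Get-ChildItem` matches nothing, so a wrong basePath or pattern would look like a pass; add `if (-not $filesToSign) { throw "No diagnostic binaries found under ${{ parameters.basePath }}." }` before the loop. Separately, the two inlineOperation entries use different key casing (`keyCode`/`operationCode`/`parameters`/`toolName` at lines 20–30 versus `KeyCode`/`OperationCode`/`Parameters`/`ToolName` at lines 33–37); even if the service accepts both, one spelling avoids the question. Indentation is not recoverable from this rendering, so I cannot confirm the validation step sits under the same release-branch condition as the signing task at line 6.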
