MicroBuild code signing (#821)

This backports changes made in the 2.2 build tools. This is anticipation of Arcade convergence. We already stopped using signrequest.xml in other parts of the stack. New tools replace this functionality.

* Backport implementation of Arcade code signing
* Remove sign request generation and validation
* Sign .Sources packages by default
* Use built-in dotnet-tool shim generation

Author: natemcmaster

Diff for: Directory.Build.props

@@ -12,8 +12,7 @@
     <GenerateSourceLinkFile>false</GenerateSourceLinkFile>
     <GenerateAssemblyFileVersionAttribute>false</GenerateAssemblyFileVersionAttribute>
     <EnableApiCheck>false</EnableApiCheck>
-    <!-- workaround https://github.com/aspnet/CoreCLR/issues/223 -->
-    <NoWarn>$(NoWarn);NU1603</NoWarn>
+    <NoWarn>$(NoWarn);NU5105</NoWarn>
     <Serviceable>false</Serviceable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <SuppressNETCoreSdkPreviewMessage>true</SuppressNETCoreSdkPreviewMessage>

Diff for: README.md

@@ -13,11 +13,11 @@ See [docs/README.md](./docs/README.md).
 
 Channel        | Latest Build
 ---------------|:---------------
-dev            | ![badge][dev-badge]
+master         | ![badge][master-badge]
 release/2.1    | ![badge][rel-2.1-badge]
 release/2.0    | ![badge][rel-2.0-badge]
 
-[dev-badge]: https://aspnetcore.blob.core.windows.net/buildtools/korebuild/channels/dev/badge.svg
+[master-badge]: https://aspnetcore.blob.core.windows.net/buildtools/korebuild/channels/master/badge.svg
 [rel-2.1-badge]: https://aspnetcore.blob.core.windows.net/buildtools/korebuild/channels/release/2.1/badge.svg
 [rel-2.0-badge]: https://aspnetcore.blob.core.windows.net/buildtools/korebuild/channels/release/2.0/badge.svg
 

Diff for: build/dependencies.props

@@ -1,8 +1,10 @@
 <Project>
   <PropertyGroup>
     <HtmlAgilityPackPackageVersion>1.5.1</HtmlAgilityPackPackageVersion>
+    <MicroBuildCorePackageVersion>0.3.0</MicroBuildCorePackageVersion>
     <MicrosoftDotNetPlatformAbstractionsVersion>2.0.0</MicrosoftDotNetPlatformAbstractionsVersion>
-    <MicrosoftNETTestSdkPackageVersion>15.6.1</MicrosoftNETTestSdkPackageVersion>
+    <MicrosoftDotNetSignToolPackageVersion>1.0.0-beta.18515.2</MicrosoftDotNetSignToolPackageVersion>
+    <MicrosoftNETTestSdkPackageVersion>15.9.0</MicrosoftNETTestSdkPackageVersion>
     <MicrosoftWin32RegistryPackageVersion>4.4.0</MicrosoftWin32RegistryPackageVersion>
     <MonoCecilPackageVersion>0.10.0-beta6</MonoCecilPackageVersion>
     <MoqPackageVersion>4.7.99</MoqPackageVersion>

Diff for: build/sources.props

@@ -5,9 +5,7 @@
     <RestoreSources>$(DotNetRestoreSources)</RestoreSources>
     <RestoreSources Condition="'$(DotNetBuildOffline)' != 'true'">
       $(RestoreSources);
-      https://dotnet.myget.org/F/dotnet-core/api/v3/index.json;
-      https://dotnet.myget.org/F/nuget-build/api/v3/index.json;
-      https://dotnet.myget.org/F/msbuild/api/v3/index.json;
+      https://dotnetfeed.blob.core.windows.net/dotnet-core/index.json;
       https://api.nuget.org/v3/index.json;
     </RestoreSources>
   </PropertyGroup>

Diff for: docs/Signing.md

@@ -1,27 +1,7 @@
 Signing
 =======
 
-KoreBuild supports generating a signing request manfiest. This includes a list of all files that should be signed
-and information about the strongname or certificate that should be used.
-
-## Format
-
-The signing request manifest supports three element types. A minimal example looks like this. See [Elements](#Elements) below for details
-
-```xml
-<SigningRequest>
-  <File Path="MyAssembly.dll" Certificate="MyCert" StrongName="MyStrongName" />
-  <File Path="build/Another.dll" Certificate="MyCert" />
-  <Container Path="MyLib.1.0.0.nupkg" Type="nupkg" Certificate="NuGetCert">
-    <File Path="lib/netstandard2.0/MyLib.dll" Certificate="MyCert" />
-  </Container>
-  <Container Path="MyVSTool.vsix" Type="vsix" Certificate="VsixCert">
-    <File Path="MyVSTool.dll" Certificate="MyCert" />
-    <!-- excluded from signing, but useful if you want to assert all files in a container are accounted for. -->
-    <ExcludedFile Path="NotMyLib.dll" />
-  </Container>
-</SigningRequest>
-```
+KoreBuild supports code signing files and using MSBuild to configure the list of files which are code-signed.
 
 ## Config via csproj
 
@@ -38,51 +18,38 @@ To sign assemblies, set the AssemblySigningCertName and AssemblySigningStrongNam
 </PropertyGroup>
 ```
 
-This will generate a signing request like this:
-
-```xml
-<SigningRequest>
-  <File Path="MyLib.dll" Certificate="MyCert" StrongName="PrivateStrongName" />
-</SigningRequest>
-```
-
 ### NuGet packages
 
 To sign NuGet packages, set the PackageSigningCertName property in the \*.csproj that produces the nupkg.
 
 ```xml
 <PropertyGroup>
-  <PackageSigningCertName>NuGetCert</PackageSigningCertName>
+  <PackageSigningCertName>MyNuGetCert</PackageSigningCertName>
 </PropertyGroup>
 ```
 
-This will generate a signing request like this:
-
-```xml
-<SigningRequest>
-  <Container Path="MyLib.1.0.0.nupkg" Type="nupkg" Certificate="NuGetCert" />
-</SigningRequest>
-```
-
 ### NuGet packages with assemblies
 
 For assemblies that ship in a NuGet package, you can specify multiple properties.
 
 ```xml
 <PropertyGroup>
   <AssemblySigningCertName>MyCert</AssemblySigningCertName>
-  <PackageSigningCertName>NuGetCert</PackageSigningCertName>
+  <PackageSigningCertName>MyNuGetCert</PackageSigningCertName>
 </PropertyGroup>
 ```
 
-This will generate a signing request like this:
+### Recommended cert names for Microsoft projects
+
+The following certificate names should be used for Microsoft projects. These MSBuild properties are also available by using Internal.AspNetCore.SDK.
 
 ```xml
-<SigningRequest>
-  <Container Path="MyLib.1.0.0.nupkg" Type="nupkg" Certificate="NuGetCert">
-    <File Path="lib/netstandard2.0/MyLib.dll" Certificate="MyCert" />
-  </Container>
-</SigningRequest>
+    <AssemblySigningCertName>Microsoft400</AssemblySigningCertName>
+    <AssemblySigning3rdPartyCertName>3PartySHA2</AssemblySigning3rdPartyCertName>
+    <PowerShellSigningCertName>Microsoft400</PowerShellSigningCertName>
+    <PackageSigningCertName>NuGet</PackageSigningCertName>
+    <VsixSigningCertName>VsixSHA2</VsixSigningCertName>
+    <JarSigningCertName>MicrosoftJAR</JarSigningCertName>
 ```
 
 ### Projects using nuspec
@@ -108,20 +75,24 @@ Sometimes other signable assemblies end up in a nupkg. Signing for these file ty
 
 ```xml
   <ItemGroup>
-    <!-- Files that come from other ASP.NET Core projects -->
-    <SignedPackageFile Include="$(PublishDir)Microsoft.Extensions.Configuration.Abstractions.dll" Certificate="$(AssemblySigningCertName)" PackagePath="tools/Microsoft.Extensions.Configuration.Abstractions.dll" Visible="false" />
+    <!-- Specifying signing for a file in a package. -->
+    <SignedPackageFile Include="tools/Microsoft.Extensions.Configuration.Abstractions.dll" Certificate="$(AssemblySigningCertName)" Visible="false" />
+
+    <!-- Specifying signing for a file in a package using an explicit path within the NuGet package. -->
+    <SignedPackageFile Include="$(OutputPath)$(TargetFileName)" Certificate="$(AssemblySigningCertName)"
+      PackagePath="tasks/net461/$(TargetFileName)" Visible="false" />
 
     <!-- Third-party cert -->
-    <SignedPackageFile Include="$(PublishDir)Newtonsoft.Json.dll" Certificate="3PartyDual" PackagePath="tools/Newtonsoft.Json.dll" Visible="false" />
+    <SignedPackageFile Include="tools/Newtonsoft.Json.dll" Certificate="3PartySHA2" Visible="false" />
 
     <!-- This should already be signed by the dotnet-core team -->
-    <ExcludePackageFileFromSigning Include="$(PublishDir)System.Runtime.CompilerServices.Unsafe.dll" PackagePath="tools/System.Runtime.CompilerServices.Unsafe.dll" Visible="false" />
+    <ExcludePackageFileFromSigning Include="tools/System.Runtime.CompilerServices.Unsafe.dll" />
   </ItemGroup>
 ```
 
 ### Disabling signing
 
-You can disable sign request generation on an MSBuild project by setting DisableCodeSigning.
+You can disable sign request generation on an MSBuild project by setting DisableCodeSigning, or for an entire repo (via repo.props).
 
 ```xml
 <PropertyGroup>
@@ -137,50 +108,9 @@ these elements to the `build/repo.props` file. (See also [KoreBuild.md](./KoreBu
 ```xml
 <!-- build/repo.props -->
 <ItemGroup>
-  <FilesToSign Include="$(ArtifactsDir)libuv.dll" Certificate="3PartyDual" />
+  <FilesToSign Include="$(ArtifactsDir)libuv.dll" Certificate="3PartySHA2" />
 
   <!-- Files can also be listed as "do not sign", for completeness -->
-  <FilesToExcludeFromSigning Include="$(ArtifactsDir)my.test.dll" Certificate="3PartyDual" />
+  <FilesToExcludeFromSigning Include="$(ArtifactsDir)my.test.dll" Certificate="3PartySHA2" />
 </ItemGroup>
 ```
-
-## Elements
-
-#### `SigningRequest`
-
-Root element. No options.
-
-#### `File`
-
-A file to be signed.
-
-**Path** - file path, relative to the file path. If nested in a `<Container>`, is relative to the organization within the container
-
-**Certificate** - the name of the certificate to use
-
-**StrongName** - for assemblies only. This is used to strong name assemblies that were delay signed in public.
-
-#### `Container`
-
-A container is an archive file, installer, or some kind of bundle that can be signed, or that has files that can be signed
-inside it. Nested elements can be added for `<File>` and `<ExcludedFile>`.
-
-**Path** - file path to the container
-
-**Certificate** - the name of the certificate to use
-
-**Type** - The type of the container. Instructs the consumer how to extract the container. Example values:
-
-  - zip
-  - tar.gz
-  - vsix
-  - nupkg
-  - msi
-
-#### `ExcludedFile`
-
-This is useful when you want to exclude files within a container from being signed, but want to assert that
-all files in a container are accounted for.
-
-**Path** - file path to a file to be ignored by the signing tool
-

Diff for: files/KoreBuild/KoreBuild.Common.props

@@ -39,6 +39,22 @@ Default layout and configuration.
     <BuildDir>$(ArtifactsDir)build\</BuildDir>
     <LogOutputDir>$(ArtifactsDir)logs\</LogOutputDir>
     <IntermediateDir>$([MSBuild]::NormalizeDirectory('$(RepositoryRoot)'))obj\</IntermediateDir>
+
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' ">$(NUGET_PACKAGES)</NuGetPackageRoot>
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' AND '$(USERPROFILE)' != '' ">$(USERPROFILE)\.nuget\packages\</NuGetPackageRoot>
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' AND '$(HOME)' != '' ">$(HOME)\.nuget\packages\</NuGetPackageRoot>
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' ">$(RepositoryRoot)\.nuget\packages\</NuGetPackageRoot>
+    <NuGetPackageRoot>$([MSBuild]::NormalizeDirectory('$(NuGetPackageRoot)'))</NuGetPackageRoot>
+  </PropertyGroup>
+
+  <!-- Code signing certificate names -->
+  <PropertyGroup Condition=" '$(DisableCodeSigning)' != 'true' ">
+    <AssemblySigningCertName>Microsoft400</AssemblySigningCertName>
+    <AssemblySigning3rdPartyCertName>3PartySHA2</AssemblySigning3rdPartyCertName>
+    <PowerShellSigningCertName>Microsoft400</PowerShellSigningCertName>
+    <PackageSigningCertName>NuGet</PackageSigningCertName>
+    <VsixSigningCertName>VsixSHA2</VsixSigningCertName>
+    <JarSigningCertName>MicrosoftJAR</JarSigningCertName>
   </PropertyGroup>
 
   <!-- Use build number from CI if available -->

Diff for: files/KoreBuild/KoreBuild.sh

@@ -26,6 +26,10 @@ set_korebuildsettings() {
 
     [ -z "${tools_source:-}" ] && tools_source="$default_tools_source"
 
+    # This is required for NuGet and MSBuild
+    if [[ -z "${HOME:-}" ]]; then
+        export HOME="$repo_path/.build/home"
+    fi
 
     if [ "$ci" = true ]; then
         export CI=true
@@ -40,15 +44,15 @@ set_korebuildsettings() {
         mkdir -p "$HOME"
         mkdir -p "$dot_net_home"
         if [[ -z "${NUGET_PACKAGES:-}" ]]; then
-            export NUGET_PACKAGES="$repo_path/.build/.nuget/packages"
+            export NUGET_PACKAGES="$repo_path/.nuget/packages"
         fi
     else
         if [[ -z "${NUGET_PACKAGES:-}" ]]; then
             export NUGET_PACKAGES="$HOME/.nuget/packages"
         fi
     fi
 
-    export DOTNET_ROOT="$DOTNET_HOME"
+    export DOTNET_ROOT="$dot_net_home"
 
     # Workaround perpetual issues in node reuse and custom task assemblies
     export MSBUILDDISABLENODEREUSE=1
@@ -123,6 +127,18 @@ __install_tools() {
 
     # Set environment variables
     export PATH="$install_dir:$PATH"
+
+    # This is a workaround for https://github.com/Microsoft/msbuild/issues/2914.
+    # Currently, the only way to configure the NuGetSdkResolver is with NuGet.config, which is not generally used in aspnet org projects.
+    # This project is restored so that it pre-populates the NuGet cache with SDK packages.
+    local restorerfile="$__korebuild_dir/modules/BundledPackages/BundledPackageRestorer.csproj"
+    local restorerfilelock="$NUGET_PACKAGES/internal.aspnetcore.sdk/$(__get_korebuild_version)/korebuild.sentinel"
+    if [[ -e "$restorerfile" ]] && [[ ! -e "$restorerfilelock" ]]; then
+        mkdir -p "$(dirname $restorerfilelock)"
+        touch "$restorerfilelock"
+        __exec dotnet msbuild -t:restore -v:q "$restorerfile"
+    fi
+    # end workaround
 }
 
 __show_version_info() {

Diff for: files/KoreBuild/modules/sharedsources/module.targets

@@ -26,15 +26,25 @@ that matches "$(RepositoryRoot)/shared/*.Sources".
       Properties="$(_SharedSourcesPackageProperties);NuspecBasePath=$([MSBuild]::NormalizeDirectory('%(SharedSourceDirectories.Identity)'));PackageId=%(FileName)%(Extension)"
       Condition="@(SharedSourceDirectories->Count()) != 0"
       BuildInParallel="true">
-      <Output TaskParameter="TargetOutputs" ItemName="ArtifactInfo" />
-      <Output TaskParameter="TargetOutputs" ItemName="FilesToExcludeFromSigning" Condition="'$(SignSourcesPackages)' != 'true'" />
-      <Output TaskParameter="TargetOutputs" ItemName="FilesToSign" Condition="'$(SignSourcesPackages)' == 'true'" />
+      <Output TaskParameter="TargetOutputs" ItemName="_SharedSrcPkgArtifactInfo" />
     </MSBuild>
+
+    <ItemGroup>
+      <ArtifactInfo Include="@(_SharedSrcPkgArtifactInfo)" />
+      <FilesToExcludeFromSigning Include="@(_SharedSrcPkgArtifactInfo)" Condition="'%(_SharedSrcPkgArtifactInfo.ShouldBeSigned)' != 'true' " />
+      <FilesToSign Include="@(_SharedSrcPkgArtifactInfo)" Condition="'%(_SharedSrcPkgArtifactInfo.ShouldBeSigned)' == 'true' " />
+    </ItemGroup>
   </Target>
 
   <Target Name="_SetSharedSourcesProperties">
     <PropertyGroup>
-      <_SharedSourcesPackageProperties>PackageOutputPath=$(BuildDir);RepositoryRoot=$(RepositoryRoot);ImportDirectoryBuildProps=false;BuildNumber=$(BuildNumber);</_SharedSourcesPackageProperties>
+      <_SharedSourcesPackageProperties>
+        PackageOutputPath=$(BuildDir);
+        RepositoryRoot=$(RepositoryRoot);
+        ImportDirectoryBuildProps=false;
+        BuildNumber=$(BuildNumber);
+        RepositoryCommit=$(RepositoryCommit)
+      </_SharedSourcesPackageProperties>
     </PropertyGroup>
   </Target>
 

Diff for: files/KoreBuild/modules/sharedsources/sharedsources.csproj

@@ -37,6 +37,13 @@
     <ContentTargetFolders>contentFiles</ContentTargetFolders>
     <DisableImplicitFrameworkReferences>true</DisableImplicitFrameworkReferences>
     <DefaultExcludeItems>$(DefaultExcludeItems);$(BaseOutputPath);$(BaseIntermediateOutputPath);</DefaultExcludeItems>
+    <!-- Suppress warnings about using semver 2.0 versions in packages -->
+    <NoWarn>$(NoWarn);NU5105</NoWarn>
+  </PropertyGroup>
+
+  <PropertyGroup Condition=" '$(DisableCodeSigning)' != 'true' ">
+    <!-- Only specify the package signing cert. Do not specify AssemblySigningCertName because .Sources packages should not have binaries. -->
+    <PackageSigningCertName>NuGet</PackageSigningCertName>
   </PropertyGroup>
 
   <ItemGroup Condition="'$(NuspecBasePath)'!=''">
@@ -73,7 +80,7 @@
         <Category>$(PackageArtifactCategory)</Category>
         <IsContainer>true</IsContainer>
         <Certificate>$(PackageSigningCertName)</Certificate>
-        <ShouldBeSigned Condition=" '$(PackageSigningCertName)' != '' ">true</ShouldBeSigned>
+        <ShouldBeSigned Condition=" '$(PackageSigningCertName)' != '' AND '$(DisableCodeSigning)' != 'true' ">true</ShouldBeSigned>
       </ArtifactInfo>
     </ItemGroup>
   </Target>