Signing support for VMR builds

[mmitche]

Products that Microsoft ships must be signed, of course.

We sign in a number of ways today:

• Post-build signing (signing in staging). This includes
  • Signing of most binaries in 6.0
  • Signing and notarization of Mac binaries in staging (all versions)
  • Signing of Linux installers in staging (all versions)
• Signing in-build (7.0 and 8.0, plus some repos in 6.0)
• Signing the DAC during the runtime build.

Some of the multiple ways of post-build signing have been driven by technical limitations. Linux and Mac signing could not occur within the same infra as typical MIcrobuild signing infra.

We need to work on improving this for the 9.0 VMR builds.

Objectives

• Signing is simpler, and in alignment with the Vertical build philosophies. Few machines, if any. They may be on separate machines as required by infra limitations (e.g. must sign mac on a mac?)
• We still sign the DAC in build.
• We need not sign every build (aside from DAC, which is critical for debugging)
• Signing infra should be aligned across platforms. Right now we have 3-4 different technologies.

Depends On

• Design for signing in Unified Build #3933

Work Items

• Enable use of SignTool using .NET Core MSBuild arcade#14430
• Align SignTool MSBuild Usage on Windows with Current Execution Environment arcade#15046
• Enable signing on Mac and Linux machines arcade#14431
• Enable signing of .deb files using SignTool arcade#14432
• Enable signing of .rpm files using SignTool arcade#14433
• Enable signing and notarization of MacOS executables using SignTool arcade#14434
• Enable signing and notarization of .pkg files using SignTool arcade#14435
• Enable unpack/repack of .deb containers arcade#14436
• Enable unpack/repack of .rpm containers arcade#14437
• Enable unpack/repack of .pkg containers arcade#14438
• Enable signing in the VMR official pipeline #4062
• Enable signing for arcade repos in the VMR build #4064
• Ensure that repos that do not need to sign in the VMR (e.g. arcade) have empty ItemsToSign lists #4063
• Ensure that files from NuGet.Client (non-arcade repo) gets signed when building SDK #4065
• Enable signing at join points #4066
• Enable signing of DAC in VMR build #4067
• Enable signing validation on shipping VMR outputs #4068
• Unpack/repack support for signtool for Wix5 arcade#15078

T-Shirt Size: XL

[mmitche]

T-Shirt Size: XL

There is a lot to do here:

• Decide on a signing design (in-build after each repo builds, after-build?)
• Expand signing support to other platforms (may not be critical)

[mmitche]

https://microsoft-my.sharepoint.com/:w:/p/mmitche/ERcEQy4Xex9CpRyTiGx9HrkBqf4iGDjDjwSk98QsczcROw?e=I6sfYl contains the deisgn.

See the rough implementation plan in the doc for some more info, but it's important to recognize the independent tracks of work available here. This work is highly parallelizable. We can work on signtool support for different containers without actually being able to submit them for signing. Similarly, you can work on enabling signing infra in the vertical builds before you have the ability to sign all containers. The areas where there may be blocking issues are cases where support for unpacking a container requires running on a Mac or Linux machine, and we can't yet run SignTool on that machine.

[tkapin]

Matt is about to work on this, needs the aspnetcore build in the VMR as the prerequisite.