Enable signing in the VMR official pipeline

eng/pipelines/templates/jobs/vmr-build.yml

@@ -161,6 +161,13 @@ jobs:
   - name: runTestsTimeout
     value: 30
 
+  - ${{ if or(eq(parameters.useDevVersions, 'True'), eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}:
+    - name: _SignType
+      value: ''
+  - ${{ else }}:
+    - name: _SignType
+      value: real
+
   - ${{ if parameters.isBuiltFromVmr }}:
     - name: vmrPath
       value: $(Build.SourcesDirectory)
@@ -295,6 +302,12 @@ jobs:
         fi
       displayName: Setup Previously Source-Built SDK
 
+  - ${{ if and(eq(parameters.sign, 'True'), ne(parameters.buildSourceOnly, 'True'), eq(variables['System.TeamProject'], 'internal')) }}:
+    - template: ${{ variables['Build.SourcesDirectory'] }}/eng/common/core-templates/steps/install-microbuild.yml
+      parameters:
+        enableMicrobuild: true
+        enableMicrobuildForMacAndLinux: true
+
   - ${{ if eq(parameters.targetOS, 'windows') }}:
     # Node 20.x is a toolset dependency to build aspnetcore
     # Keep in sync with aspnetcore: https://github.com/dotnet/aspnetcore/blob/7d5309210d8f7bae8fa074da495e9d009d67f1b4/.azure/pipelines/ci.yml#L719-L722
@@ -305,7 +318,12 @@ jobs:
 
     - script: |
         set extraBuildArguments=
-        if /I '${{ parameters.sign }}'=='True' (if /I NOT '${{ parameters.buildSourceOnly }}'=='True' (set extraBuildArguments=%extraBuildArguments% -sign))
+
+        set signArgs=/p:ForceDryRunSigning=true
+        if /I '$(_SignType)'=='real' set signArgs=/p:DotNetSignType=real /p:TeamName=$(_TeamName)
+        if /I '$(_SignType)'=='test' set signArgs=/p:DotNetSignType=test /p:TeamName=$(_TeamName)
+        if /I '${{ parameters.sign }}'=='True' if /I NOT '${{ parameters.buildSourceOnly }}'=='True' set extraBuildArguments=%extraBuildArguments% -sign %signArgs%
+
         if /I '${{ parameters.useDevVersions }}'=='True' set extraBuildArguments=%extraBuildArguments% -dev
         set extraBuildProperties=
         if not [${{ parameters.buildPass }}]==[] set extraBuildProperties=%extraBuildProperties% /p:DotNetBuildPass=${{ parameters.buildPass }}
@@ -397,6 +415,12 @@ jobs:
 
         if [[ '${{ parameters.sign }}' == 'True' ]] && [[ '${{ parameters.buildSourceOnly }}' != 'True' ]]; then
           customBuildArgs="$customBuildArgs --sign"
+          if [[ '$(_SignType)' == 'real' ]] || [[ '$(_SignType)' == 'test' ]]; then
+            # Force dry run signing until https://github.com/dotnet/source-build/issues/4793 is resolved - https://github.com/dotnet/source-build/issues/4678
+            extraBuildProperties="$extraBuildProperties /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName) /p:ForceDryRunSigning=true"
+          else
+            extraBuildProperties="$extraBuildProperties /p:ForceDryRunSigning=true"
+          fi
         fi
 
         if [[ -n "${{ parameters.targetRid }}" ]]; then
@@ -511,6 +535,12 @@ jobs:
         displayName: Run Tests
         timeoutInMinutes: ${{ variables.runTestsTimeout }}
 
+  - ${{ if and(eq(parameters.sign, 'True'), ne(parameters.buildSourceOnly, 'True'), eq(variables['System.TeamProject'], 'internal')) }}:
+    - template: ${{ variables['Build.SourcesDirectory'] }}/eng/common/core-templates/steps/cleanup-microbuild.yml
+      parameters:
+        enableMicrobuild: true
+        enableMicrobuildForMacAndLinux: true
+
   - task: CopyFiles@2
     displayName: Prepare BuildLogs staging directory
     inputs:

eng/pipelines/templates/variables/vmr-build.yml

@@ -12,6 +12,9 @@ variables:
   - name: VmrBranch
     value: ${{ replace(replace(variables['Build.SourceBranch'], 'refs/heads/', ''), 'refs/pull/', '') }}
 
+- name: _TeamName
+  value: DotNetCore
+
 - name: defaultContainerOptions
   value: --privileged
 

src/SourceBuild/content/build.sh

@@ -131,11 +131,6 @@ while [[ $# > 0 ]]; do
       ;;
     -sign)
       properties+=( "/p:Sign=true" )
-      # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
-      # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
-      # and won't be the case for official builds until more of the real signing infra is functional.
-      # https://github.com/dotnet/source-build/issues/4678
-      properties+=( "/p:ForceDryRunSigning=true" )
       ;;
 
     # Source-only settings

src/SourceBuild/content/eng/build.ps1

@@ -68,11 +68,6 @@ if ($test) {
 
 if ($sign) {
   $arguments += "/p:Sign=true"
-  # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
-  # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
-  # and won't be the case for official builds until more of the real signing infra is functional.
-  # https://github.com/dotnet/source-build/issues/4678
-  $arguments +=  "/p:ForceDryRunSigning=true"
 }
 
 if ($buildRepoTests) {