Signing support for VMR builds

[mmitche]

Products that Microsoft ships must be signed, of course.

We sign in a number of ways today:

• Post-build signing (signing in staging). This includes
  • Signing of most binaries in 6.0
  • Signing and notarization of Mac binaries in staging (all versions)
  • Signing of Linux installers in staging (all versions)
• Signing in-build (7.0 and 8.0, plus some repos in 6.0)
• Signing the DAC during the runtime build.

Some of the multiple ways of post-build signing have been driven by technical limitations. Linux and Mac signing could not occur within the same infra as typical MIcrobuild signing infra.

We need to work on improving this for the 9.0 VMR builds.

Objectives

• Signing is simpler, and in alignment with the Vertical build philosophies. Few machines, if any. They may be on separate machines as required by infra limitations (e.g. must sign mac on a mac?)
• We still sign the DAC in build.
• We need not sign every build (aside from DAC, which is critical for debugging)
• Signing infra should be aligned across platforms. Right now we have 3-4 different technologies.

Depends On

• Design for signing in Unified Build #3933

Work Items

• Enable use of SignTool using .NET Core MSBuild arcade#14430
• Align SignTool MSBuild Usage on Windows with Current Execution Environment arcade#15046
• Enable signing on Mac and Linux machines arcade#14431
• Enable arcade -sign functionality across arcade-validation builds arcade#15181
• Signing Validation Failing for Non-Windows Artifacts due to Strong-Name Signing arcade#15117
• Enable signing of .deb files using SignTool arcade#14432
• Enable signing of .rpm files using SignTool arcade#14433
• Enable signing and notarization of MacOS executables using SignTool arcade#14434
• Enable signing and notarization of .pkg files using SignTool arcade#14435
• Enable unpack/repack of .deb containers arcade#14436
• Enable unpack/repack of .rpm containers arcade#14437
• Enable unpack/repack of .pkg containers arcade#14438
• Enable unpack/repack of .tar.gz containers arcade#15132
• Enable signing in the VMR official pipeline #4062
• Enable signing for arcade repos in the VMR build #4064
• Ensure that repos that do not need to sign in the VMR (e.g. arcade) have empty ItemsToSign lists #4063
• Ensure that files from NuGet.Client (non-arcade repo) gets signed when building SDK #4065
• Enable signing at join points #4066
• Enable signing of DAC in VMR build #4067
• Enable signing validation on shipping VMR outputs #4068
• Enable arcade -sign functionality in runtime runtime#108605
• Replace the FPM-based RPM package building tooling with our own tooling arcade#15143
• Enable arcade -sign functionality across aspnetcore's build aspnetcore#58445
• Remove ForceDryRunSigning=true #4678
• Compare VMR Signed Artifacts to MSFT Signed Artifacts arcade#15192
• Default to not sign source-build VMR legs #4685
• SignTool should not attempt to sign 0 length files arcade#15001
• Investigate checksum diff between original and repacked .pkg files arcade#15219
• Add -sign action to build script fsharp#18011

T-Shirt Size: XL

[mmitche]

T-Shirt Size: XL

There is a lot to do here:

• Decide on a signing design (in-build after each repo builds, after-build?)
• Expand signing support to other platforms (may not be critical)