
Code sign all packages in a single batch (#3778)

Changes:
* Sign shared fx zips
* Sign metapackages
* Disable signing on inner repo builds and instead sign all packages at the end
* Add a list of files from other Microsoft teams which can be excluded from signing
* Add a list of 3rd party assemblies which are bundled in the shared frameworks.
Nate McMaster 7 жил өмнө
parent
commit
569016c2c5

+ 278 - 0
build/CodeSign.props

@@ -0,0 +1,278 @@
+<Project>
+
+  <ItemGroup>
+    <!-- Third-party components in Microsoft.AspNetCore.All/App which should be signed.  -->
+    <FilesToSign Include="e_sqlite3.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="MessagePack.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="Newtonsoft.Json.Bson.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="Newtonsoft.Json.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.App" />
+    <FilesToSign Include="Remotion.Linq.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.App" />
+    <FilesToSign Include="SQLitePCLRaw.batteries_green.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="SQLitePCLRaw.batteries_v2.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="SQLitePCLRaw.core.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="SQLitePCLRaw.provider.e_sqlite3.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="StackExchange.Redis.StrongName.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.All" />
+    <FilesToSign Include="System.Interactive.Async.dll" Certificate="$(AssemblySigning3rdPartyCertName)" Container="Microsoft.AspNetCore.App" />
+
+    <!-- These files came from the aspnet/Extensions build and should already be signed. -->
+    <FilesToExcludeFromSigning Include="Microsoft.Extensions.DiagnosticAdapter.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Extensions.ObjectPool.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Extensions.Primitives.dll" />
+
+    <!-- These files should already be signed already by a different leg of the build. They have to be listed again here because we recreate a redistributable which binaries built in other repos. -->
+    <FilesToExcludeFromSigning Include="libuv.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.AI.DependencyCollector.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.ApplicationInsights.AspNetCore.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.ApplicationInsights.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Azure.KeyVault.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Azure.KeyVault.WebKey.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Azure.Services.AppAuthentication.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Data.Edm.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Data.Edm.resources.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Data.OData.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Data.OData.resources.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Clients.ActiveDirectory.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.JsonWebTokens.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Logging.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Protocols.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Protocols.OpenIdConnect.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Protocols.WsFederation.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Tokens.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Tokens.Saml.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.IdentityModel.Xml.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Rest.ClientRuntime.Azure.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Rest.ClientRuntime.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.WindowsAzure.Storage.dll" />
+
+    <!-- These files should already be signed by the .NET Core team. They have to be listed again here because we recreate a redistributable which includes the Microsoft.NETCore.App runtime. -->
+    <FilesToExcludeFromSigning Include="api-ms-win-core-console-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-datetime-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-debug-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-errorhandling-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-file-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-file-l1-2-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-file-l2-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-handle-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-heap-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-interlocked-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-libraryloader-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-localization-l1-2-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-memory-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-namedpipe-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-processenvironment-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-processthreads-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-processthreads-l1-1-1.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-profile-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-rtlsupport-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-string-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-synch-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-synch-l1-2-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-sysinfo-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-timezone-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-core-util-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-conio-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-convert-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-environment-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-filesystem-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-heap-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-locale-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-math-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-multibyte-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-private-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-process-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-runtime-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-stdio-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-string-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-time-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="api-ms-win-crt-utility-l1-1-0.dll" />
+    <FilesToExcludeFromSigning Include="clrcompression.dll" />
+    <FilesToExcludeFromSigning Include="clretwrc.dll" />
+    <FilesToExcludeFromSigning Include="clrjit.dll" />
+    <FilesToExcludeFromSigning Include="coreclr.dll" />
+    <FilesToExcludeFromSigning Include="dbgshim.dll" />
+    <FilesToExcludeFromSigning Include="dotnet.exe" />
+    <FilesToExcludeFromSigning Include="hostfxr.dll" />
+    <FilesToExcludeFromSigning Include="hostpolicy.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.CSharp.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.DiaSymReader.Native.amd64.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.DotNet.PlatformAbstractions.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Extensions.DependencyModel.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Extensions.PlatformAbstractions.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.VisualBasic.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Win32.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="Microsoft.Win32.Registry.dll" />
+    <FilesToExcludeFromSigning Include="mscordaccore_amd64_amd64_4.6.27023.02.dll" />
+    <FilesToExcludeFromSigning Include="mscordaccore.dll" />
+    <FilesToExcludeFromSigning Include="mscordbi.dll" />
+    <FilesToExcludeFromSigning Include="mscorlib.dll" />
+    <FilesToExcludeFromSigning Include="mscorrc.debug.dll" />
+    <FilesToExcludeFromSigning Include="mscorrc.dll" />
+    <FilesToExcludeFromSigning Include="netstandard.dll" />
+    <FilesToExcludeFromSigning Include="sos_amd64_amd64_4.6.27023.02.dll" />
+    <FilesToExcludeFromSigning Include="sos.dll" />
+    <FilesToExcludeFromSigning Include="SOS.NETCore.dll" />
+    <FilesToExcludeFromSigning Include="System.AppContext.dll" />
+    <FilesToExcludeFromSigning Include="System.Buffers.dll" />
+    <FilesToExcludeFromSigning Include="System.Collections.Concurrent.dll" />
+    <FilesToExcludeFromSigning Include="System.Collections.dll" />
+    <FilesToExcludeFromSigning Include="System.Collections.Immutable.dll" />
+    <FilesToExcludeFromSigning Include="System.Collections.NonGeneric.dll" />
+    <FilesToExcludeFromSigning Include="System.Collections.Specialized.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.Annotations.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.DataAnnotations.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.EventBasedAsync.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.ComponentModel.TypeConverter.dll" />
+    <FilesToExcludeFromSigning Include="System.Configuration.dll" />
+    <FilesToExcludeFromSigning Include="System.Console.dll" />
+    <FilesToExcludeFromSigning Include="System.Core.dll" />
+    <FilesToExcludeFromSigning Include="System.Data.Common.dll" />
+    <FilesToExcludeFromSigning Include="System.Data.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.Contracts.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.Debug.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.DiagnosticSource.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.FileVersionInfo.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.Process.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.StackTrace.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.TextWriterTraceListener.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.Tools.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.TraceSource.dll" />
+    <FilesToExcludeFromSigning Include="System.Diagnostics.Tracing.dll" />
+    <FilesToExcludeFromSigning Include="System.dll" />
+    <FilesToExcludeFromSigning Include="System.Drawing.dll" />
+    <FilesToExcludeFromSigning Include="System.Drawing.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.Dynamic.Runtime.dll" />
+    <FilesToExcludeFromSigning Include="System.Globalization.Calendars.dll" />
+    <FilesToExcludeFromSigning Include="System.Globalization.dll" />
+    <FilesToExcludeFromSigning Include="System.Globalization.Extensions.dll" />
+    <FilesToExcludeFromSigning Include="System.IdentityModel.Tokens.Jwt.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Compression.Brotli.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Compression.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Compression.FileSystem.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Compression.ZipFile.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.FileSystem.AccessControl.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.FileSystem.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.FileSystem.DriveInfo.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.FileSystem.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.FileSystem.Watcher.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.IsolatedStorage.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.MemoryMappedFiles.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Pipelines.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Pipes.AccessControl.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.Pipes.dll" />
+    <FilesToExcludeFromSigning Include="System.IO.UnmanagedMemoryStream.dll" />
+    <FilesToExcludeFromSigning Include="System.Linq.dll" />
+    <FilesToExcludeFromSigning Include="System.Linq.Expressions.dll" />
+    <FilesToExcludeFromSigning Include="System.Linq.Parallel.dll" />
+    <FilesToExcludeFromSigning Include="System.Linq.Queryable.dll" />
+    <FilesToExcludeFromSigning Include="System.Memory.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Http.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Http.Formatting.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.HttpListener.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Mail.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.NameResolution.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.NetworkInformation.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Ping.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Requests.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Security.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.ServicePoint.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.Sockets.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebClient.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebHeaderCollection.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebProxy.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebSockets.Client.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebSockets.dll" />
+    <FilesToExcludeFromSigning Include="System.Net.WebSockets.WebSocketProtocol.dll" />
+    <FilesToExcludeFromSigning Include="System.Numerics.dll" />
+    <FilesToExcludeFromSigning Include="System.Numerics.Vectors.dll" />
+    <FilesToExcludeFromSigning Include="System.ObjectModel.dll" />
+    <FilesToExcludeFromSigning Include="System.Private.CoreLib.dll" />
+    <FilesToExcludeFromSigning Include="System.Private.DataContractSerialization.dll" />
+    <FilesToExcludeFromSigning Include="System.Private.Uri.dll" />
+    <FilesToExcludeFromSigning Include="System.Private.Xml.dll" />
+    <FilesToExcludeFromSigning Include="System.Private.Xml.Linq.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.DispatchProxy.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Emit.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Emit.ILGeneration.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Emit.Lightweight.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Extensions.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Metadata.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.Reflection.TypeExtensions.dll" />
+    <FilesToExcludeFromSigning Include="System.Resources.Reader.dll" />
+    <FilesToExcludeFromSigning Include="System.Resources.ResourceManager.dll" />
+    <FilesToExcludeFromSigning Include="System.Resources.Writer.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.CompilerServices.VisualC.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Extensions.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Handles.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.InteropServices.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.InteropServices.RuntimeInformation.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.InteropServices.WindowsRuntime.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Loader.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Numerics.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Serialization.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Serialization.Formatters.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Serialization.Json.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Serialization.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.Runtime.Serialization.Xml.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.AccessControl.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Claims.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Algorithms.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Cng.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Csp.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Encoding.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.OpenSsl.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Pkcs.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Primitives.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.X509Certificates.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Cryptography.Xml.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Permissions.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Principal.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.Principal.Windows.dll" />
+    <FilesToExcludeFromSigning Include="System.Security.SecureString.dll" />
+    <FilesToExcludeFromSigning Include="System.ServiceModel.Web.dll" />
+    <FilesToExcludeFromSigning Include="System.ServiceProcess.dll" />
+    <FilesToExcludeFromSigning Include="System.Spatial.dll" />
+    <FilesToExcludeFromSigning Include="System.Spatial.resources.dll" />
+    <FilesToExcludeFromSigning Include="System.Text.Encoding.dll" />
+    <FilesToExcludeFromSigning Include="System.Text.Encoding.Extensions.dll" />
+    <FilesToExcludeFromSigning Include="System.Text.Encodings.Web.dll" />
+    <FilesToExcludeFromSigning Include="System.Text.RegularExpressions.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Channels.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Overlapped.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Tasks.Dataflow.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Tasks.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Tasks.Extensions.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Tasks.Parallel.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Thread.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.ThreadPool.dll" />
+    <FilesToExcludeFromSigning Include="System.Threading.Timer.dll" />
+    <FilesToExcludeFromSigning Include="System.Transactions.dll" />
+    <FilesToExcludeFromSigning Include="System.Transactions.Local.dll" />
+    <FilesToExcludeFromSigning Include="System.ValueTuple.dll" />
+    <FilesToExcludeFromSigning Include="System.Web.dll" />
+    <FilesToExcludeFromSigning Include="System.Web.HttpUtility.dll" />
+    <FilesToExcludeFromSigning Include="System.Windows.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.Linq.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.ReaderWriter.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.Serialization.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.XDocument.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.XmlDocument.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.XmlSerializer.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.XPath.dll" />
+    <FilesToExcludeFromSigning Include="System.Xml.XPath.XDocument.dll" />
+    <FilesToExcludeFromSigning Include="ucrtbase.dll" />
+    <FilesToExcludeFromSigning Include="WindowsBase.dll" />
+  </ItemGroup>
+
+</Project>
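Review bot: The `FilesToExcludeFromSigning` entries match on bare file name only, and the comments say these binaries "should already be signed" without anything in this file checking that. Whether the signing step verifies an existing signature on excluded files is not visible here; if it does not, an unsigned file that shares one of these names ships as-is. The same name-only matching applies where build/CodeSign.targets flattens the per-repo results with `%(FileName)%(Extension)`. I would record the assumption next to the lists, e.g. `<!-- Matched by file name only; the signing step is expected to fail if an excluded file has no valid signature. -->`, and confirm that it holds. The two entries that carry `4.6.27023.02` in their names will also stop matching once the runtime version changes.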

+ 53 - 0
build/CodeSign.targets

@@ -0,0 +1,53 @@
+<Project>
+
+  <PropertyGroup>
+    <CodeSignDependsOn>$(CodeSignDependsOn);CollectFileSignInfo</CodeSignDependsOn>
+  </PropertyGroup>
+
+  <Target Name="CollectFileSignInfo" DependsOnTargets="_PrepareRepositories">
+    <ItemGroup>
+      <_RepositoryProject Remove="@(_RepositoryProject)" />
+      <_RepositoryProject Include="$(MSBuildProjectFullPath)" Condition="'%(Repository.Identity)' != ''">
+        <AdditionalProperties>RepositoryRoot=%(Repository.RootPath)</AdditionalProperties>
+        <Build>%(Repository.Build)</Build>
+      </_RepositoryProject>
+    </ItemGroup>
+
+    <PropertyGroup>
+      <GetFileSignInfoProps>
+        AssemblySigningCertName=$(AssemblySigningCertName);
+        AssemblySigning3rdPartyCertName=$(AssemblySigning3rdPartyCertName);
+        PowerShellSigningCertName=$(PowerShellSigningCertName);
+        PackageSigningCertName=$(PackageSigningCertName);
+        VsixSigningCertName=$(VsixSigningCertName);
+        JarSigningCertName=$(JarSigningCertName);
+        ArtifactsDir=$(ArtifactsDir);
+        BuildDir=$(BuildDir)
+      </GetFileSignInfoProps>
+    </PropertyGroup>
+
+    <MSBuild Projects="@(_RepositoryProject)"
+             Targets="_GetFileSignInfo"
+             Properties="$(GetFileSignInfoProps);$(DesignTimeBuildProps);DesignTimeBuild=true;Configuration=$(Configuration);BuildNumber=$(BuildNumber);CustomAfterKoreBuildTargets=$(MSBuildThisFileFullPath)"
+             BuildInParallel="true">
+      <Output TaskParameter="TargetOutputs" ItemName="_RepoFileSignInfo" />
+    </MSBuild>
+
+    <ItemGroup>
+      <!-- If repos were not built, only use this info to collect the mapping of FileName -> Certificate. Otherwise, include .nupkg and .zips in signing. -->
+      <_FilesToSign Include="@(_RepoFileSignInfo)" Condition="'%(_RepoFileSignInfo.IsFileToSign)' == 'true' AND ('$(_ReposWereBuilt)' == 'true' OR '%(_RepoFileSignInfo.Container)' != '' ) " />
+      <FilesToSign Include="@(_FilesToSign)" />
+
+      <FilesToExcludeFromSigning Include="@(_RepoFileSignInfo->'%(FileName)%(Extension)')" Condition="'%(_RepoFileSignInfo.IsFileToExcludeFromSign)' == 'true'" />
+      <!-- Workaround for the way we have both repo and Universe builds. This prevents duplicate configuration between 'exclude' and 'sign' options. -->
+      <FilesToExcludeFromSigning Remove="@(_FilesToSign->'%(FileName)%(Extension)')" />
+    </ItemGroup>
+  </Target>
+
+  <Target Name="_GetFileSignInfo" DependsOnTargets="GetArtifactInfo" Returns="@(_FileSignInfo)">
+    <ItemGroup>
+      <_FileSignInfo Include="@(FilesToSign)" IsFileToSign="true" />
+      <_FileSignInfo Include="@(FilesToExcludeFromSigning)" IsFileToExcludeFromSign="true" />
+    </ItemGroup>
+  </Target>
+</Project>
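Review bot: In `CollectFileSignInfo`, the `_FilesToSign` condition silently drops every repo item without `Container` metadata whenever `_ReposWereBuilt` is not `true`. In the visible hunks that property is set only in build/RepositoryBuild.targets after the repository build, so a run that reaches `CodeSign` without it would collect no repo .nupkg or .zip for signing, and the log would not say so. Adding `<Message Importance="high" Text="Repositories were not built; only files with Container metadata are collected for signing." Condition="'$(_ReposWereBuilt)' != 'true'" />` before the final ItemGroup would put that decision in the build record.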

+ 3 - 1
build/RepositoryBuild.targets

@@ -35,6 +35,7 @@
       Properties="BuildGroup=%(BatchedRepository.BuildGroup);BuildNumber=$(BuildNumber);IsFinalBuild=$(IsFinalBuild);Configuration=$(Configuration)" />
 
     <PropertyGroup>
+      <_ReposWereBuilt>true</_ReposWereBuilt>
       <_NoBuildRepos>true</_NoBuildRepos>
     </PropertyGroup>
   </Target>
@@ -80,7 +81,8 @@
       <!-- If there are duplicate properties, the properties which are defined later in the order would override the earlier ones -->
       <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:DotNetRestoreSourcePropsPath=$(GeneratedRestoreSourcesPropsPath)</RepositoryBuildArguments>
       <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:DotNetPackageVersionPropsPath=$(GeneratedPackageVersionPropsPath)</RepositoryBuildArguments>
-      <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:SignType=$(SignType)</RepositoryBuildArguments>
+      <!-- Unset 'SignType' because we collect all outputs from repo builds and sign them at the end. -->
+      <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:SignType=</RepositoryBuildArguments>
       <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:BuildNumber=$(BuildNumber)</RepositoryBuildArguments>
       <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:Configuration=$(Configuration)</RepositoryBuildArguments>
       <RepositoryBuildArguments>$(RepositoryBuildArguments) /p:IsFinalBuild=$(IsFinalBuild)</RepositoryBuildArguments>

+ 16 - 1
build/SharedFx.targets

@@ -4,6 +4,9 @@
   <PropertyGroup>
     <UnitTestFxProject>$(RepositoryRoot)src\Framework\Framework.UnitTests\Framework.UnitTests.csproj</UnitTestFxProject>
     <UnitTestFxProject>$([MSBuild]::NormalizePath($(UnitTestFxProject)))</UnitTestFxProject>
+    <CodeSignDependsOn>$(CodeSignDependsOn);GetSharedFxFilesToSign</CodeSignDependsOn>
+    <BuildSharedFxDependsOn>_BuildSharedFxProjects;TestSharedFx</BuildSharedFxDependsOn>
+    <BuildSharedFxDependsOn Condition="'$(TestOnly)' != 'true'">$(BuildSharedFxDependsOn);CodeSign</BuildSharedFxDependsOn>
   </PropertyGroup>
 
   <ItemGroup>
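Review bot: `CodeSign` is now reachable from two places, `BuildSharedFxDependsOn` here and `PackageDependsOn` in build/repo.targets, and nothing documents which one is meant to do the work. Assuming `CodeSign` is an ordinary target (its definition is not in this diff), MSBuild runs it once per invocation. When `BuildSharedFx` runs during compile, signing therefore happens before `CheckExpectedPackagesExist`, and the later entry is skipped. If that order is intended, a comment on the new line would say so, e.g. `<!-- CodeSign runs at the end of BuildSharedFx; the PackageDependsOn entry only matters when BuildSharedFx is skipped. -->`.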
@@ -14,7 +17,19 @@
     <ProjectToBuild Include="$(RepositoryRoot)src\Installers\Archive.Redist\*.*proj" />
   </ItemGroup>
 
-  <Target Name="BuildSharedFx" DependsOnTargets="_BuildSharedFxProjects;TestSharedFx"/>
+  <Target Name="BuildSharedFx" DependsOnTargets="$(BuildSharedFxDependsOn)" />
+
+  <Target Name="GetSharedFxFilesToSign">
+    <ItemGroup>
+      <FilesToSign Include="$(ArtifactsDir)$(Configuration)\installers\*.zip" Certificate="None" />
+      <FilesToSign Include="$(BuildDir)Microsoft.AspNetCore.App.$(PackageVersion).nupkg" Certificate="$(PackageSigningCertName)" />
+      <FilesToSign Include="$(BuildDir)Microsoft.AspNetCore.All.$(PackageVersion).nupkg" Certificate="$(PackageSigningCertName)" />
+      <FilesToSign Include="$(BuildDir)runtime.$(SharedFxRid).Microsoft.AspNetCore.App.$(PackageVersion).nupkg" Certificate="$(PackageSigningCertName)" />
+      <FilesToSign Include="$(BuildDir)runtime.$(SharedFxRid).Microsoft.AspNetCore.All.$(PackageVersion).nupkg" Certificate="$(PackageSigningCertName)" />
+      <FilesToSign Include="$(BuildDir)runtime.$(SharedFxRid).Microsoft.AspNetCore.App.$(PackageVersion).symbols.nupkg" Certificate="$(PackageSigningCertName)" />
+      <FilesToSign Include="$(BuildDir)runtime.$(SharedFxRid).Microsoft.AspNetCore.All.$(PackageVersion).symbols.nupkg" Certificate="$(PackageSigningCertName)" />
+    </ItemGroup>
+  </Target>
 
   <Target Name="_BuildSharedFxProjects" DependsOnTargets="GeneratePropsFiles;ResolveCommitHash">
 
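Review bot: The `installers\*.zip` wildcard in `GetSharedFxFilesToSign` takes every zip present in that directory when the target runs, unlike the .nupkg entries below it, which name each file. A zip left over from an earlier build in the same artifacts directory would be submitted for signing along with the current ones. Listing the expected archives by name, or clearing the directory before the build, keeps the signed set equal to what this build produced. `Certificate="None"` also deserves a comment; it presumably means the archive is opened and its contents signed rather than the zip itself, e.g. `<!-- Certificate="None": container only; the files inside are signed per CodeSign.props. -->`.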

+ 1 - 0
build/repo.props

@@ -57,4 +57,5 @@
   <Import Project="external-dependencies.props" />
   <Import Project="artifacts.props" />
   <Import Project="submodules.props" />
+  <Import Project="CodeSign.props" />
 </Project>

+ 19 - 11
build/repo.targets

@@ -4,6 +4,7 @@
   <Import Project="AzureIntegration.targets" />
   <Import Project="SharedFx.targets" />
   <Import Project="SharedFxInstaller.targets" />
+  <Import Project="CodeSign.targets" />
   <Import Project="Publish.targets" />
   <Import Project="buildorder.props" />
 
@@ -16,7 +17,7 @@
     <CleanDependsOn>$(CleanDependsOn);CleanArtifacts;CleanRepoArtifacts</CleanDependsOn>
     <RestoreDependsOn>$(RestoreDependsOn);InstallDotNet</RestoreDependsOn>
     <CompileDependsOn>$(CompileDependsOn);BuildRepositories;BuildSharedFx</CompileDependsOn>
-    <PackageDependsOn Condition="'$(TestOnly)' != 'true'">$(PackageDependsOn);CheckExpectedPackagesExist</PackageDependsOn>
+    <PackageDependsOn Condition="'$(TestOnly)' != 'true'">$(PackageDependsOn);CheckExpectedPackagesExist;CodeSign</PackageDependsOn>
     <TestDependsOn>$(TestDependsOn);_TestRepositories</TestDependsOn>
     <GetArtifactInfoDependsOn>$(GetArtifactInfoDependsOn);ResolveRepoInfo</GetArtifactInfoDependsOn>
   </PropertyGroup>
@@ -34,11 +35,17 @@
       <DesignTimeBuildProps>$(DesignTimeBuildProps);MicrosoftNETCoreApp20PackageVersion=$(MicrosoftNETCoreApp20PackageVersion);</DesignTimeBuildProps>
     </PropertyGroup>
 
-    <MSBuild Projects="$(MSBuildProjectFullPath)"
+    <ItemGroup>
+      <_RepositoryProject Include="$(MSBuildProjectFullPath)" Condition="'%(Repository.Identity)' != ''">
+        <AdditionalProperties>RepositoryRoot=%(Repository.RootPath)</AdditionalProperties>
+        <Build>%(Repository.Build)</Build>
+      </_RepositoryProject>
+    </ItemGroup>
+
+    <MSBuild Projects="@(_RepositoryProject)"
              Targets="GetArtifactInfo"
-             Properties="$(DesignTimeBuildProps);RepositoryRoot=%(Repository.RootPath);Configuration=$(Configuration);BuildNumber=$(BuildNumber);DesignTimeBuild=true"
-             ContinueOnError="WarnAndContinue"
-             Condition="'%(Repository.Identity)' != ''">
+             Properties="$(DesignTimeBuildProps);Configuration=$(Configuration);BuildNumber=$(BuildNumber);DesignTimeBuild=true;"
+             BuildInParallel="true">
       <Output TaskParameter="TargetOutputs" ItemName="ArtifactInfo" />
     </MSBuild>
 
@@ -46,17 +53,18 @@
              Targets="GetArtifactInfo"
              Properties="$(DesignTimeBuildProps);Configuration=$(Configuration);BuildNumber=$(BuildNumber);DesignTimeBuild=true"
              SkipNonexistentTargets="true"
-             Condition="'@(ProjectToBuild)' != ''">
+             BuildInParallel="true">
       <Output TaskParameter="TargetOutputs" ItemName="ArtifactInfo" />
     </MSBuild>
 
-    <MSBuild Projects="$(MSBuildProjectFullPath)"
+    <MSBuild Projects="@(_RepositoryProject)"
              Targets="ResolveSolutions"
-             Properties="RepositoryRoot=%(Repository.RootPath);Configuration=$(Configuration);BuildNumber=$(BuildNumber)"
+             Properties="$(DesignTimeBuildProps);Configuration=$(Configuration);BuildNumber=$(BuildNumber)"
              ContinueOnError="WarnAndContinue"
-             Condition="'%(Repository.Identity)' != ''">
-      <Output TaskParameter="TargetOutputs" ItemName="Solution" Condition="'%(Repository.Build)' == 'true'" />
-      <Output TaskParameter="TargetOutputs" ItemName="_NoBuildSolution" Condition="'%(Repository.Build)' != 'true'" />
+             BuildInParallel="true"
+             Condition="@(_RepositoryProject->Count()) != 0">
+      <Output TaskParameter="TargetOutputs" ItemName="Solution" Condition="'%(_RepositoryProject.Build)' == 'true'" />
+      <Output TaskParameter="TargetOutputs" ItemName="_NoBuildSolution" Condition="'%(_RepositoryProject.Build)' != 'true'" />
     </MSBuild>
 
     <!--
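Review bot: The new `Condition="@(_RepositoryProject->Count()) != 0"` on the `ResolveSolutions` call leaves both operands unquoted, while every other condition added in this commit quotes them. For consistency I would write `Condition="'@(_RepositoryProject->Count())' != '0'"`. The enclosing target starts and ends outside the hunk.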