
[release/5.0] Fix some post-build signing issues (#26506)

* Fix some post-build signing issues
This fixes some post-build signing issues that are present in the aspnetcore repo
1. Add the .msi extension to be signed by Microsoft400 - Msis must be signed. With in-build signing these get handled explicitly by the wixproj infrastructure. When we do post build signing, we must sign these files.
2. Remove the strong name exclusions. These exclusions are incorrect when applied in post-build and unnecessary for in-build signing. Most importantly, the aspnetcore PKT would not end up re-strong named (it doesn't need to be strong name signed by ESRP since it's strong named in-build) because the PKT doesn't match any of the StrongNameSignInfo specified in arcade. The rest of the entries seem to be mostly about optimization. I could not find any performance difference between these entries being present and not. I am not sure whether they actually even apply to any assets. Moreover, when doing post-build signing, they would conflict with the entries in runtime and other places.

Verification - I have a tool that I wrote which unpacks every file between two directories and compares the strong name, nuget, and authenticode certs between equivalent files. This is the same tool being used to verify post-build signing. This tool shows no difference in any aspnetcore produced asset.

Baseline: https://dev.azure.com/dnceng/internal/_build/results?buildId=836183&view=results
Diff: https://dev.azure.com/dnceng/internal/_build/results?buildId=837176&view=results

* Do not push VS packages for installers when PostBuildSign == true

* Output wix command packages to the installers output path

* Don't import microbuild signing targets from wix when PostBuildSign=true

* Tweaks:
- Don't sign wixpacks when not in post-build signing
- Generate a wixpack for both the original msi name (which the wixproj generates) AND the name we use in the final outputs. This is because while these files are the same, signing differentiates the certificate based on the file name, and wixpack lookup is also based on the file names. Aspnetcore and other repos use the final outputs (e.g. dotnet-aspnetcore-runtime-123.5..) as well as the internal names (e.g. AspNetCoreSharedFramework_x64.msi).
- Don't sign msi's when not post-build signing.

* Avoid generating sha512 files for wixpack zips

* Don't run xplat code sign jobs if PostBuildSign == true

* Change original target names

* Conditionalize codesign operations

* Add publishing flag for linux x64 and add deb sha512 generation

* Do not push the x64 linux runtime archive more than once
Matt Mitchell 5 лет назад
Родитель
Сommit
a0ab0964d4

+ 42 - 25
.azure/pipelines/ci.yml

@@ -32,6 +32,8 @@ variables:
   value: .NETCORE
 - name: _DotNetValidationArtifactsCategory
   value: .NETCORE
+- name: PostBuildSign
+  value: false
 - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
   - name: _BuildArgs
     value: /p:TeamName=$(_TeamName)
@@ -349,9 +351,11 @@ stages:
         includeForks: true
       - name: MacOS_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: MacOS_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: MacOS_x64
 
   # Build Linux x64
   - template: jobs/default-build.yml
@@ -369,7 +373,9 @@ stages:
             --no-build-nodejs
             --no-build-java
             -p:OnlyPackPlatformSpecificPackages=true
+            -p:AssetManifestFileName=aspnetcore-Linux_x64.xml
             $(_BuildArgs)
+            $(_PublishArgs)
             $(_InternalRuntimeDownloadArgs)
         displayName: Run build.sh
       - script: |
@@ -399,7 +405,7 @@ stages:
             -p:OnlyPackPlatformSpecificPackages=true \
             -p:BuildRuntimeArchive=false \
             -p:LinuxInstallerType=rpm \
-            -p:AssetManifestFileName=aspnetcore-Linux_x64.xml \
+            -p:AssetManifestFileName=aspnetcore-Linux_x64-installers.xml \
             $(_BuildArgs) \
             $(_PublishArgs) \
             $(_InternalRuntimeDownloadArgs)
@@ -413,9 +419,11 @@ stages:
         includeForks: true
       - name: Linux_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_x64
 
   # Build Linux ARM
   - template: jobs/default-build.yml
@@ -443,9 +451,11 @@ stages:
         includeForks: true
       - name: Linux_arm_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_arm
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_arm
 
   # Build Linux ARM64
   - template: jobs/default-build.yml
@@ -473,9 +483,11 @@ stages:
         includeForks: true
       - name: Linux_arm64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_arm64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_arm64
 
   # Build Linux Musl x64
   - template: jobs/default-build.yml
@@ -507,9 +519,11 @@ stages:
         includeForks: true
       - name: Linux_musl_x64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_musl_x64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_musl_x64
 
   # Build Linux Musl ARM64
   - template: jobs/default-build.yml
@@ -541,9 +555,11 @@ stages:
         includeForks: true
       - name: Linux_musl_arm64_Packages
         path: artifacts/packages/
-  - template: jobs/codesign-xplat.yml
-    parameters:
-      inputName: Linux_musl_arm64
+
+  - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+    - template: jobs/codesign-xplat.yml
+      parameters:
+        inputName: Linux_musl_arm64
 
   - ${{ if or(eq(variables['System.TeamProject'], 'public'), in(variables['Build.Reason'], 'PullRequest')) }}:
     # Test jobs
@@ -734,12 +750,13 @@ stages:
           - Windows_build
           - Windows_arm_build
           - Windows_arm64_build
-          - CodeSign_Xplat_MacOS_x64
-          - CodeSign_Xplat_Linux_x64
-          - CodeSign_Xplat_Linux_arm
-          - CodeSign_Xplat_Linux_arm64
-          - CodeSign_Xplat_Linux_musl_x64
-          - CodeSign_Xplat_Linux_musl_arm64
+          - ${{ if ne(variables['PostBuildSign'], 'true') }}:
+            - CodeSign_Xplat_MacOS_x64
+            - CodeSign_Xplat_Linux_x64
+            - CodeSign_Xplat_Linux_arm
+            - CodeSign_Xplat_Linux_arm64
+            - CodeSign_Xplat_Linux_musl_x64
+            - CodeSign_Xplat_Linux_musl_arm64
           # In addition to the dependencies above, ensure the build was successful overall.
           - Source_Build
         pool:
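Review bot: `PostBuildSign` is declared in the variables block as an unquoted YAML boolean (`value: false`) while every consumer in this file compares it as a string (`ne(variables['PostBuildSign'], 'true')`); quote it as `value: 'false'` so the value is a string under every loader and the comparisons read as intended. The same `${{ if ne(...) }}` guard is repeated for each codesign-xplat template (MacOS_x64, Linux_x64, Linux_arm, Linux_arm64, Linux_musl_x64, Linux_musl_arm64) and again in the dependsOn list in the last hunk, so a short comment above the variable stating that it switches the pipeline between in-build and post-build signing and gates both the xplat sign jobs and the dependsOn entries would help whoever flips it. Whether a queue-time override of this variable is visible to these compile-time template expressions is not something this file shows; worth confirming before relying on an override to change signing mode.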

+ 2 - 1
eng/AfterSigning.targets

@@ -13,9 +13,10 @@
     <ItemGroup>
       <InstallerFiles Include="$(InstallersOutputPath)**\*.msi" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.exe" />
-      <InstallerFiles Include="$(InstallersOutputPath)**\*.zip" />
+      <InstallerFiles Include="$(InstallersOutputPath)**\*.zip" Exclude="$(InstallersOutputPath)**\*.wixpack.zip" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.tar.gz" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.wixlib" />
+      <InstallerFiles Include="$(InstallersOutputPath)**\*.deb" />
       <InstallerFiles Include="$(InstallersOutputPath)**\*.rpm" />
       <GenerateChecksumItems Include="%(InstallerFiles.Identity)" >
         <DestinationPath>%(FullPath).sha512</DestinationPath>
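Review bot: The new `Exclude` on the `*.zip` include carries no explanation of why wixpack zips are dropped from checksum generation, and a reader seeing them sitting in the installers folder will not know whether that is deliberate. A comment above the Include such as `<!-- *.wixpack.zip are signing inputs, not shipping artifacts; do not generate checksums for them -->` would record the intent alongside the glob. The exclusion is keyed on the `.wixpack.zip` suffix only, so it depends on Wix.targets keeping that naming.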

+ 8 - 7
eng/Publishing.props

@@ -50,8 +50,14 @@
     </PropertyGroup>
 
     <ItemGroup>
-      <!-- Do not push .nupkg files from Linux and macOS builds. They'll be packed up separately and signed on Windows. -->
-      <ItemsToPushToBlobFeed Remove="@(ItemsToPushToBlobFeed)" Condition="'$(OS)' != 'Windows_NT'" />
+      <!-- Do not push .nupkg files from Linux and macOS builds. They'll be packed up separately and signed on Windows.
+           Do not remove if post build sign is true, as we avoid the xplat codesign jobs, and need to have
+           the nupkgs pushed. -->
+      <ItemsToPushToBlobFeed Remove="@(ItemsToPushToBlobFeed)" Condition="'$(OS)' != 'Windows_NT' and '$(PostBuildSign)' != 'true'" />
+      <!-- Linux x64 is built in 3 stages: Build the base packages, layout, and archive. Then build deb and rpm installers.
+           The first and last segments will both publish the layout (they share artifacts). Only publish this during the first pass. -->
+      <_InstallersToPublish Remove="$(ArtifactsDir)installers\**\*.tar.gz" Condition="'$(BuildRuntimeArchive)' == 'false'" />
+      <_ChecksumsToPublish Remove="$(ArtifactsDir)installers\**\*.tar.gz.sha512" Condition="'$(BuildRuntimeArchive)' == 'false'" />
 
       <ItemsToPushToBlobFeed Include="@(_ChecksumsToPublish)">
         <PublishFlatContainer>true</PublishFlatContainer>
@@ -60,14 +66,9 @@
 
       <ItemsToPushToBlobFeed Include="@(_InstallersToPublish)">
         <IsShipping>true</IsShipping>
-        <ManifestArtifactData>ShipInstaller=dotnetcli</ManifestArtifactData>
         <PublishFlatContainer>true</PublishFlatContainer>
         <RelativeBlobPath>$(_UploadPathRoot)/%(_InstallersToPublish.UploadPathSegment)/$(_PackageVersion)/%(Filename)%(Extension)</RelativeBlobPath>
       </ItemsToPushToBlobFeed>
-
-      <!-- Set up ItemsToSign for the push task to pick up. -->
-      <ItemsToSign Remove="@(ItemsToSign)" />
-      <ItemsToSign Include="@(ItemsToSignPostBuild)" />
     </ItemGroup>
   </Target>
 </Project>
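Review bot: With `PostBuildSign` true the Linux and macOS `.nupkg` items are now pushed to the blob feed without having passed through the xplat code-sign jobs, and the comment above the `Remove` says the push is needed but not that the packages are unsigned at that point; adding `(they are unsigned at push time; the post-build signing stage signs them afterwards)` to the comment would stop a reader assuming they are signed on push. The tar.gz `Remove` keys on the exact string `'false'` for `BuildRuntimeArchive`, so an installers leg that leaves the property unset would still publish the layout a second time; the rpm job in ci.yml passes `-p:BuildRuntimeArchive=false` explicitly, so it works today, but a comment stating that the installer legs must set the property explicitly would make the coupling visible.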

+ 5 - 19
eng/Signing.props

@@ -5,7 +5,6 @@
   <ItemGroup>
     <!-- Reset Arcade's defaults. -->
     <ItemsToSign Remove="@(ItemsToSign)" />
-    <StrongNameSignInfo Remove="@(StrongNameSignInfo)" />
     <FileExtensionSignInfo Remove="@(FileExtensionSignInfo)" />
   </ItemGroup>
 
@@ -15,6 +14,7 @@
     <CommonFilesToSign Include="$(VisualStudioSetupOutputPath)**\*.vsix" />
     <CommonFilesToSign Include="$(ArtifactsPackagesDir)**\*.jar"  />
     <CommonFilesToSign Include="$(ArtifactsDir)installers\$(Configuration)\**\*.zip" />
+    <CommonFilesToSign Remove="$(ArtifactsDir)installers\$(Configuration)\**\*.wixpack.zip" Condition="'$(PostBuildSign)' != 'true'" />
   </ItemGroup>
   <Choose>
     <!-- When post build signing is false - Sign as normal.
@@ -57,24 +57,10 @@
     <FileExtensionSignInfo Include=".vsix" CertificateName="VsixSHA2" />
     <FileExtensionSignInfo Include=".zip" CertificateName="None" />
     <FileExtensionSignInfo Include=".cab" CertificateName="None" />
-    <FileExtensionSignInfo Include=".msi" CertificateName="None" />
-
-    <!--
-      Use the PublicKeyToken of .NET assemblies to determine which authenticode cert to use.
-      'None' is required to ensure code signing does not attempt to re-sign them or submit
-      to ESPR for strong-naming signing. We don't delay sign, so we only need to authenticode sign.
-      See https://github.com/dotnet/arcade/issues/1911 for context.
-    -->
-    <!-- The AspNetCore strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="adb9793829ddae60" CertificateName="Microsoft400" />
-    <!-- The MsSharedLib72 strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="31bf3856ad364e35" CertificateName="Microsoft400" />
-    <!-- The MsftStrongName strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="b03f5f7f11d50a3a" CertificateName="Microsoft400" />
-    <!-- The MsftStrongName2 strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="b77a5c561934e089" CertificateName="Microsoft400" />
-    <!-- The MsftOpenStrongName strong name. -->
-    <StrongNameSignInfo Include="None" PublicKeyToken="cc7b13ffcd2ddd51" CertificateName="Microsoft400" />
+    <!-- If doing post build sign, explicitly give MSIs a cert. If doing in build signing,
+         this is handled by the wix targets, and .msi should be "None" -->
+    <FileExtensionSignInfo Include=".msi" CertificateName="Microsoft400" Condition="'$(PostBuildSign)' == 'true'" />
+    <FileExtensionSignInfo Include=".msi" CertificateName="None" Condition="'$(PostBuildSign)' != 'true'" />
 
     <!-- Native .dll's. These don't have a public key token, but are from Microsoft and should be signed. -->
     <FileSignInfo Include="aspnetcore.dll" CertificateName="Microsoft400" />
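Review bot: The wixpack `Remove` runs only when `PostBuildSign` is not `'true'`, so in post-build mode the wixpack zips stay in `CommonFilesToSign` and fall under the `.zip` → `None` extension entry; if that is intentional (the zips are handed to post-build signing as containers rather than signed themselves), a comment on the Remove saying so, e.g. `<!-- wixpacks are passed through to post-build signing; never sign them in-build -->`, would keep the next maintainer from "fixing" it. Dropping the `StrongNameSignInfo` reset means Arcade's default strong-name entries now apply to any assembly whose public key token they match; the commit message argues the aspnetcore token matches none of them, so a one-line comment recording that reasoning next to the retained `ItemsToSign` reset would prevent the exclusions being re-added. The two `.msi` entries with complementary conditions are readable as an if/else only because they are adjacent and commented; keep them together.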

+ 1 - 1
eng/targets/Cpp.Common.targets

@@ -5,7 +5,7 @@
 
   <Target Name="GetVcxprojFilesToSign" BeforeTargets="SignFiles">
     <ItemGroup>
-      <FilesToSign Include="$(TargetPath)" Condition="'$(ConfigurationType)' == 'DynamicLibrary'" Authenticode="Microsoft400" />
+      <FilesToSign Include="$(TargetPath)" Condition="'$(ConfigurationType)' == 'DynamicLibrary' AND '$(PostBuildSign)' != 'true'" Authenticode="Microsoft400" />
     </ItemGroup>
   </Target>
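Review bot: Skipping `FilesToSign` for native DLLs when `PostBuildSign` is true leaves their signing to whatever the post-build pipeline collects (eng/Signing.props carries per-file `FileSignInfo` entries such as `aspnetcore.dll`), but nothing in this target says so; a comment above the item, `<!-- In post-build signing the native dlls are signed from the published artifacts via FileSignInfo in eng/Signing.props, not here -->`, would make the dependency between the two files explicit. Worth confirming that every DynamicLibrary produced through this target has a matching entry on the post-build side, since an unlisted native dll would ship unsigned rather than fail the build.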
 

+ 4 - 1
eng/targets/Wix.Common.targets

@@ -39,5 +39,8 @@
   <Import Project="$(NuGetRestoreTargets)" />
   <Import Project="$(MSBuildProjectExtensionsPath)$(MSBuildProjectFile).*.targets" />
   <Import Project="$(WixTargetsPath)" Condition="'$(WixTargetsPath)' != '' " />
-  <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition="'$(DisableMicroBuild)' != 'true' AND '$(MicroBuildPluginDirectory)' != ''" />
+  <!-- Don't import the Microbuild signing targets when post build sign is enabled. They override the
+       standard Wix targets for signing, and call ESRP directly (rather than through SignTool). So without this,
+       ASPNetCore will sign even when PostbuildSign == true -->
+  <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.*\**\build\MicroBuild.Plugins.*.targets" Condition="'$(DisableMicroBuild)' != 'true' AND '$(MicroBuildPluginDirectory)' != '' AND '$(PostBuildSign)' != 'true'" />
 </Project>
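Review bot: The new comment refers to `PostbuildSign` and `ASPNetCore`, while the property the condition actually tests is `PostBuildSign` and the repo is aspnetcore; use the exact property name so a grep for `PostBuildSign` finds this explanation, e.g. `So without this, aspnetcore would sign in-build even when PostBuildSign == true`. The condition is now a three-term AND on one line well past 120 columns; splitting it one term per line would make the new term visible in future diffs.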

+ 2 - 2
src/Installers/Windows/AspNetCoreModule-Setup/ANCMIISExpressV2/AncmIISExpressV2.wixproj

@@ -7,7 +7,7 @@
     <IsShipping>true</IsShipping>
     <ProjectGuid>17c76489-4c09-4e14-b81c-7a86cd937144</ProjectGuid>
     <OutputType>Package</OutputType>
-    <OutputName>ancm_iis_express_$(Platform)_en_v2</OutputName>
+    <OutputName>$(Name)_$(Platform)</OutputName>
     <SuppressIces>ICE03</SuppressIces>
     <DisableGuidGeneration>true</DisableGuidGeneration>
     <SchemaVersion>2.0</SchemaVersion>
@@ -67,6 +67,6 @@
   <Import Project="..\build\settings.props" />
 
   <PropertyGroup>
-    <PackageFileName>$(TargetName)_$(PackageVersion)$(TargetExt)</PackageFileName>
+    <PackageFileName>ancm_iis_express_$(Platform)_en_v2_$(PackageVersion)$(TargetExt)</PackageFileName>
   </PropertyGroup>
 </Project>
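Review bot: `OutputName` now depends on `$(Name)`, which must already be defined when this PropertyGroup is evaluated (the `settings.props` import comes later in the file); if `Name` is unset at that point the package is named `_$(Platform)` and the by-file-name wixpack lookup described in the commit message fails silently. If `Name` comes from a Directory.Build.props or similar, a comment on the line naming where it is set would help, e.g. `<!-- $(Name) is set by the shared installer props; OutputName must match the wixpack name -->`; the same applies to the identical change in AncmV2.wixproj. The shipping file name is now hard-coded in `PackageFileName` rather than derived from `TargetName`, so the two names have to be kept in sync by hand.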

+ 2 - 2
src/Installers/Windows/AspNetCoreModule-Setup/ANCMV2/AncmV2.wixproj

@@ -7,7 +7,7 @@
     <IsShipping>true</IsShipping>
     <ProjectGuid>f9bacb48-3bd7-4ec2-ae31-664e8703ec12</ProjectGuid>
     <OutputType>Package</OutputType>
-    <OutputName>aspnetcoremodule_$(Platform)_en_v2</OutputName>
+    <OutputName>$(Name)_$(Platform)</OutputName>
     <GenerateRandomNamespaceGuid>true</GenerateRandomNamespaceGuid>
     <SchemaVersion>2.0</SchemaVersion>
     <DisableGuidGeneration>true</DisableGuidGeneration>
@@ -55,6 +55,6 @@
   <Import Project="..\build\settings.props" />
 
   <PropertyGroup>
-    <PackageFileName>$(TargetName)_$(PackageVersion)$(TargetExt)</PackageFileName>
+    <PackageFileName>aspnetcoremodule_$(Platform)_en_v2_$(PackageVersion)$(TargetExt)</PackageFileName>
   </PropertyGroup>
 </Project>

+ 8 - 2
src/Installers/Windows/SharedFrameworkLib/SharedFrameworkLib.wixproj

@@ -43,13 +43,19 @@
 
   <!-- Overwrite the wix package drop creation target to create a lit
        package instead. -->
-  <Target Name="CreateWixPackageDrop" AfterTargets="Build">
+  <Target Name="CreateWixPackageDrop" AfterTargets="CopyToArtifactsDirectory">
+    <ItemGroup>
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(OutputName).wixlib" />
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(PackageFileName)"
+        Condition=" '$(SkipCopyToArtifactsDirectory)' != 'true' " />
+    </ItemGroup>
+
     <CreateLitCommandPackageDrop
       LitCommandWorkingDir="$(WixCommandObjDir)"
       OutputFolder="$(WixCommandPackagesDir)"
       WixExtensions="@(WixExtension)"
       Bf="true"
-      InstallerFile="$(InstallersOutputPath)$(OutputName).wixlib"
+      InstallerFile="%(WixInstallerFilesToProcess.Identity)"
       WixSrcFiles="@(CompileObjOutput);@(WixObject);@(WixLibProjects);@(WixLibrary)">
       <Output TaskParameter="OutputFile" PropertyName="_LitCommandPackageNameOutput" />
     </CreateLitCommandPackageDrop>
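Review bot: Batching `CreateLitCommandPackageDrop` over `%(WixInstallerFilesToProcess.Identity)` runs the task once per item, but the `<Output ... PropertyName="_LitCommandPackageNameOutput" />` captures a property, so after the target only the last batch's package name survives; if `_LitCommandPackageNameOutput` is consumed later in this target (its body continues past the hunk), switch to `ItemName="_LitCommandPackageNameOutput"` and read it as `@(_LitCommandPackageNameOutput)` so both wixpacks are seen. The same batching pattern is introduced in Wix.targets for `CreateLightCommandPackageDrop`, where the task element also continues past the hunk. The second item here is conditioned on `SkipCopyToArtifactsDirectory` only, while the Wix.targets version also requires `IsShipping`; if the difference is deliberate a comment explaining it would help.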

+ 2 - 2
src/Installers/Windows/Wix.props

@@ -32,8 +32,8 @@
   <PropertyGroup>
     <!-- Directory for the unzipped directory -->
     <WixCommandObjDir>$(ArtifactsObjDir)/WixCommandPackages</WixCommandObjDir>
-    <!-- Directory for the zipped up light/lit command package -->
-    <WixCommandPackagesDir>$(ArtifactsNonShippingPackagesDir)</WixCommandPackagesDir>
+    <!-- Directory for the zipped up wixpack command package -->
+    <WixCommandPackagesDir>$(InstallersOutputPath)</WixCommandPackagesDir>
   </PropertyGroup>
 
 </Project>
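Review bot: Moving the wixpack drop into `InstallersOutputPath` puts signing-input zips in the same folder the publish and checksum item groups glob; AfterSigning.targets in this commit excludes `*.wixpack.zip` from checksums, but whether `_InstallersToPublish` also excludes them is not visible here and should be checked, otherwise wixpacks could be pushed as if they were shipping installers. A comment on `WixCommandPackagesDir` stating the contract would help, e.g. `<!-- wixpacks land next to the installers so post-build signing can find them by file name; they are non-shipping and must be excluded from publish/checksum globs -->`.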

+ 8 - 3
src/Installers/Windows/Wix.targets

@@ -32,7 +32,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="$(MicrosoftDotNetBuildTasksInstallersPackageVersion)" />
   </ItemGroup>
-  
+
   <PropertyGroup>
     <MicrosoftDotNetBuildTasksInstallersTaskAssembly Condition="'$(MSBuildRuntimeType)' == 'Core'">$(NuGetPackageRoot)microsoft.dotnet.build.tasks.installers\$(MicrosoftDotNetBuildTasksInstallersPackageVersion)\tools\netcoreapp2.1\Microsoft.DotNet.Build.Tasks.Installers.dll</MicrosoftDotNetBuildTasksInstallersTaskAssembly>
     <MicrosoftDotNetBuildTasksInstallersTaskAssembly Condition="'$(MSBuildRuntimeType)' != 'Core'">$(NuGetPackageRoot)microsoft.dotnet.build.tasks.installers\$(MicrosoftDotNetBuildTasksInstallersPackageVersion)\tools\net472\Microsoft.DotNet.Build.Tasks.Installers.dll</MicrosoftDotNetBuildTasksInstallersTaskAssembly>
@@ -89,14 +89,19 @@
     <Copy SourceFiles="@(_cabs)" DestinationFolder="$(InstallersOutputPath)" />
   </Target>
 
-  <Target Name="CreateWixPackageDrop" AfterTargets="Build">
+  <Target Name="CreateWixPackageDrop" AfterTargets="CopyToArtifactsDirectory">
     <MakeDir Directories="$(WixCommandPackagesDir)" />
+    <ItemGroup>
+      <WixInstallerFilesToProcess Include="$(TargetPath)" />
+      <WixInstallerFilesToProcess Include="$(InstallersOutputPath)$(PackageFileName)"
+        Condition=" '$(IsShipping)' == 'true' AND '$(SkipCopyToArtifactsDirectory)' != 'true' " />
+    </ItemGroup>
     <CreateLightCommandPackageDrop
       LightCommandWorkingDir="$(WixCommandObjDir)"
       OutputFolder="$(WixCommandPackagesDir)"
       NoLogo="true"
       Cultures="en-us"
-      InstallerFile="$(InstallersOutputPath)$(PackageFileName)"
+      InstallerFile="%(WixInstallerFilesToProcess.Identity)"
       AdditionalBasePaths="$(MSBuildProjectDirectory)"
       WixExtensions="@(WixExtension)"
       Loc="@(EmbeddedResource)"
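Review bot: Nothing in the target explains why `WixInstallerFilesToProcess` lists the MSI twice (once as `$(TargetPath)`, again as `$(InstallersOutputPath)$(PackageFileName)`), so a future cleanup could collapse it to one entry; a comment above the ItemGroup, `<!-- Signing selects the certificate and the wixpack by file name, so produce a wixpack for both the build name and the shipped name -->`, would preserve the reasoning from the commit message. The `CreateLightCommandPackageDrop` element continues past the hunk; if it captures `OutputFile` into a property as SharedFrameworkLib.wixproj does, only the last batch's value survives the batched invocation. The `IsShipping` term in the condition has no counterpart in the equivalent group in SharedFrameworkLib.wixproj; worth aligning the two or commenting the difference.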