Fix generate sign request to only include assemblies

2017-12-28 13:59:08 -08:00 · 2017-12-28 13:59:08 -08:00 · e1e6980df0
--- a/docs/Signing.md
+++ b/docs/Signing.md
@ -23,7 +23,9 @@ The signing request manifest supports three element types. A minimal example loo
 </SigningRequest>
 ```

-## Config
+## Config via csproj
+
+KoreBuild can generate the sign request using information from MSBuild projects. The following options can be set.

 ### Assemblies

@ -83,6 +85,64 @@ This will generate a signing request like this:
 </SigningRequest>
 ```

+### Projects using nuspec
+
+When creating a NuGet package via nuspec + csproj, KoreBuild cannot detect which assemblies
+end up in the nuget package. You must explicitly declare which assemblies inside the nupkg
+should be signed.
+
+```xml
+<PropertyGroup>
+  <NuspecFile>MyPackage.nuspec<NuspecFile/>
+</PropertyGroup>
+
+<ItemGroup>
+  <!-- TargetFileName is a well-known MSBuild property that is set to MyPackage.dll -->
+  <SignedPackageFile Include="$(TargetPath)" PackagePath="tools/$(TargetFileName)" Visible="false" />
+</ItemGroup>
+```
+
+### NuGet packages with signable files
+
+Sometimes other signable assemblies end up in a nupkg. Signing for these file types can be controlled with `SignedPackageFile`, and `ExcludePackageFileFromSigning` items.
+
+```xml
+  <ItemGroup>
+    <!-- Files that come from other ASP.NET Core projects -->
+    <SignedPackageFile Include="$(PublishDir)Microsoft.Extensions.Configuration.Abstractions.dll" Certificate="$(AssemblySigningCertName)" PackagePath="tools/Microsoft.Extensions.Configuration.Abstractions.dll" Visible="false" />
+
+    <!-- Third-party cert -->
+    <SignedPackageFile Include="$(PublishDir)Newtonsoft.Json.dll" Certificate="3PartyDual" PackagePath="tools/Newtonsoft.Json.dll" Visible="false" />
+
+    <!-- This should already be signed by the dotnet-core team -->
+    <ExcludePackageFileFromSigning Include="$(PublishDir)System.Runtime.CompilerServices.Unsafe.dll" PackagePath="tools/System.Runtime.CompilerServices.Unsafe.dll" Visible="false" />
+  </ItemGroup>
+```
+
+### Disabling signing
+
+You can disable sign request generation on an MSBuild project by setting DisableCodeSigning.
+
+```xml
+<PropertyGroup>
+  <DisableCodeSigning>true</DisableCodeSigning>
+</PropertyGroup>
+```
+
+## Additional signing files
+
+KoreBuild targets may produce additional artifacts that should be signed by methods not detected from MSBuild project files. These files can be added to the sign request by adding
+these elements to the `build/repo.props` file. (See also [KoreBuild.md](./KoreBuild.md#repo-props))
+
+```xml
+<!-- build/repo.props -->
+<ItemGroup>
+  <FilesToSign Include="$(ArtifactsDir)libuv.dll" Certificate="3PartyDual" />
+
+  <!-- Files can also be listed as "do not sign", for completeness -->
+  <FilesToExcludeFromSigning Include="$(ArtifactsDir)my.test.dll" Certificate="3PartyDual" />
+</ItemGroup>
+```

 ## Elements

--- a/files/KoreBuild/modules/solutionbuild/Project.Inspection.targets
+++ b/files/KoreBuild/modules/solutionbuild/Project.Inspection.targets
@ -25,6 +25,7 @@
        <Category>$(PackageArtifactCategory)</Category>
        <Certificate>$(PackageSigningCertName)</Certificate>
        <ShouldBeSigned Condition="'$(PackageSigningCertName)' != '' OR @(SignedPackageFile->Count()) != 0 ">true</ShouldBeSigned>
+        <ShouldBeSigned Condition=" '$(DisableCodeSigning)' == 'true' ">false</ShouldBeSigned>
        <IsContainer>true</IsContainer>
      </ArtifactInfo>

@ -41,10 +42,11 @@
        <Category>$(PackageArtifactCategory)</Category>
        <Certificate>$(PackageSigningCertName)</Certificate>
        <ShouldBeSigned Condition="'$(PackageSigningCertName)' != '' OR @(SignedPackageFile->Count()) != 0 ">true</ShouldBeSigned>
+        <ShouldBeSigned Condition=" '$(DisableCodeSigning)' == 'true' ">false</ShouldBeSigned>
        <IsContainer>true</IsContainer>
      </ArtifactInfo>

-      <ArtifactInfo Include="@(SignedPackageFile)">
+      <ArtifactInfo Include="@(SignedPackageFile)" Condition=" '$(DisableCodeSigning)' != 'true' ">
        <ShouldBeSigned>true</ShouldBeSigned>
        <Container>$(FullPackageOutputPath)</Container>
      </ArtifactInfo>
@ -54,7 +56,7 @@
        <Container>$(FullPackageOutputPath)</Container>
      </ArtifactInfo>

-      <ArtifactInfo Include="@(SignedPackageFile)" Condition="'$(IncludeSymbols)' == 'true' AND '$(NuspecFile)' == ''">
+      <ArtifactInfo Include="@(SignedPackageFile)" Condition=" '$(DisableCodeSigning)' != 'true' AND '$(IncludeSymbols)' == 'true' AND '$(NuspecFile)' == ''">
        <ShouldBeSigned>true</ShouldBeSigned>
        <Container>$(SymbolsPackageOutputPath)</Container>
      </ArtifactInfo>
@ -106,13 +108,13 @@ Items:
          DependsOnTargets="BuiltProjectOutputGroup;SatelliteDllsProjectOutputGroup">

    <ItemGroup Condition=" '$(NuspecFile)' == '' AND '$(IncludeBuildOutput)' != 'false' AND ('$(AssemblySigningCertName)' != '' OR '$(AssemblySigningStrongName)' != '') ">
-      <SignedPackageFile Include="@(BuiltProjectOutputGroupOutput)">
+      <SignedPackageFile Include="@(BuiltProjectOutputGroupOutput)" Condition="'%(BuiltProjectOutputGroupOutput.Extension)' == '.dll' OR '%(BuiltProjectOutputGroupOutput.Extension)' == '.exe'">
        <PackagePath>$(BuildOutputTargetFolder)/$(TargetFramework)/%(BuiltProjectOutputGroupOutput.FileName)%(BuiltProjectOutputGroupOutput.Extension)</PackagePath>
        <Certificate>$(AssemblySigningCertName)</Certificate>
        <StrongName>$(AssemblySigningStrongName)</StrongName>
      </SignedPackageFile>

-      <SignedPackageFile Include="@(SatelliteDllsProjectOutputGroupOutput)">
+      <SignedPackageFile Include="@(SatelliteDllsProjectOutputGroupOutput)" Condition="'%(SatelliteDllsProjectOutputGroupOutput.Extension)' == '.dll' OR '%(SatelliteDllsProjectOutputGroupOutput.Extension)' == '.exe'">
        <PackagePath>$(BuildOutputTargetFolder)/$(TargetFramework)/%(SatelliteDllsProjectOutputGroupOutput.FileName)%(SatelliteDllsProjectOutputGroupOutput.Extension)</PackagePath>
        <Certificate>$(AssemblySigningCertName)</Certificate>
        <StrongName>$(AssemblySigningStrongName)</StrongName>
--- a/files/KoreBuild/modules/solutionbuild/module.targets
+++ b/files/KoreBuild/modules/solutionbuild/module.targets
@ -161,8 +161,8 @@ Executes /t:Pack on all projects matching src/*/*.csproj.
      <!-- Nupkgs or assemblies in the nupkg that should be signed -->
      <FilesToSign Include="@(_Temp)" Condition=" '%(_Temp.ShouldBeSigned)' == 'true' " />

-      <!-- Assemblies inside a nupkg that should not be signed -->
-      <FilesToExcludeFromSigning Include="@(_Temp)" Condition=" '%(_Temp.ShouldBeSigned)' == 'false' AND '%(_Temp.Container)' != ''" />
+      <!-- Nupkgs or assemblies in the nupkg that should not be signed -->
+      <FilesToExcludeFromSigning Include="@(_Temp)" Condition=" '%(_Temp.ShouldBeSigned)' != 'true' " />
    </ItemGroup>
  </Target>

--- a/test.ps1
+++ b/test.ps1
@ -11,6 +11,8 @@ param(
    [string[]]$Arguments
 )

+$ErrorActionPreference = 'Stop'
+
 if (!$NoBuild) {
    & .\build.ps1 /p:SkipTests=$true
 }
@ -22,11 +24,14 @@ foreach ($line in Get-Content $latestFile) {
    $toolsVersion = $line.Split(":")[1]
    break
 }
-$packageDir = Join-Path $toolsSource "build\"
-$versionPropsPath = Join-Path $toolsSource "dotnetpackageversion.props"
-$sourcePropsPath = Join-Path $toolsSource "source.props"
+
+mkdir "$PSScriptRoot\obj\testbuild\" -ErrorAction Ignore
+$versionPropsPath = "$PSScriptRoot\obj\testbuild\dotnetpackageversion.props"
+$sourcePropsPath = "$PSScriptRoot\obj\testbuild\source.props"

 $versionPropsValue = "<Project><PropertyGroup><InternalAspNetCoreSdkPackageVersion>$toolsVersion</InternalAspNetCoreSdkPackageVersion></PropertyGroup></Project>"
+
+$packageDir = Join-Path $toolsSource "build\"
 $sourcePropsValue = "<Project><PropertyGroup><DotNetRestoreSources>$packageDir</DotNetRestoreSources></PropertyGroup></Project>"

 Out-File -FilePath $versionPropsPath -InputObject $versionPropsValue