Merged PR 667573: Sign assemblies and .exe files

Sign .exe file Related work items: #1958785
2022-06-30 23:03:58 +00:00 · 2022-06-30 23:03:58 +00:00 · 7735b4d384
--- a/Public/Sdk/Public/Managed/Tools/AppHostPatcher/AppHostPatcher.dsc
+++ b/Public/Sdk/Public/Managed/Tools/AppHostPatcher/AppHostPatcher.dsc
@ -83,9 +83,9 @@ export function patchBinary(args: Arguments) : Result {

    return {
        contents: [
-            result.getOutputFile(outputPath),
            ...contents.getContent().filter(f => contentFilter(f)),
-        ]
+        ],
+        patchOutputFile: result.getOutputFile(outputPath)
    };
 }

@ -95,7 +95,13 @@ export interface Arguments {
    targetRuntimeVersion: Managed.RuntimeVersion,
 }

+/**
+ * Binary files that AppHostPatcher patched. These files are part of Assembly.runtimeContent
+ * @patchOutputFile: This file is the executable file. Also part of 'contents' as a way to identify the patched output file.
+ */
+@@public
 export interface Result {
    contents: File[],
+    patchOutputFile: File,
 }

--- a/Public/Sdk/Public/Managed/Tools/BinarySigner/binarySignerSdk.dsc
+++ b/Public/Sdk/Public/Managed/Tools/BinarySigner/binarySignerSdk.dsc
@ -22,47 +22,57 @@ export interface SignFileInfo extends Transformer.RunnerArguments {
    signToolAadAuth : File;
 }

+/**
+ * ESRP Signer arguments
+ */
+@@public
+export interface ESRPSignArguments {
+
+    /** Sign tool path */
+    signToolPath: File;
+
+    /** Output Directory. binarySignerSdk will create a new output directory if it's not provided*/
+    outputDir?: Directory;
+}
+
 /**
 * Process ESRP Sign requirements
 */
@@public
-export const esrpSignFileInfoTemplate: SignFileInfo = Environment.getFlag("ENABLE_ESRP") ? {
-    tool: { 
-        exe : f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
-        untrackedDirectoryScopes: [
-            ...(Context.getCurrentHost().os === "win" ? [
-                d`${Context.getMount("ProgramData").path}`,
-                d`${Context.getMount("UserProfile").path}`
-            ] : [])
-        ],
-        runtimeDependencies : globR(d`${Context.getMount("ESRPClientRoot").path}`, "*"),
-    },
-    file: undefined,
-    signToolConfiguration: Environment.getFileValue("ESRP_SESSION_CONFIG"),
-    signToolEsrpPolicy: Environment.getFileValue("ESRP_POLICY_CONFIG"),
-    signToolAadAuth: f`${Context.getMount("SourceRoot").path}/Secrets/CodeSign/EsrpAuthentication.json`,
-} : undefined;
+export function esrpSignFileInfoTemplate(args: ESRPSignArguments): SignFileInfo {
+    return {
+        tool: { 
+            exe : args.signToolPath,
+            untrackedDirectoryScopes: [
+                ...(Context.getCurrentHost().os === "win" ? [
+                    d`${Context.getMount("ProgramData").path}`,
+                    d`${Context.getMount("UserProfile").path}`
+                ] : [])
+            ],
+            runtimeDependencies : globR(d`${Context.getMount("ESRPClientRoot").path}`, "*"),
+        },
+        file: undefined,
+        signToolConfiguration: Environment.getFileValue("ESRP_SESSION_CONFIG"),
+        signToolEsrpPolicy: Environment.getFileValue("ESRP_POLICY_CONFIG"),
+        signToolAadAuth: f`${Context.getMount("SourceRoot").path}/Secrets/CodeSign/EsrpAuthentication.json`,
+    };
+}

 /**
 * Returns a new file for given binary file
 */
@@public
-export function signBinary(signInfo: SignFileInfo, outputDir?: Directory): File {
-    Contract.requires(
-        Environment.getFlag("ENABLE_ESRP") === true,
-        "Environment Flag ENABLE_ESRP not set, but Binary Signing was called."
-    );
-
+export function signBinary(args: ESRPSignArguments, signInfo: SignFileInfo): File {
    Contract.requires(
        signInfo.file !== undefined,
        `Binary Signing was called for an undefined file. SignInfo: ${signInfo}`
    );
    
    if (signInfo.tool === undefined) {
-        signInfo = signInfo.override<SignFileInfo>(esrpSignFileInfoTemplate);
+        signInfo = signInfo.override<SignFileInfo>(esrpSignFileInfoTemplate(args));
    }

-    let outputDirectory = outputDir === undefined ? Context.getNewOutputDirectory("esrpSignOutput") : outputDir;
+    let outputDirectory = args.outputDir === undefined ? Context.getNewOutputDirectory("esrpSignOutput") : args.outputDir;
    let fileListJson = p`${outputDirectory}/bxlEsrpBinarySignerSdk.json`;

    let signedFile = f`${outputDirectory.path}/${signInfo.file.name}`;   // Final Output: Signed version of given file
--- a/Public/Sdk/Public/Managed/Tools/BinarySigner/module.config.dsc
+++ b/Public/Sdk/Public/Managed/Tools/BinarySigner/module.config.dsc
@ -2,5 +2,5 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.

 module({
-    name: "BuildXL.Tools.BinarySigner"
+    name: "Sdk.Managed.Tools.BinarySigner"
 });
--- a/Public/Sdk/Public/Managed/managedSdk.dsc
+++ b/Public/Sdk/Public/Managed/managedSdk.dsc
@ -9,6 +9,7 @@ import * as ResGen     from "Sdk.Managed.Tools.ResGen.Lite";
 import * as AppPatcher from "Sdk.Managed.Tools.AppHostPatcher";
 import * as Xml        from "Sdk.Xml";
 import * as Crossgen   from "Sdk.Managed.Tools.Crossgen";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";

@@public
 export * from "Sdk.Managed.Shared";
@ -348,11 +349,19 @@ function processDeploymentStyle(args: Arguments, targetType: Csc.TargetType, fra
            targetRuntimeVersion: Context.getCurrentHost().os === "win" ? qualifier.targetRuntime : Shared.TargetFrameworks.MachineQualifier.current.targetRuntime
        });

+        // When ESRP is enabled, get the patched .exe file and sign it.
+        let patchOutputFile = patchResult.patchOutputFile;
+        if (args.esrpSignArguments && patchOutputFile.extension === a`.exe`) {
+            let signInfo = BinarySigner.esrpSignFileInfoTemplate(args.esrpSignArguments).override<BinarySigner.SignFileInfo>({file: patchOutputFile});
+            patchOutputFile = BinarySigner.signBinary(args.esrpSignArguments, signInfo);
+        }
+
        runtimeContent = [
            ...(runtimeContent || []),
            // Self-Contained .NET Core deployments need a runtime and a patched application host container to be able to run on the target OS
            ...frameworkRuntimeFiles,
            ...patchResult.contents,
+            patchOutputFile,
        ];

        // When deploying self-contained dotNetCore executables we prefer to deploy the binaries that come with
@ -513,6 +522,9 @@ export interface Arguments {

    /** Number of heaps to use for ServerGC. */
    gcHeapCount?: number;
+
+    /** ESRP sign arguments */
+    esrpSignArguments?: BinarySigner.ESRPSignArguments;
 }

@@public
--- a/Public/Sdk/SelfHost/BuildXL/BuildXLSdk.Signing.dsc
+++ b/Public/Sdk/SelfHost/BuildXL/BuildXLSdk.Signing.dsc
@ -2,7 +2,7 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.

 import * as Shared from "Sdk.Managed.Shared";
-import * as BinarySigner from "BuildXL.Tools.BinarySigner";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";
 import * as Managed from "Sdk.Managed";

 namespace Signing {
@ -10,33 +10,27 @@ namespace Signing {
    
    /** Build a signed assembly */
    @@public
-    export function esrpSignAssembly(assemblyResult: Managed.Assembly) : Managed.Assembly {
-        if (!Environment.getFlag("ENABLE_ESRP")){
-            return assemblyResult;
-        }
-
-        let modifiedAssembly = assemblyResult.runtime.override<Managed.Binary>({
-            binary: esrpSignFile(assemblyResult.runtime.binary)
+    export function esrpSignAssembly(signArgs: BinarySigner.ESRPSignArguments, assemblyResult: Managed.Assembly) : Managed.Assembly {
+        let signedRuntime = assemblyResult.runtime.override<Managed.Binary>({
+            binary: esrpSignFile(signArgs, assemblyResult.runtime.binary)
+        });
+        return assemblyResult.override<Managed.Assembly>({
+            runtime : signedRuntime
        });
-        return assemblyResult.override<Managed.Assembly>({runtime : modifiedAssembly});
    }

    /**
     * Request Binary signature for a given file via ESRPClient
     */
    @@public
-    export function esrpSignFile(file: File) : File { 
+    export function esrpSignFile(signArgs: BinarySigner.ESRPSignArguments, file: File) : File { 
        Contract.requires(
            file !== undefined,
            "BuildXLSdk.esrpSignFile file argument must not be undefined."
        );

-        if (!Environment.getFlag("ENABLE_ESRP")){
-            return file;
-        }
-
        // A local esrpSignFileInfoTemplate can be introduced for specific applications of signing tool
-        let signInfo = BinarySigner.esrpSignFileInfoTemplate.override<BinarySigner.SignFileInfo>({file: file});
-        return BinarySigner.signBinary(signInfo);
+        let signInfo = BinarySigner.esrpSignFileInfoTemplate(signArgs).override<BinarySigner.SignFileInfo>({file: file});
+        return BinarySigner.signBinary(signArgs, signInfo);
    }
 }
--- a/Public/Sdk/SelfHost/BuildXL/BuildXLSdk.dsc
+++ b/Public/Sdk/SelfHost/BuildXL/BuildXLSdk.dsc
@ -15,12 +15,12 @@ import * as XUnit from "Sdk.Managed.Testing.XUnit";
 import * as QTest from "Sdk.Managed.Testing.QTest";
 import * as Frameworks from "Sdk.Managed.Frameworks";
 import * as Net472 from "Sdk.Managed.Frameworks.Net472";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";

 import * as ResXPreProcessor from "Sdk.BuildXL.Tools.ResXPreProcessor";
 import * as LogGenerator from "Sdk.BuildXL.Tools.LogGenerator";
 import * as ScriptSdkTestRunner from "Sdk.TestRunner";
 import * as Contracts from "Tse.RuntimeContracts";
-import * as BinarySigner from "BuildXL.Tools.BinarySigner";
 import * as NativeSdk from "Sdk.Native";
 import * as Json from "Sdk.Json";

@ -278,6 +278,12 @@ namespace Flags {
     */
    @@public
    export const enableRoslynAnalyzers = Environment.getFlag("[Sdk.BuildXL]enableRoslynAnalyzers");
+
+    /**
+     * Enable ESRP Signing
+     */
+    @@public
+    export const enableESRP = Environment.getFlag("ENABLE_ESRP");
 }

@@public
@ -298,7 +304,8 @@ export const dotNetFramework = isDotNetCoreBuild
@@public
 export function library(args: Arguments): Managed.Assembly {
    args = processArguments(args, "library");
-    return Signing.esrpSignAssembly(Managed.library(args));
+    let result = Managed.library(args);
+    return Flags.enableESRP ? Signing.esrpSignAssembly(args.esrpSignArguments, result) : result;
 }

 /**
@ -375,7 +382,9 @@ export function executable(args: Arguments): Managed.Assembly {
        },
    });

-    return Signing.esrpSignAssembly(Managed.executable(args));
+    let result = Managed.executable(args);
+
+    return Flags.enableESRP ? Signing.esrpSignAssembly(args.esrpSignArguments, result) : result;
 }

@@public
@ -852,6 +861,15 @@ function processArguments(args: Arguments, targetType: Csc.TargetType) : Argumen
        });
    }

+    // Add esrp arguments
+    if (Flags.enableESRP) {
+        args = args.merge({
+            esrpSignArguments: {
+                signToolPath: f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
+            }
+        });
+    }
+
    return args;
 }

@ -952,9 +970,13 @@ namespace Native {
        
        let result = NativeSdk.Dll.build(args);

-        return result.override<NativeSdk.Dll.NativeDllImage>({
-            binaryFile : Signing.esrpSignFile(result.binaryFile)
-        });
+        if (Flags.enableESRP) {
+            return result.override<NativeSdk.Dll.NativeDllImage>({
+                binaryFile : Signing.esrpSignFile(createSignArguments(), result.binaryFile)
+            });
+        }
+        
+        return result;
    }

    /** Build a native exe. ESRP signs the file if enabled.*/
@ -967,8 +989,19 @@ namespace Native {
        
        let result = NativeSdk.Exe.build(args);

-        return result.override<NativeSdk.Exe.NativeExeImage>({
-            binaryFile : Signing.esrpSignFile(result.binaryFile)
-        });
+        if (Flags.enableESRP) {
+            return result.override<NativeSdk.Exe.NativeExeImage>({
+                binaryFile : Signing.esrpSignFile(createSignArguments(), result.binaryFile)
+            });
+        }
+
+        return result;
+    }
+
+    /** Create esrp sign arguments for native dll signing */
+    function createSignArguments() : BinarySigner.ESRPSignArguments {
+        return {
+            signToolPath: f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
+        };
    }
 }
--- a/secrets/CodeSign/EsrpAuthentication.json
+++ b/secrets/CodeSign/EsrpAuthentication.json
@ -12,7 +12,7 @@
    "RequestSigningCert":
    {
        "SubjectName": "CN=d9cd26d8-6071-4476-8089-af25a8a44e1a",
-        "StoreLocation": "CurrentUser",
+            "StoreLocation": "CurrentUser",
        "StoreName": "Q Secrets"
    }
 }