Merged PR 667573: Sign assemblies and .exe files

Sign .exe file

Related work items: #1958785

Public/Sdk/Public/Managed/Tools/AppHostPatcher/AppHostPatcher.dsc

@@ -83,9 +83,9 @@ export function patchBinary(args: Arguments) : Result {
 
     return {
         contents: [
-            result.getOutputFile(outputPath),
             ...contents.getContent().filter(f => contentFilter(f)),
-        ]
+        ],
+        patchOutputFile: result.getOutputFile(outputPath)
     };
 }
 
@@ -95,7 +95,13 @@ export interface Arguments {
     targetRuntimeVersion: Managed.RuntimeVersion,
 }
 
+/**
+ * Binary files that AppHostPatcher patched. These files are part of Assembly.runtimeContent
+ * @patchOutputFile: This file is the executable file. Also part of 'contents' as a way to identify the patched output file.
+ */
+@@public
 export interface Result {
     contents: File[],
+    patchOutputFile: File,
 }
 

Public/Sdk/Public/Managed/Tools/BinarySigner/binarySignerSdk.dsc

@@ -22,13 +22,27 @@ export interface SignFileInfo extends Transformer.RunnerArguments {
     signToolAadAuth : File;
 }
 
+/**
+ * ESRP Signer arguments
+ */
+@@public
+export interface ESRPSignArguments {
+
+    /** Sign tool path */
+    signToolPath: File;
+
+    /** Output Directory. binarySignerSdk will create a new output directory if it's not provided*/
+    outputDir?: Directory;
+}
+
 /**
  * Process ESRP Sign requirements
  */
 @@public
-export const esrpSignFileInfoTemplate: SignFileInfo = Environment.getFlag("ENABLE_ESRP") ? {
+export function esrpSignFileInfoTemplate(args: ESRPSignArguments): SignFileInfo {
+    return {
         tool: { 
-        exe : f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
+            exe : args.signToolPath,
             untrackedDirectoryScopes: [
                 ...(Context.getCurrentHost().os === "win" ? [
                     d`${Context.getMount("ProgramData").path}`,
@@ -41,28 +55,24 @@ export const esrpSignFileInfoTemplate: SignFileInfo = Environment.getFlag("ENABL
         signToolConfiguration: Environment.getFileValue("ESRP_SESSION_CONFIG"),
         signToolEsrpPolicy: Environment.getFileValue("ESRP_POLICY_CONFIG"),
         signToolAadAuth: f`${Context.getMount("SourceRoot").path}/Secrets/CodeSign/EsrpAuthentication.json`,
-} : undefined;
+    };
+}
 
 /**
  * Returns a new file for given binary file
  */
 @@public
-export function signBinary(signInfo: SignFileInfo, outputDir?: Directory): File {
-    Contract.requires(
-        Environment.getFlag("ENABLE_ESRP") === true,
-        "Environment Flag ENABLE_ESRP not set, but Binary Signing was called."
-    );
-
+export function signBinary(args: ESRPSignArguments, signInfo: SignFileInfo): File {
     Contract.requires(
         signInfo.file !== undefined,
         `Binary Signing was called for an undefined file. SignInfo: ${signInfo}`
     );
     
     if (signInfo.tool === undefined) {
-        signInfo = signInfo.override<SignFileInfo>(esrpSignFileInfoTemplate);
+        signInfo = signInfo.override<SignFileInfo>(esrpSignFileInfoTemplate(args));
     }
 
-    let outputDirectory = outputDir === undefined ? Context.getNewOutputDirectory("esrpSignOutput") : outputDir;
+    let outputDirectory = args.outputDir === undefined ? Context.getNewOutputDirectory("esrpSignOutput") : args.outputDir;
     let fileListJson = p`${outputDirectory}/bxlEsrpBinarySignerSdk.json`;
 
     let signedFile = f`${outputDirectory.path}/${signInfo.file.name}`;   // Final Output: Signed version of given file

Public/Sdk/Public/Managed/Tools/BinarySigner/module.config.dsc

@@ -2,5 +2,5 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 module({
-    name: "BuildXL.Tools.BinarySigner"
+    name: "Sdk.Managed.Tools.BinarySigner"
 });

Public/Sdk/Public/Managed/managedSdk.dsc

@@ -9,6 +9,7 @@ import * as ResGen     from "Sdk.Managed.Tools.ResGen.Lite";
 import * as AppPatcher from "Sdk.Managed.Tools.AppHostPatcher";
 import * as Xml        from "Sdk.Xml";
 import * as Crossgen   from "Sdk.Managed.Tools.Crossgen";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";
 
 @@public
 export * from "Sdk.Managed.Shared";
@@ -348,11 +349,19 @@ function processDeploymentStyle(args: Arguments, targetType: Csc.TargetType, fra
             targetRuntimeVersion: Context.getCurrentHost().os === "win" ? qualifier.targetRuntime : Shared.TargetFrameworks.MachineQualifier.current.targetRuntime
         });
 
+        // When ESRP is enabled, get the patched .exe file and sign it.
+        let patchOutputFile = patchResult.patchOutputFile;
+        if (args.esrpSignArguments && patchOutputFile.extension === a`.exe`) {
+            let signInfo = BinarySigner.esrpSignFileInfoTemplate(args.esrpSignArguments).override<BinarySigner.SignFileInfo>({file: patchOutputFile});
+            patchOutputFile = BinarySigner.signBinary(args.esrpSignArguments, signInfo);
+        }
+
         runtimeContent = [
             ...(runtimeContent || []),
             // Self-Contained .NET Core deployments need a runtime and a patched application host container to be able to run on the target OS
             ...frameworkRuntimeFiles,
             ...patchResult.contents,
+            patchOutputFile,
         ];
 
         // When deploying self-contained dotNetCore executables we prefer to deploy the binaries that come with
@@ -513,6 +522,9 @@ export interface Arguments {
 
     /** Number of heaps to use for ServerGC. */
     gcHeapCount?: number;
+
+    /** ESRP sign arguments */
+    esrpSignArguments?: BinarySigner.ESRPSignArguments;
 }
 
 @@public

Public/Sdk/SelfHost/BuildXL/BuildXLSdk.Signing.dsc

@@ -2,7 +2,7 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 import * as Shared from "Sdk.Managed.Shared";
-import * as BinarySigner from "BuildXL.Tools.BinarySigner";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";
 import * as Managed from "Sdk.Managed";
 
 namespace Signing {
@@ -10,33 +10,27 @@ namespace Signing {
     
     /** Build a signed assembly */
     @@public
-    export function esrpSignAssembly(assemblyResult: Managed.Assembly) : Managed.Assembly {
-        if (!Environment.getFlag("ENABLE_ESRP")){
-            return assemblyResult;
-        }
-
-        let modifiedAssembly = assemblyResult.runtime.override<Managed.Binary>({
-            binary: esrpSignFile(assemblyResult.runtime.binary)
+    export function esrpSignAssembly(signArgs: BinarySigner.ESRPSignArguments, assemblyResult: Managed.Assembly) : Managed.Assembly {
+        let signedRuntime = assemblyResult.runtime.override<Managed.Binary>({
+            binary: esrpSignFile(signArgs, assemblyResult.runtime.binary)
+        });
+        return assemblyResult.override<Managed.Assembly>({
+            runtime : signedRuntime
         });
-        return assemblyResult.override<Managed.Assembly>({runtime : modifiedAssembly});
     }
 
     /**
      * Request Binary signature for a given file via ESRPClient
      */
     @@public
-    export function esrpSignFile(file: File) : File { 
+    export function esrpSignFile(signArgs: BinarySigner.ESRPSignArguments, file: File) : File { 
         Contract.requires(
             file !== undefined,
             "BuildXLSdk.esrpSignFile file argument must not be undefined."
         );
 
-        if (!Environment.getFlag("ENABLE_ESRP")){
-            return file;
-        }
-
         // A local esrpSignFileInfoTemplate can be introduced for specific applications of signing tool
-        let signInfo = BinarySigner.esrpSignFileInfoTemplate.override<BinarySigner.SignFileInfo>({file: file});
-        return BinarySigner.signBinary(signInfo);
+        let signInfo = BinarySigner.esrpSignFileInfoTemplate(signArgs).override<BinarySigner.SignFileInfo>({file: file});
+        return BinarySigner.signBinary(signArgs, signInfo);
     }
 }

Public/Sdk/SelfHost/BuildXL/BuildXLSdk.dsc

@@ -15,12 +15,12 @@ import * as XUnit from "Sdk.Managed.Testing.XUnit";
 import * as QTest from "Sdk.Managed.Testing.QTest";
 import * as Frameworks from "Sdk.Managed.Frameworks";
 import * as Net472 from "Sdk.Managed.Frameworks.Net472";
+import * as BinarySigner from "Sdk.Managed.Tools.BinarySigner";
 
 import * as ResXPreProcessor from "Sdk.BuildXL.Tools.ResXPreProcessor";
 import * as LogGenerator from "Sdk.BuildXL.Tools.LogGenerator";
 import * as ScriptSdkTestRunner from "Sdk.TestRunner";
 import * as Contracts from "Tse.RuntimeContracts";
-import * as BinarySigner from "BuildXL.Tools.BinarySigner";
 import * as NativeSdk from "Sdk.Native";
 import * as Json from "Sdk.Json";
 
@@ -278,6 +278,12 @@ namespace Flags {
      */
     @@public
     export const enableRoslynAnalyzers = Environment.getFlag("[Sdk.BuildXL]enableRoslynAnalyzers");
+
+    /**
+     * Enable ESRP Signing
+     */
+    @@public
+    export const enableESRP = Environment.getFlag("ENABLE_ESRP");
 }
 
 @@public
@@ -298,7 +304,8 @@ export const dotNetFramework = isDotNetCoreBuild
 @@public
 export function library(args: Arguments): Managed.Assembly {
     args = processArguments(args, "library");
-    return Signing.esrpSignAssembly(Managed.library(args));
+    let result = Managed.library(args);
+    return Flags.enableESRP ? Signing.esrpSignAssembly(args.esrpSignArguments, result) : result;
 }
 
 /**
@@ -375,7 +382,9 @@ export function executable(args: Arguments): Managed.Assembly {
         },
     });
 
-    return Signing.esrpSignAssembly(Managed.executable(args));
+    let result = Managed.executable(args);
+
+    return Flags.enableESRP ? Signing.esrpSignAssembly(args.esrpSignArguments, result) : result;
 }
 
 @@public
@@ -852,6 +861,15 @@ function processArguments(args: Arguments, targetType: Csc.TargetType) : Argumen
         });
     }
 
+    // Add esrp arguments
+    if (Flags.enableESRP) {
+        args = args.merge({
+            esrpSignArguments: {
+                signToolPath: f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
+            }
+        });
+    }
+
     return args;
 }
 
@@ -952,11 +970,15 @@ namespace Native {
         
         let result = NativeSdk.Dll.build(args);
 
+        if (Flags.enableESRP) {
             return result.override<NativeSdk.Dll.NativeDllImage>({
-            binaryFile : Signing.esrpSignFile(result.binaryFile)
+                binaryFile : Signing.esrpSignFile(createSignArguments(), result.binaryFile)
             });
         }
         
+        return result;
+    }
+
     /** Build a native exe. ESRP signs the file if enabled.*/
     @@public
     export function executable(args: NativeSdk.Exe.Arguments): NativeSdk.Exe.NativeExeImage {
@@ -967,8 +989,19 @@ namespace Native {
         
         let result = NativeSdk.Exe.build(args);
 
+        if (Flags.enableESRP) {
             return result.override<NativeSdk.Exe.NativeExeImage>({
-            binaryFile : Signing.esrpSignFile(result.binaryFile)
+                binaryFile : Signing.esrpSignFile(createSignArguments(), result.binaryFile)
             });
         }
+
+        return result;
+    }
+
+    /** Create esrp sign arguments for native dll signing */
+    function createSignArguments() : BinarySigner.ESRPSignArguments {
+        return {
+            signToolPath: f`${Environment.expandEnvironmentVariablesInString(Environment.getStringValue("SIGN_TOOL_PATH"))}`,
+        };
+    }
 }