Do you have a binlog from an arcade-validation (or some equivalent repo) build with these changes? Wondering if you've done e2e testing and also curious to see what the SignTool output looks like.

Do you have a binlog from an arcade-validation (or some equivalent repo) build with these changes? Wondering if you've done e2e testing and also curious to see what the SignTool output looks like.

Working on this validation right now.

Binlog from local validation in arcade-validation repo:
msbuild.zip

Debian signing log entries:

File /src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb is not signed.
Extracting file 'data.tar.gz' from '/src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' isNested=True
Extracting file 'hello' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello' isNested=True
Ignoring non-signable file: /src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello
Caching file hello 036E707FF7B4A823E1182FE6DF81E90A93AE44EA17A8B2F0044A11CDE169342E
Caching file data.tar.gz 57989E84E7AFBDE7A3396AC35B47F4F3553B0EF68ADC6652C70507814FA45BA2
Caching file test.deb EC14B84B6074AF3A402E8CA7AF2381373705D121EDEAC5310425FD659E23EDC2

This is with current test.deb package in arcade-validation repo. I will recheck with newer version of the package that I've prepared for this PR.

Here's the binlog from signing test that includes the updated test.deb (with signable binary, mscorlib.dll):
msbuild.zip

Log shows additional entries for this binary, i.e.:

Extracting file 'mscorlib.dll' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/39/./usr/local/bin/mscorlib.dll'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/39/./usr/local/bin/mscorlib.dll' isNested=True

Can you add another test or two that validates that the repacked deb has the expected content?

• Correct checksums/metadata
• Correct files/layout

Otherwise looks great aside from some questions/nits.

Certainly. Will do.

Binlog from local validation in arcade-validation repo: msbuild.zip

Debian signing log entries:

File /src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb is not signed.
Extracting file 'data.tar.gz' from '/src/git/arcade-validation/artifacts/packages/Debug/NonShipping/test.deb' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' isNested=True
Extracting file 'hello' from '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/data.tar.gz' to '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello'.
Tracking file '/src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello' isNested=True
Ignoring non-signable file: /src/git/arcade-validation/artifacts/tmp/Debug/ContainerSigning/38/./usr/local/bin/hello
Caching file hello 036E707FF7B4A823E1182FE6DF81E90A93AE44EA17A8B2F0044A11CDE169342E
Caching file data.tar.gz 57989E84E7AFBDE7A3396AC35B47F4F3553B0EF68ADC6652C70507814FA45BA2
Caching file test.deb EC14B84B6074AF3A402E8CA7AF2381373705D121EDEAC5310425FD659E23EDC2

This is with current test.deb package in arcade-validation repo. I will recheck with newer version of the package that I've prepared for this PR.

Binlog looks great. Thanks for validating that.

Can you add another test or two that validates that the repacked deb has the expected content?

• Correct checksums/metadata
• Correct files/layout

Otherwise looks great aside from some questions/nits.

Fixed with 3172fe5

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.

It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.

If I put back the old test.deb file (without a signable file), this test succeeds.

I can add another test DEB package, to be used by this test, but is that the right option?

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

arcade/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs

Line 2297 in 06ecc3c

public void MissingCertificateNameButExtensionIsIgnored(string extension)

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.

It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.

If I put back the old test.deb file (without a signable file), this test succeeds.

I can add another test DEB package, to be used by this test, but is that the right option?

Can we have two test deb packages? One called SignableDeb.deb and the other called UnsignableDeb.deb? I don't see harm in having two test packages.

One test is still failing: MissingCertificateNameButExtensionIsIgnored for extension: *.deb -

arcade/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs

Line 2297 in 06ecc3c

public void MissingCertificateNameButExtensionIsIgnored(string extension)

At first, this failed due to a missing deb entry in needContent Dictionary - causing the creation of dummy DEB package, which doesn't work with real unpacking code.
It is now failing due to a presence of the the signable file, since we're using the same test package for all DEB tests. New DEB package has a signable file, to be able to better test the DEB unpack/repack code.
If I put back the old test.deb file (without a signable file), this test succeeds.
I can add another test DEB package, to be used by this test, but is that the right option?

Can we have two test deb packages? One called SignableDeb.deb and the other called UnsignableDeb.deb? I don't see harm in having two test packages.

Yeah, that is an option. But, we first need to understand why this is failing and if it's a real issue. We don't want to add a test package for the sake of passing a test-case. @mmitche is going to investigate this.

Hmm, not sure why NuGet.Packaging was added - will remove.

Two commits were not reviewed so this is still blocked. Checks are now passing.