@ellahathaway ellahathaway commented Aug 10, 2025

Closes https://github.com/dotnet/release/issues/1417

This PR includes the following changes:

  • prep script now allows downloading multiple SDKs to dotnet/.dotnet. MicroBuild requires .NET 8, and it must be installed in the sources directory (dotnet/.dotnet)
  • VMR signing verification now allows validating files without parsing a manifest first. This is needed because we only sign two source-build artifacts and do not need to parse the entire manifest for the artifacts to validate.
  • Implemented a custom MSBuild task for signing SB artifacts
  • Source-build artifacts can now be signed and validated when the allowSigning parameter is true.

@ellahathaway ellahathaway force-pushed the sign-sb-artifacts branch 13 times, most recently from c6fca2a to 37a3c5d Compare August 14, 2025 23:35
@ellahathaway
Member Author

Signing passes but signing validation via SignCheck fails. I looked through the signing binlogs, and based on SignTool's post-signing verification & the output from MicroBuild, it appears that things are being signed correctly.

I pulled the SB artifact, ran SignCheck locally, and confirmed that nothing is signed. I also peeked into some of the NuGet packages and assemblies and verified the lack of signatures.

Not exactly sure what is causing this, but I'm investigating the following topics to see whether they are affecting the signing of these artifacts:

  1. Shipping status
  2. Strong naming
  3. Repacking of the tars

@ellahathaway ellahathaway moved this to Blocked in .NET Unified Build Aug 18, 2025

ellahathaway commented Aug 20, 2025

> Not exactly sure what is causing this

The issue was that I needed to sign the artifacts in $(Build.ArtifactStagingDirectory), not $(Build.SourcesDirectory)/artifacts.
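
The failure described in the comment above (one copy of an artifact gets signed, a different copy gets published) can be caught before publishing by comparing digests. This is an added example, not code from this PR or the dotnet repository; the function names, directory layout and file names are constructed, and it assumes the signing tool rewrites files in place and that `sha256sum` is available.

```sh
# Print every file under publish_dir whose SHA-256 matches no file under
# signed_dir, and return 1 if any is found. Signing rewrites a file, so a
# copy taken before signing has a different digest than the signed one.
# File names containing newlines are not supported.
find_unsigned_copies() {
  signed_dir=$1
  publish_dir=$2
  hashes=$(mktemp)
  list=$(mktemp)
  find "$signed_dir" -type f -exec sha256sum {} + | awk '{print $1}' | sort -u > "$hashes"
  find "$publish_dir" -type f | sort > "$list"
  rc=0
  while IFS= read -r f; do
    h=$(sha256sum "$f" | awk '{print $1}')
    if ! grep -qxF "$h" "$hashes"; then
      printf '%s\n' "${f#"$publish_dir"/}"   # path relative to publish_dir
      rc=1
    fi
  done < "$list"
  rm -f "$hashes" "$list"
  return $rc
}

# Constructed sample: two artifacts were signed in one directory, but the
# staging directory still holds a pre-signing copy of one of them.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/signed" "$root/staging"
  printf 'sdk-payload+signature' > "$root/signed/sdk.tar.gz"
  printf 'pkgs-payload+signature' > "$root/signed/artifacts.tar.gz"
  cp "$root/signed/sdk.tar.gz" "$root/staging/sdk.tar.gz"
  printf 'pkgs-payload' > "$root/staging/artifacts.tar.gz"   # stale, unsigned
  printf '%s\n' "$root"
}

sample=$(make_sample)
find_unsigned_copies "$sample/signed" "$sample/staging" || echo "gate: refuse to publish"
rm -rf "$sample"
```

A digest match only shows that the published bytes are the ones that went through signing; signature validity itself still has to be checked by the signing validation step.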


ellahathaway commented Aug 20, 2025

Working through another issue. All artifacts are signed, but not all artifacts are strong named. The issue is caused by some artifacts using the aspnetcore strong name, which is not imported by arcade's Sign.props: https://github.com/dotnet/arcade/blob/86b53945e6b6b239d68fa465e62fcf4323ff3b7b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props#L66-L71.

@ellahathaway ellahathaway force-pushed the sign-sb-artifacts branch 2 times, most recently from 6afc7e8 to bf9a52d Compare August 20, 2025 19:59
@ellahathaway
Member Author

Waiting on a new signed build, then this is ready to be published :)

@ellahathaway
Member Author

Blocked on #2022

@ellahathaway ellahathaway force-pushed the sign-sb-artifacts branch 2 times, most recently from 174d5b8 to 942ccd2 Compare August 21, 2025 21:20
@ellahathaway
Member Author

Waiting on #2232 to be merged, then this will be ready for re-review.

@ellahathaway ellahathaway enabled auto-merge (squash) September 4, 2025 19:02
@ellahathaway ellahathaway merged commit 37e7d4a into dotnet:main Sep 4, 2025
11 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in .NET Unified Build Sep 4, 2025
@ellahathaway
Member Author

/backport to release/10.0.1xx

github-actions bot commented Sep 5, 2025

@ellahathaway backporting to "release/10.0.1xx" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Adjust yamls for signing source-build artifacts
Using index info to reconstruct a base tree...
M	eng/pipelines/templates/jobs/vmr-build.yml
M	eng/pipelines/templates/stages/source-build-and-validate.yml
M	eng/pipelines/templates/stages/source-build-stages.yml
M	eng/pipelines/templates/stages/vmr-build.yml
M	eng/pipelines/templates/variables/vmr-build.yml
M	prep-source-build.sh
Falling back to patching base and 3-way merge...
Auto-merging eng/pipelines/templates/jobs/vmr-build.yml
Auto-merging eng/pipelines/templates/stages/source-build-and-validate.yml
Auto-merging eng/pipelines/templates/stages/source-build-stages.yml
Auto-merging eng/pipelines/templates/stages/vmr-build.yml
Auto-merging eng/pipelines/templates/variables/vmr-build.yml
Auto-merging prep-source-build.sh
Applying: Don't remove MicroBuild binaries in source-only builds
Applying: Prevent MSBuildLocator from signing with MicroBuild
Applying: Don't rely on manifests because we don't always download them
Applying: Infra for signing the source built artifacts
Applying: Remove duplicate sign prop check
Applying: Move signing task to UB.Tasks
Applying: Use ProcessService
Using index info to reconstruct a base tree...
A	eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Services/ProcessService.cs
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Services/ProcessService.cs deleted in HEAD and modified in Use ProcessService.  Version Use ProcessService of eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Services/ProcessService.cs left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0008 Use ProcessService
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@ellahathaway
Member Author

Needs #2291 to be merged first. Then these changes can be backported to release/10.0.1xx

@ellahathaway
Member Author

/backport to release/10.0.1xx

github-actions bot commented Sep 8, 2025

@ellahathaway backporting to "release/10.0.1xx" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Adjust yamls for signing source-build artifacts
Using index info to reconstruct a base tree...
M	eng/pipelines/templates/jobs/vmr-build.yml
M	eng/pipelines/templates/stages/source-build-and-validate.yml
M	eng/pipelines/templates/stages/source-build-stages.yml
M	eng/pipelines/templates/stages/vmr-build.yml
M	eng/pipelines/templates/stages/vmr-validation.yml
M	eng/pipelines/templates/variables/vmr-build.yml
M	prep-source-build.sh
Falling back to patching base and 3-way merge...
Auto-merging eng/pipelines/templates/jobs/vmr-build.yml
Auto-merging eng/pipelines/templates/stages/source-build-and-validate.yml
CONFLICT (content): Merge conflict in eng/pipelines/templates/stages/source-build-and-validate.yml
Auto-merging eng/pipelines/templates/stages/source-build-stages.yml
CONFLICT (content): Merge conflict in eng/pipelines/templates/stages/source-build-stages.yml
Auto-merging eng/pipelines/templates/stages/vmr-build.yml
Auto-merging eng/pipelines/templates/stages/vmr-validation.yml
Auto-merging eng/pipelines/templates/variables/vmr-build.yml
Auto-merging prep-source-build.sh
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Adjust yamls for signing source-build artifacts
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

ellahathaway added a commit to ellahathaway/dotnet that referenced this pull request Sep 8, 2025