Enable Unpacking, repacking, signing, and notarization of .pkg files and .app bundles #15206

ellahathaway · 2024-10-29T17:03:38Z

Related to #14438

This is the second part of #14438. This PR integrates the pkg tool, introduced in #15205, into SignTool. More specifically, this PR enables the unpacking and repacking of .pkgs and nested .app bundles within SignTool & adds tests & test data for this functionality into SignTool.Tests.

This is a rather large change, including quite a lot of refactoring as SignTool is becoming a bit bloated. Highlights

Removed the use of ITaskItem in the signtool sources, aside from the task. It made no sense to have some data passed around as MSBuild items, and others passed around formalized types. Introduce new types where needed.
Notarization is supported via a "dual sign" mechanism similar to a dual sign certificate. At some point, we may want to change this model and make notarization a separate concept (a new signing information type). For now, I deemed that approach too invasive. Right now, there are special certs for Mac that represent both notarization and signing. When those certs are used. Signtool will both sign and notarize the file, in separate passes.
Rework the pkg tooling to use the command line API
Minimally tweak the build manifest model to support the new signing data. I think this should be removed altogether in Remove signing information from the build manifest models #15415
Add various tests for new pkg tooling, corner case tests for old bugs.
If files did not have a matching extension or strong name sign info, they wouldn't get signed even if they had an explicit cert specified. Fix this.

There is more follow on work to be done here. Signtool is due for a major refactor to deal with all the various archive types it now supports. There is far too much "If ".

…-unpack-repack-pkg

Co-authored-by: Ella Hathaway <[email protected]>

…ol-unpack-repack-pkg

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props

src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs

src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props

…athaway/arcade into signtool-unpack-repack-pkg

…ack-pkg

mmitche · 2025-01-14T22:01:54Z

Readddy for review!

ViktorHofer · 2025-01-15T11:52:16Z

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj

@@ -20,6 +20,7 @@
  </PropertyGroup>

  <Import Project="BuildStep.props" />
+  <Import Project="TargetFrameworkDefaults.props" />


I don't see this import being used anywhere below. I don't think that the Arcade TFM properties can be used.

I think I had this in there to use NetToolCurrent for the command line tools. Updated

…ack-pkg

ellahathaway · 2025-01-15T19:02:53Z

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj

@@ -57,6 +58,9 @@

      <!-- SN is only available on Windows -->
      <SNBinaryPath Condition="$([MSBuild]::IsOSPlatform('Windows'))">$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe</SNBinaryPath>
+
+      <!-- .pkgs and .app bundle tooling is only available on MacOS -->
+      <PkgToolPath Condition="$([MSBuild]::IsOSPlatform('OSX'))">$(NuGetPackageRoot)microsoft.dotnet.macospkg\$(MicrosoftDotNetMacOsPkgVersion)\tools\net10.0\any\Microsoft.Dotnet.MacOsPkg.dll</PkgToolPath>


Is there a way to use a prop for net10.0? I think the hardcoded version will cause issues when we eventually update the target framework.

$(NetToolCurrent). I'll try it.

src/Microsoft.DotNet.MacOsPkg/AppBundle.cs

src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs

src/Microsoft.DotNet.SignTool/src/ZipData.cs

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props

Co-authored-by: Ella Hathaway <[email protected]>

src/Microsoft.DotNet.SignTool/ItemToSign.cs

…athaway/arcade into signtool-unpack-repack-pkg

ellahathaway

I cannot approve because I’m technically the author of the PR, but the changes look good to me. Thanks for all the work you did on this, Matt.

src/Microsoft.DotNet.SignTool/src/Configuration.cs

mmitche · 2025-01-16T15:12:30Z

Test build with mac signing enabled: https://dev.azure.com/dnceng/internal/_build/results?buildId=2622013&view=results
aspnetcore build with new sign tool: https://dev.azure.com/dnceng/internal/_build/results?buildId=2622014&view=results
sdk build with new sign tool: https://dev.azure.com/dnceng/internal/_build/results?buildId=2622037&view=results

Integrate Pkg Tool into SignTool

404f889

ellahathaway changed the title ~~Integrate Pkg Tool into SignTool~~ Enable Unpacking and Repacking of .pkg files and .app bundles Oct 29, 2024

This was referenced Oct 29, 2024

Enable unpack/repack of .pkg containers #14438

Closed

Enable signing and notarization of .pkg files using SignTool #14435

Closed

ellahathaway added a commit to ellahathaway/arcade that referenced this pull request Oct 31, 2024

Remove tool from SignTool tests - will be added in dotnet#15206

3e81076

ellahathaway and others added 7 commits November 21, 2024 23:47

Merge branch 'main' of https://github.com/dotnet/arcade into signtool…

764e87f

…-unpack-repack-pkg

Change name to MacOSPkg

e278e73

Rename repack to pack

5bba3de

Re-add netframework targeting for Tools.proj PackageRef compat

73a862d

Update src/Microsoft.DotNet.MacOsPkg/Microsoft.DotNet.MacOsPkg.csproj

4c34a11

Co-authored-by: Ella Hathaway <[email protected]>

Update src/Microsoft.DotNet.MacOsPkg/Microsoft.DotNet.MacOsPkg.csproj

dc7d4aa

Co-authored-by: Ella Hathaway <[email protected]>

Merge remote-tracking branch 'origin/target-netframework' into signto…

c545ecc

…ol-unpack-repack-pkg

mmitche marked this pull request as ready for review November 22, 2024 18:22