CI check signatures (#382)

* Fix signing on Windows and macOS
* Added signing verification steps to CI

Author: edvilme

.vsts-ci.yml

@@ -41,6 +41,7 @@ extends:
     stages:
     - stage: build
       displayName: Build
+
       jobs:
       - template: /eng/common/templates-official/jobs/jobs.yml@self
         parameters:
@@ -99,8 +100,6 @@ extends:
               - name: _OfficialBuildArgs
                 value: ''
             steps:
-            - checkout: self
-              clean: true
             - script: eng\common\cibuild.cmd
                 -configuration $(_BuildConfig)
                 -prepareMachine
@@ -112,11 +111,16 @@ extends:
               inputs:
                 sourceFolder: 'artifacts/packages/$(_BuildConfig)/Shipping/'
                 contents: '*.msi'
-                targetFolder: '$(Build.ArtifactStagingDirectory)'
+                targetFolder: '$(Build.ArtifactStagingDirectory)\artifacts'
+            - task: MicroBuildCodesignVerify@3
+              inputs:
+                TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts'
+                ExcludeSNVerify: true
+                ApprovalListPathForCerts: eng\SignVerifyIgnore.txt
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
-                PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+                PathtoPublish: '$(Build.ArtifactStagingDirectory)\artifacts'
                 ArtifactName: 'drop-windows'
                 publishLocation: 'Container'
                 parallel: true
@@ -132,28 +136,35 @@ extends:
                   _RID: osx-arm64
                 X64:
                   _RID: osx-x64
+            variables:
+            - name: _BuildConfig
+              value: Release
+            - name: _SignType
+              value: real
             steps:
-            - checkout: self
-              clean: true
             - script: eng/common/cibuild.sh
-                --sign
-                --configuration Release
+                -sign
+                --configuration $(_BuildConfig)
                 --prepareMachine
-                -p:RID=$(_RID) -p:DotNetSignType=real -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)
+                -p:RID=$(_RID) -p:DotNetSignType=$(_SignType) -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)
               displayName: Build
+            - script: |
+                codesign -dv --verbose=4 artifacts/layout/dotnet-core-uninstall/dotnet-core-uninstall
+              name: VerifySignature
+              displayName: Verify Signature
             - task: ArchiveFiles@2
               condition: eq(variables['system.pullrequest.isfork'], false)
               inputs:
                 rootFolderOrFile: 'artifacts/layout/dotnet-core-uninstall/'
                 includeRootFolder: false
                 archiveType: 'tar'
                 tarCompression: 'gz'
-                archiveFile: '$(Build.ArtifactStagingDirectory)/dotnet-core-uninstall.tar.gz'
+                archiveFile: '$(Build.ArtifactStagingDirectory)/artifacts/dotnet-core-uninstall.tar.gz'
                 replaceExistingArchive: true
             - task: 1ES.PublishBuildArtifacts@1
               condition: eq(variables['system.pullrequest.isfork'], false)
               inputs:
-                PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+                PathtoPublish: '$(Build.ArtifactStagingDirectory)/artifacts'
                 ArtifactName: 'drop-$(_RID)'
                 publishLocation: 'Container'
                 parallel: true

eng/SignVerifyIgnore.txt

@@ -0,0 +1,2 @@
+**\*.xml,ignore unsigned .xml
+**\cab*.cab.cab,ignore unsigned .cab

eng/Signing.props

@@ -1,12 +1,13 @@
 <Project>
   <PropertyGroup>
+    <DotNetCertificateName>MicrosoftDotNet500</DotNetCertificateName>
     <UseDotNetCertificate>true</UseDotNetCertificate>
   </PropertyGroup>
 
   <ItemGroup Condition="'$(RID)' == 'win-x86'">
     <FileExtensionSignInfo Include=".wixpdb" CertificateName="MicrosoftDotNet500" />
     <ItemsToSign Include="$(ArtifactsShippingPackagesDir)**\*.wixpack.zip;
-      $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi;" />
+      $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'">

src/redist/targets/MacEntitlements/AddMacEntitlements.targets

@@ -1,7 +1,12 @@
 <Project>
     <!-- Entitlements are needed but not automatically added for macOS. See https://github.com/dotnet/runtime/issues/113707 -->
     <!-- This generates an ad-hoc signature that will later be resigned, but keeps the entitlements. -->
-    <Target Name="AddMacEntitlements" AfterTargets="GenerateLayout">
+    <ItemGroup>
+        <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="$(MicrosoftVisualStudioEngMicroBuildCoreVersion)" />
+    </ItemGroup>
+    <Target Name="AddMacEntitlements" 
+        BeforeTargets="SignFiles" 
+        AfterTargets="GenerateLayout">
         <Exec Command="codesign -s - -f --entitlements $(MSBuildThisFileDirectory)entitlements.plist $(ArtifactsDir)layout/dotnet-core-uninstall/dotnet-core-uninstall" />
     </Target>
 </Project>