Microbuild signing #47
Changes from 6 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ | |
param( | ||
[string]$Configuration="Debug", | ||
[string]$Platform="Any CPU", | ||
[switch]$RealSign, | ||
[switch]$Help) | ||
|
||
if($Help) | ||
|
@@ -15,6 +16,7 @@ if($Help) | |
Write-Host "Options:" | ||
Write-Host " -Configuration <CONFIGURATION> Build the specified Configuration (Debug or Release, default: Debug)" | ||
Write-Host " -Platform <PLATFORM> Build the specified Platform (Any CPU)" | ||
Write-Host " -RealSign Sign the output DLLs" | ||
Write-Host " -Help Display this help message" | ||
exit 0 | ||
} | ||
|
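Review bot: The `-RealSign` help text ("Sign the output DLLs") overstates what the switch does. Later in this change the delay-sign path is gated on `'$(RunningInMicroBuild)' == 'true' AND '$(SignType)' == 'real'`, and without the switch the script still passes `SignType=public`. Suggest wording the help line to say that it requests real signing, that the default is public signing, and that it is only meaningful in a MicroBuild environment, so nobody assumes a local `-RealSign` build produced fully signed binaries.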
@@ -47,5 +49,19 @@ $env:PATH = "$env:DOTNET_INSTALL_DIR;$env:PATH" | |
# Disable first run since we want to control all package sources | ||
$env:DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 | ||
|
||
dotnet build3 $RepoRoot\build\build.proj /m /nologo /p:Configuration=$Configuration /p:Platform=$Platform | ||
if($LASTEXITCODE -ne 0) { throw "Failed to build" } | ||
$logPath = ".\bin\log" | ||
if (!(Test-Path -Path $logPath)) { | ||
New-Item -Path $logPath -Force -ItemType 'Directory' | Out-Null | ||
} | ||
|
||
$msbuildSummaryLog = Join-Path -path $logPath -childPath "sdk.log" | ||
$msbuildWarningLog = Join-Path -path $logPath -childPath "sdk.wrn" | ||
$msbuildFailureLog = Join-Path -path $logPath -childPath "sdk.err" | ||
|
||
$signType = 'public' | ||
if ($RealSign) { | ||
$signType = 'real' | ||
} | ||
|
||
dotnet build3 $RepoRoot\build\build.proj /m /nologo /p:Configuration=$Configuration /p:Platform=$Platform /p:SignType=$signType /v:m /flp1:Summary`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildSummaryLog /flp2:WarningsOnly`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildWarningLog /flp3:ErrorsOnly`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildFailureLog | ||
Is there a way to get these log files in Jenkins and VSO? I'm concerned that if we only get minimal build output to the console, debugging build failures in Jenkins is going to be hard.
Are we concerned that our Windows build looks a lot different than our Unix build? /cc @livarcocc In reply to: 74856449
I'll re-increase the command line verbosity again, I didn't mean to include that in the change.
||
if($LASTEXITCODE -ne 0) { throw "Failed to build" } |
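Review bot: `/flp1:Summary;Verbosity=diagnostic` writes a full diagnostic log to sdk.log, and MSBuild's diagnostic output includes the initial properties and the environment at the start of the build. On an agent that runs with `-RealSign`, treat that file as sensitive before publishing it as a build artifact, or lower the flp1 verbosity and keep diagnostic for on-demand debugging only. Separately, `$logPath = ".\bin\log"` is resolved against the caller's current location while build.proj is addressed through `$RepoRoot`, so the logs land in a different place depending on where the script is started; build the path from `$RepoRoot` as well.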
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
<Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), 'Directory.Build.props'))\Directory.Build.props" /> | ||
|
||
<PropertyGroup> | ||
<SignTool>$(NuGet_Packages)\roslyntools.microsoft.signtool\0.2.0-beta\tools\SignTool.exe</SignTool> | ||
</PropertyGroup> | ||
|
||
<ItemGroup> | ||
<SigningConfig Include="$(MSBuildThisFileDirectory)SignToolConfig.json"/> | ||
|
||
<!-- Make note, without actually knowing what's included in the SigningConfig, | ||
we just assume that everything in the output dir is, and treat them | ||
as inputs so that we rerun packaging if they change. --> | ||
<PackageAssets Include="$(OutDir)\*.*" Exclude="*.log" /> | ||
</ItemGroup> | ||
|
||
<Target Name="Build" Inputs="@(SigningConfig);$(PackageAssets)" Outputs="@(PackageAssets)"> | ||
<!-- If not RealSigning --> | ||
<Message Text="Skipping Real Signing" Condition="'$(SignType)'!='real'"/> | ||
|
||
<!-- If RealSigning --> | ||
<Message Text="Performing Real Signing" Condition="'$(SignType)'=='real'"/> | ||
<Exec Command="$(SignTool) -nugetPackagesPath "$(NuGet_Packages)" -config "@(SigningConfig)" "$(OutDir.TrimEnd('\'))"" | ||
This change sort of conflicts with my latest PR #46. Basically, the output assembly is getting placed into the PackagesLayout folder during build of the tasks assembly. That's the assembly that needs to be signed. What do you think about hooking the signing tool up during the Build of the tasks assembly, instead of in an outside project?
The part that tells MicroBuild what to sign is a combination of the path at the end and SignToolConfig.json. I'm not sure how this conflicts with that PR, we'll just have to pass
The tasks assembly is located in 2 places in
||
Condition="'$(SignType)'=='real'"/> | ||
</Target> | ||
</Project> |
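Review bot: In `Inputs="@(SigningConfig);$(PackageAssets)"`, `PackageAssets` is declared as an item, so `$(PackageAssets)` expands an undefined property to an empty string and the output files never count as inputs; this should be `@(PackageAssets)`. Even with that fixed, Inputs and Outputs would be largely the same files, so the timestamp comparison is not a meaningful up-to-date check for "already signed"; it is simpler to drop Inputs/Outputs and always run the target. Also, the Exec is conditioned only on `'$(SignType)'=='real'`, while the delay-sign decision in the signing settings additionally requires `RunningInMicroBuild`; using the same condition in both places would keep SignTool from running over public-signed binaries.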
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
{ | ||
sign: [ | ||
{ | ||
"certificate": "Microsoft402", | ||
"strongName": "MsSharedLib72", | ||
"values": [ | ||
"Microsoft.DotNet.Core.Build.Tasks.dll" | ||
] | ||
} | ||
], | ||
exclude: [ | ||
"Microsoft.DotNet.PlatformAbstractions.dll", | ||
I don't think we need to list these anymore. These assemblies will only be in the
||
"Microsoft.Extensions.DependencyModel.dll", | ||
"Newtonsoft.Json.dll", | ||
"NuGet.Common.dll", | ||
"Nuget.DependencyResolver.Core.dll", | ||
"NuGet.Frameworks.dll", | ||
"NuGet.LibraryModel.dll", | ||
"NuGet.Packaging.dll", | ||
"NuGet.Protocol.Core.Types.dll", | ||
"NuGet.Protocol.Core.v3.dll", | ||
"NuGet.Repositories.dll", | ||
"NuGet.RuntimeModel.dll", | ||
"NuGet.Versioning.dll", | ||
"System.Runtime.Serialization.Primitives.dll" | ||
] | ||
} |
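Review bot: The top-level keys `sign:` and `exclude:` are unquoted, which is not valid JSON and only loads if SignTool's parser is lenient; quote them as `"sign"` and `"exclude"`. In the exclude list, `"Nuget.DependencyResolver.Core.dll"` is cased differently from the other `NuGet.*` entries; if the tool compares file names case-sensitively that entry will not match, so align the casing with the file on disk.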
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
Instead of "Settings.Targets" is it more correct to call this a ".props" file?
What's the difference? I was going off the Roslyn repos.
The difference is that .targets files contain logic while .props files contain only properties. It helps people understand the intention of the file, just like any other file extension. See And see page 23 of https://microsoft.sharepoint.com/sites/mslibrary/books/Microsoft%20Press/9780735645240.pdf
Right, but the last part of that SO answer is about .Settings.Targets, which it seems to me this falls under.
Why would we use 2 conventions?
👍 Let's stick to a convention
||
<Import Project="..\..\Directory.Build.props" /> | ||
<PropertyGroup> | ||
<TargetFrameworkIdentifier>.NETCoreApp</TargetFrameworkIdentifier> | ||
<TargetFrameworkVersion>v1.0</TargetFrameworkVersion> | ||
<CopyBuildOutputToOutputDirectory>false</CopyBuildOutputToOutputDirectory> | ||
<CopyOutputSymbolsToOutputDirectory>false</CopyOutputSymbolsToOutputDirectory> | ||
<OutputType>Library</OutputType> | ||
<GenerateDependencyFile>false</GenerateDependencyFile> | ||
<ResolvePackageDependenciesForBuild>false</ResolvePackageDependenciesForBuild> | ||
<NonShipping>true</NonShipping> | ||
</PropertyGroup> | ||
</Project> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
<PropertyGroup> | ||
<ShouldSignBuild Condition="'$(RunningInMicroBuild)' == 'true' AND '$(SignType)' == 'real'">true</ShouldSignBuild> | ||
Yep, that's the correct variable name.
||
<StrongNameCertificate Condition="'$(StrongNameCertificate)' == ''">MicrosoftShared</StrongNameCertificate> | ||
<BuildDirPath Condition="'$(BuildDirPath)'==''">$(MSBuildThisFileDirectory)\..\</BuildDirPath> | ||
<RoslynInternalKey>002400000480000094000000060200000024000052534131000400000100010055e0217eb635f69281051f9a823e0c7edd90f28063eb6c7a742a19b4f6139778ee0af438f47aed3b6e9f99838aa8dba689c7a71ddb860c96d923830b57bbd5cd6119406ddb9b002cf1c723bf272d6acbb7129e9d6dd5a5309c94e0ff4b2c884d45a55f475cd7dba59198086f61f5a8c8b5e601c0edbf269733f6f578fc8579c2</RoslynInternalKey> | ||
</PropertyGroup> | ||
|
||
<Choose> | ||
<When Condition="'$(SignAssembly)' == 'true'"> | ||
<Choose> | ||
<!-- Shipping binaries in an "official" build are delay-signed with the MS key; later, the signing | ||
system will finish the strong-name signing. --> | ||
<When Condition="'$(NonShipping)' != 'true'"> | ||
|
||
<Choose> | ||
<!-- DelaySign if we're real signing, otherwise public sign --> | ||
<When Condition="'$(ShouldSignBuild)' == 'true'"> | ||
<PropertyGroup> | ||
<DelaySign>true</DelaySign> | ||
</PropertyGroup> | ||
</When> | ||
<Otherwise> | ||
<PropertyGroup> | ||
<PublicSign>true</PublicSign> | ||
</PropertyGroup> | ||
</Otherwise> | ||
</Choose> | ||
|
||
<Choose> | ||
<When Condition="'$(StrongNameCertificate)' == 'Microsoft'"> | ||
<PropertyGroup> | ||
<AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\MSFT.snk</AssemblyOriginatorKeyFile> | ||
<PublicKey>002400000480000094000000060200000024000052534131000400000100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4963d261c8a12436518206dc093344d5ad293</PublicKey> | ||
<PublicKeyToken>b03f5f7f11d50a3a</PublicKeyToken> | ||
<StrongNameCertificateFriendlyId>67</StrongNameCertificateFriendlyId> | ||
</PropertyGroup> | ||
</When> | ||
|
||
<When Condition="'$(StrongNameCertificate)' == 'MicrosoftShared'"> | ||
<PropertyGroup> | ||
<AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile> | ||
<PublicKey>0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9</PublicKey> | ||
<PublicKeyToken>31BF3856AD364E35</PublicKeyToken> | ||
<StrongNameCertificateFriendlyId>72</StrongNameCertificateFriendlyId> | ||
</PropertyGroup> | ||
</When> | ||
|
||
</Choose> | ||
|
||
</When> | ||
|
||
<!-- Non-shipping binaries are simply signed with the Roslyn internal key. --> | ||
<Otherwise> | ||
<PropertyGroup> | ||
<AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\RoslynInternalKey.Private.snk</AssemblyOriginatorKeyFile> | ||
<DelaySign>false</DelaySign> | ||
<PublicKey>$(RoslynInternalKey)</PublicKey> | ||
<PublicKeyToken>fc793a00266884fb</PublicKeyToken> | ||
</PropertyGroup> | ||
</Otherwise> | ||
</Choose> | ||
</When> | ||
</Choose> | ||
|
||
<!-- Because https://github.com/dotnet/roslyn/issues/7812 is not yet fixed, the IDE doesn't know if we set the PublicSign | ||
flag. As a result, all design-time builds will thing we're real-signing, which causes semantics to get all screwed up. | ||
The workaround for now is, for design-time builds only, to pass the DelaySign flag since that's "good enough". This | ||
must be done in a target versus conditioning on BuildingProject, since BuildingProject itself is correctly set in a | ||
target. --> | ||
<Target Name="FixPublicSignFlagForDesignTimeBuilds" BeforeTargets="CoreCompile" Condition="'$(PublicSign)' == 'true'"> | ||
<PropertyGroup Condition="'$(BuildingProject)' == 'false'"> | ||
<!-- Turn off PublicSign, because leaving both to true will make the Csc task unhappy --> | ||
<PublicSign>false</PublicSign> | ||
<DelaySign>true</DelaySign> | ||
</PropertyGroup> | ||
</Target> | ||
|
||
</Project> |
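Review bot: The inner `<Choose>` on `$(StrongNameCertificate)` has `<When>` branches only for 'Microsoft' and 'MicrosoftShared' and no `<Otherwise>`, so any other value leaves `DelaySign` or `PublicSign` set with no `AssemblyOriginatorKeyFile` or `PublicKey`. Add a target that raises an `<Error>` when `'$(SignAssembly)' == 'true'` and `AssemblyOriginatorKeyFile` is empty, naming the accepted values, so a typo fails fast instead of surfacing as a compiler error. Smaller points: the non-shipping branch signs with `RoslynInternalKey.Private.snk` and `DelaySign` false, which requires that private key file under `$(BuildDirPath)Strong Name Keys\`, so the comment above it should say the key provides identity only and is not a secret; `PublicKeyToken` is lower-case in one branch and upper-case in the other; and "thing" in the design-time comment should read "think".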
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,13 +14,14 @@ | |
|
||
<ItemGroup> | ||
<SolutionFile Include="$(RepositoryRootDirectory)core-sdk.sln" /> | ||
<SigningProjectFile Include="$(RepositoryRootDirectory)build\Signing\Microsoft.DotNet.Core.Signing.proj"/> | ||
<NuGetProjectFile Include="$(RepositoryRootDirectory)build\Nuget\Microsoft.DotNet.Core.Nuget.proj" /> | ||
</ItemGroup> | ||
|
||
<Target Name="RestorePackages"> | ||
|
||
<Message Text="Restoring packages for %(SolutionFile.Filename)" Importance="high" /> | ||
|
||
<Exec Command="$(DotNetTool) restore --verbosity Minimal" | ||
WorkingDirectory="$(RepositoryRootDirectory)" | ||
/> | ||
|
@@ -29,7 +30,7 @@ | |
<Target Name="BuildSolution"> | ||
|
||
<Message Text="Building %(SolutionFile.Filename) [$(Configuration)]" Importance="high" /> | ||
|
||
<MSBuild BuildInParallel="true" | ||
Projects="@(SolutionFile)" | ||
Targets="Build" | ||
|
@@ -47,7 +48,16 @@ | |
Properties="$(CommonMSBuildGlobalProperties)" | ||
/> | ||
</Target> | ||
|
||
|
||
<Target Name="SignPackages"> | ||
|
||
<MSBuild BuildInParallel="true" | ||
We should ensure that
||
Projects="@(SigningProjectFile)" | ||
Targets="Build" | ||
Properties="$(CommonMSBuildGlobalProperties)" | ||
/> | ||
</Target> | ||
|
||
<Target Name="BuildNuGetPackages"> | ||
|
||
<MSBuild BuildInParallel="true" | ||
|
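Review bot: `SignPackages` is named for packages, but in the `Build` ordering it runs before `BuildNuGetPackages` and the signing project passes `$(OutDir)` to SignTool, so what it signs is assemblies, not .nupkg files. Rename it (for example SignAssemblies) so the target list reads correctly, and consider `Condition="'$(SignType)'=='real'"` on the target itself so non-signing builds skip the extra project evaluation. `BuildInParallel="true"` has no effect with a single `SigningProjectFile`.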
@@ -76,14 +86,14 @@ | |
<ItemGroup> | ||
<ProductAssets Include="$(OutDir)\*" /> | ||
</ItemGroup> | ||
|
||
<Message Text="Running tests for %(SolutionFile.Filename) [$(Configuration)]" Importance="high" /> | ||
|
||
<!-- Copy all the product assemblies to the test directory, so the tests can load them. --> | ||
<Copy SourceFiles="@(ProductAssets)" | ||
DestinationFolder="$(TestsDirectory)" | ||
/> | ||
|
||
<Exec Command="$(DotNetTool) "$(TestsDirectory)\xunit.console.netcore.exe" "@(TestAssembly, '" "')" -xml "@(XmlTestFile)"" | ||
LogStandardErrorAsError="true" | ||
WorkingDirectory="$(TestsDirectory)" | ||
|
@@ -96,7 +106,7 @@ | |
|
||
</Target> | ||
|
||
<Target Name="Build" DependsOnTargets="RestorePackages;BuildSolution;BuildNuGetPackages;Test" /> | ||
<Target Name="Rebuild" DependsOnTargets="RestorePackages;RebuildSolution;RebuildNuGetPackages;Test" /> | ||
<Target Name="Build" DependsOnTargets="RestorePackages;BuildSolution;SignPackages;BuildNuGetPackages;Test" /> | ||
<Target Name="Rebuild" DependsOnTargets="RestorePackages;RebuildSolution;SignPackages;RebuildNuGetPackages;Test" /> | ||
|
||
</Project> |
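Review bot: Nothing between `SignPackages` and `BuildNuGetPackages` in the new `DependsOnTargets` lists checks the result of signing, so an assembly that was delay-signed but is not listed under `sign` in SignToolConfig.json would still be packed. Consider a verification step after `SignPackages` on real-sign builds (for example `sn.exe -vf` over the shipping assemblies) that fails the build before packaging.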
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
<Import Project="..\..\..\build\Targets\ProducesNoOutput.Settings.targets" /> | ||
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" /> | ||
<PropertyGroup> | ||
<ProjectGuid>{98883ACD-BE3A-4533-953D-1BE25981BA02}</ProjectGuid> | ||
<ProjectTypeGuids>{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids> | ||
</PropertyGroup> | ||
<ItemGroup> | ||
<Content Include="project.json" /> | ||
</ItemGroup> | ||
<Import Project="..\..\..\build\Targets\ProducesNoOutput.Imports.targets" /> | ||
</Project> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
{ | ||
"dependencies": { | ||
"RoslynTools.Microsoft.SignTool": "0.2.0-beta", | ||
"Microbuild.Core" : "0.2.0" | ||
Are we using Microbuild or plain VSO?
MicroBuild. Signtool shells out to the native MSBuild (that's not xplat) and signs that way.
||
}, | ||
"frameworks": { | ||
".netcoreapp1.0": {} | ||
} | ||
} |
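Review bot: The `0.2.0-beta` version of `RoslynTools.Microsoft.SignTool` is repeated in the signing project's `<SignTool>` path (`roslyntools.microsoft.signtool\0.2.0-beta\tools\SignTool.exe`), so bumping the dependency here silently breaks that path. Add a comment in both places noting the coupling, and have the signing target check that `$(SignTool)` exists and fail with a clear message when it does not.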
I think you should use $RepoRoot here, so the script can be run from anywhere.