Microbuild signing

Directory.Build.props

@@ -27,4 +27,8 @@
 
     <NuGet_Packages Condition=" '$(NuGet_Packages)' == ''">$(RepositoryRootDirectory)packages\</NuGet_Packages>
   </PropertyGroup>
+
+  <PropertyGroup>
+    <SignAssembly Condition="'$(SignAssembly)'==''">true</SignAssembly>
+  </PropertyGroup>
 </Project>

NuGet.config

@@ -6,6 +6,7 @@
     <add key="nugetbuild" value="https://www.myget.org/F/nugetbuild/api/v3/index.json" />
     <add key="dotnet-buildtools" value="https://dotnet.myget.org/F/dotnet-buildtools/api/v3/index.json" />
     <add key="dotnet-core" value="https://dotnet.myget.org/F/dotnet-core/api/v3/index.json" />
+    <add key="roslyn-tools" value="https://dotnet.myget.org/F/roslyn-tools/api/v3/index.json" />
     <add key="api.nuget.org" value="https://api.nuget.org/v3/index.json" />
   </packageSources>
 </configuration>

build.ps1

@@ -6,6 +6,7 @@
 param(
     [string]$Configuration="Debug",
     [string]$Platform="Any CPU",
+    [switch]$RealSign,
     [switch]$Help)
 
 if($Help)
@@ -15,6 +16,7 @@ if($Help)
     Write-Host "Options:"
     Write-Host "  -Configuration <CONFIGURATION>     Build the specified Configuration (Debug or Release, default: Debug)"
     Write-Host "  -Platform <PLATFORM>               Build the specified Platform (Any CPU)"
+    Write-Host "  -RealSign                          Sign the output DLLs"
     Write-Host "  -Help                              Display this help message"
     exit 0
 }
@@ -47,5 +49,19 @@ $env:PATH = "$env:DOTNET_INSTALL_DIR;$env:PATH"
 # Disable first run since we want to control all package sources
 $env:DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
 
-dotnet build3 $RepoRoot\build\build.proj /m /nologo /p:Configuration=$Configuration /p:Platform=$Platform
-if($LASTEXITCODE -ne 0) { throw "Failed to build" }
+$logPath = ".\bin\log"
+if (!(Test-Path -Path $logPath)) {
+    New-Item -Path $logPath -Force -ItemType 'Directory' | Out-Null
+}
+
+$msbuildSummaryLog = Join-Path -path $logPath -childPath "sdk.log"
+$msbuildWarningLog = Join-Path -path $logPath -childPath "sdk.wrn"
+$msbuildFailureLog = Join-Path -path $logPath -childPath "sdk.err"
+
+$signType = 'public'
+if ($RealSign) {
+    $signType = 'real'
+}
+
+dotnet build3 $RepoRoot\build\build.proj /m /nologo /p:Configuration=$Configuration /p:Platform=$Platform /p:SignType=$signType /v:m /flp1:Summary`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildSummaryLog /flp2:WarningsOnly`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildWarningLog /flp3:ErrorsOnly`;Verbosity=diagnostic`;Encoding=UTF-8`;LogFile=$msbuildFailureLog
+if($LASTEXITCODE -ne 0) { throw "Failed to build" }

build/Signing/Microsoft.DotNet.Core.Signing.proj

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), 'Directory.Build.props'))\Directory.Build.props" />
+
+  <PropertyGroup>
+    <SignTool>$(NuGet_Packages)\roslyntools.microsoft.signtool\0.2.0-beta\tools\SignTool.exe</SignTool>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <SigningConfig Include="$(MSBuildThisFileDirectory)SignToolConfig.json"/>
+
+    <!-- Make note, without actually knowing what's included in the SigningConfig,
+         we just assume that everything in the output dir is, and treat them
+         as inputs so that we rerun packaging if they change. -->
+    <PackageAssets Include="$(OutDir)\*.*" Exclude="*.log" />
+  </ItemGroup>
+
+  <Target Name="Build" Inputs="@(SigningConfig);$(PackageAssets)" Outputs="@(PackageAssets)">
+    <!-- If not RealSigning -->
+    <Message Text="Skipping Real Signing" Condition="'$(SignType)'!='real'"/>
+
+    <!-- If RealSigning -->
+    <Message Text="Performing Real Signing" Condition="'$(SignType)'=='real'"/>
+    <Exec Command="$(SignTool) -nugetPackagesPath &quot;$(NuGet_Packages)&quot; -config &quot;@(SigningConfig)&quot; &quot;$(OutDir.TrimEnd('\'))&quot;"
+          Condition="'$(SignType)'=='real'"/>
+  </Target>
+</Project>

build/Signing/SignToolConfig.json

@@ -0,0 +1,27 @@
+{
+    sign: [
+        {
+            "certificate": "Microsoft402",
+            "strongName": "MsSharedLib72",
+            "values": [
+                "Microsoft.DotNet.Core.Build.Tasks.dll"
+            ]
+        }
+    ],
+    exclude: [
+        "Microsoft.DotNet.PlatformAbstractions.dll",
+        "Microsoft.Extensions.DependencyModel.dll",
+        "Newtonsoft.Json.dll",
+        "NuGet.Common.dll",
+        "Nuget.DependencyResolver.Core.dll",
+        "NuGet.Frameworks.dll",
+        "NuGet.LibraryModel.dll",
+        "NuGet.Packaging.dll",
+        "NuGet.Protocol.Core.Types.dll",
+        "NuGet.Protocol.Core.v3.dll",
+        "NuGet.Repositories.dll",
+        "NuGet.RuntimeModel.dll",
+        "NuGet.Versioning.dll",
+        "System.Runtime.Serialization.Primitives.dll"
+    ]
+}

build/Targets/ProducesNoOutput.Imports.targets

@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="Signing.Imports.targets"/>
   <Choose>
     <When Condition="'$(ProjectLanguage)' == 'CSharp'">
       <PropertyGroup>

build/Targets/ProducesNoOutput.Settings.Targets

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\..\Directory.Build.props" />
+  <PropertyGroup>
+    <TargetFrameworkIdentifier>.NETCoreApp</TargetFrameworkIdentifier>
+    <TargetFrameworkVersion>v1.0</TargetFrameworkVersion>
+    <CopyBuildOutputToOutputDirectory>false</CopyBuildOutputToOutputDirectory>
+    <CopyOutputSymbolsToOutputDirectory>false</CopyOutputSymbolsToOutputDirectory>
+    <OutputType>Library</OutputType>
+    <GenerateDependencyFile>false</GenerateDependencyFile>
+    <ResolvePackageDependenciesForBuild>false</ResolvePackageDependenciesForBuild>
+    <NonShipping>true</NonShipping>
+  </PropertyGroup>
+</Project>

build/Targets/Signing.Imports.targets

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <ShouldSignBuild Condition="'$(RunningInMicroBuild)' == 'true' AND '$(SignType)' == 'real'">true</ShouldSignBuild>
+    <StrongNameCertificate Condition="'$(StrongNameCertificate)' == ''">MicrosoftShared</StrongNameCertificate>
+    <BuildDirPath Condition="'$(BuildDirPath)'==''">$(MSBuildThisFileDirectory)\..\</BuildDirPath>
+    <RoslynInternalKey>002400000480000094000000060200000024000052534131000400000100010055e0217eb635f69281051f9a823e0c7edd90f28063eb6c7a742a19b4f6139778ee0af438f47aed3b6e9f99838aa8dba689c7a71ddb860c96d923830b57bbd5cd6119406ddb9b002cf1c723bf272d6acbb7129e9d6dd5a5309c94e0ff4b2c884d45a55f475cd7dba59198086f61f5a8c8b5e601c0edbf269733f6f578fc8579c2</RoslynInternalKey>
+  </PropertyGroup>
+
+  <Choose>
+    <When Condition="'$(SignAssembly)' == 'true'">
+      <Choose>
+        <!-- Shipping binaries in an "official" build are delay-signed with the MS key; later, the signing
+             system will finish the strong-name signing. -->
+        <When Condition="'$(NonShipping)' != 'true'">
+
+          <Choose>
+            <!-- DelaySign if we're real signing, otherwise public sign -->
+            <When Condition="'$(ShouldSignBuild)' == 'true'">
+              <PropertyGroup>
+                <DelaySign>true</DelaySign>
+              </PropertyGroup>
+            </When>
+            <Otherwise>
+              <PropertyGroup>
+                <PublicSign>true</PublicSign>
+              </PropertyGroup>
+            </Otherwise>
+          </Choose>
+
+          <Choose>
+            <When Condition="'$(StrongNameCertificate)' == 'Microsoft'">
+              <PropertyGroup>
+                <AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\MSFT.snk</AssemblyOriginatorKeyFile>
+                <PublicKey>002400000480000094000000060200000024000052534131000400000100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4963d261c8a12436518206dc093344d5ad293</PublicKey>
+                <PublicKeyToken>b03f5f7f11d50a3a</PublicKeyToken>
+                <StrongNameCertificateFriendlyId>67</StrongNameCertificateFriendlyId>
+              </PropertyGroup>
+            </When>
+
+            <When Condition="'$(StrongNameCertificate)' == 'MicrosoftShared'">
+              <PropertyGroup>
+                <AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
+                <PublicKey>0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9</PublicKey>
+                <PublicKeyToken>31BF3856AD364E35</PublicKeyToken>
+                <StrongNameCertificateFriendlyId>72</StrongNameCertificateFriendlyId>
+              </PropertyGroup>
+            </When>
+
+          </Choose>
+
+        </When>
+
+        <!-- Non-shipping binaries are simply signed with the Roslyn internal key. -->
+        <Otherwise>
+          <PropertyGroup>
+            <AssemblyOriginatorKeyFile>$(BuildDirPath)Strong Name Keys\RoslynInternalKey.Private.snk</AssemblyOriginatorKeyFile>
+            <DelaySign>false</DelaySign>
+            <PublicKey>$(RoslynInternalKey)</PublicKey>
+            <PublicKeyToken>fc793a00266884fb</PublicKeyToken>
+          </PropertyGroup>
+        </Otherwise>
+      </Choose>
+    </When>
+  </Choose>
+
+  <!-- Because https://github.com/dotnet/roslyn/issues/7812 is not yet fixed, the IDE doesn't know if we set the PublicSign
+       flag. As a result, all design-time builds will thing we're real-signing, which causes semantics to get all screwed up.
+       The workaround for now is, for design-time builds only, to pass the DelaySign flag since that's "good enough". This
+       must be done in a target versus conditioning on BuildingProject, since BuildingProject itself is correctly set in a
+       target. -->
+  <Target Name="FixPublicSignFlagForDesignTimeBuilds" BeforeTargets="CoreCompile" Condition="'$(PublicSign)' == 'true'">
+    <PropertyGroup Condition="'$(BuildingProject)' == 'false'">
+      <!-- Turn off PublicSign, because leaving both to true will make the Csc task unhappy -->
+      <PublicSign>false</PublicSign>
+      <DelaySign>true</DelaySign>
+    </PropertyGroup>
+  </Target>
+
+</Project>

build/build.proj

@@ -14,13 +14,14 @@
 
   <ItemGroup>
     <SolutionFile Include="$(RepositoryRootDirectory)core-sdk.sln" />
+    <SigningProjectFile Include="$(RepositoryRootDirectory)build\Signing\Microsoft.DotNet.Core.Signing.proj"/>
     <NuGetProjectFile Include="$(RepositoryRootDirectory)build\Nuget\Microsoft.DotNet.Core.Nuget.proj" />
   </ItemGroup>
 
   <Target Name="RestorePackages">
 
     <Message Text="Restoring packages for %(SolutionFile.Filename)" Importance="high" />
-    
+
     <Exec Command="$(DotNetTool) restore --verbosity Minimal"
           WorkingDirectory="$(RepositoryRootDirectory)"
           />
@@ -29,7 +30,7 @@
   <Target Name="BuildSolution">
 
     <Message Text="Building %(SolutionFile.Filename) [$(Configuration)]" Importance="high" />
-    
+
     <MSBuild BuildInParallel="true"
              Projects="@(SolutionFile)"
              Targets="Build"
@@ -47,7 +48,16 @@
              Properties="$(CommonMSBuildGlobalProperties)"
              />
   </Target>
-
+
+  <Target Name="SignPackages">
+
+    <MSBuild BuildInParallel="true"
+             Projects="@(SigningProjectFile)"
+             Targets="Build"
+             Properties="$(CommonMSBuildGlobalProperties)"
+             />
+  </Target>
+
   <Target Name="BuildNuGetPackages">
 
     <MSBuild BuildInParallel="true"
@@ -76,14 +86,14 @@
     <ItemGroup>
       <ProductAssets Include="$(OutDir)\*" />
     </ItemGroup>
-    
+
     <Message Text="Running tests for %(SolutionFile.Filename) [$(Configuration)]" Importance="high" />
 
     <!-- Copy all the product assemblies to the test directory, so the tests can load them. -->
     <Copy SourceFiles="@(ProductAssets)"
           DestinationFolder="$(TestsDirectory)"
           />
-    
+
     <Exec Command="$(DotNetTool) &quot;$(TestsDirectory)\xunit.console.netcore.exe&quot; &quot;@(TestAssembly, '&quot; &quot;')&quot; -xml &quot;@(XmlTestFile)&quot;"
           LogStandardErrorAsError="true"
           WorkingDirectory="$(TestsDirectory)"
@@ -96,7 +106,7 @@
 
   </Target>
 
-  <Target Name="Build" DependsOnTargets="RestorePackages;BuildSolution;BuildNuGetPackages;Test" />
-  <Target Name="Rebuild" DependsOnTargets="RestorePackages;RebuildSolution;RebuildNuGetPackages;Test" />
+  <Target Name="Build" DependsOnTargets="RestorePackages;BuildSolution;SignPackages;BuildNuGetPackages;Test" />
+  <Target Name="Rebuild" DependsOnTargets="RestorePackages;RebuildSolution;SignPackages;RebuildNuGetPackages;Test" />
 
 </Project>

core-sdk.sln

@@ -25,12 +25,20 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Nuget", "Nuget", "{13EE1E3C
 		build\Nuget\Microsoft.DotNet.Core.Sdk.nuspec = build\Nuget\Microsoft.DotNet.Core.Sdk.nuspec
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Signing", "Signing", "{385C3C61-B7FC-4447-A88D-6D018B7CE5E4}"
+	ProjectSection(SolutionItems) = preProject
+		build\Signing\Microsoft.DotNet.Core.Signing.proj = build\Signing\Microsoft.DotNet.Core.Signing.proj
+		build\Signing\SignToolConfig.json = build\Signing\SignToolConfig.json
+	EndProjectSection
+EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DotNet.Core.Build.Tasks.UnitTests", "src\Tasks\Microsoft.DotNet.Core.Build.Tasks.UnitTests\Microsoft.DotNet.Core.Build.Tasks.UnitTests.csproj", "{6A698C1D-F604-4295-B6FC-7FC726F9FE5F}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Dependencies", "Dependencies", "{3B295650-6CBF-486F-9E25-F96EE03B7CAE}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "xUnit.net", "src\Dependencies\xUnit.net\xUnit.net.csproj", "{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SignTool", "src\Dependencies\SignTool\SignTool.csproj", "{98883ACD-BE3A-4533-953D-1BE25981BA02}"
+EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Targets", "Targets", "{0C1312C0-0A29-4EB2-8294-6D1C54D78F61}"
 	ProjectSection(SolutionItems) = preProject
 		build\Targets\ProducesNoOutput.Imports.targets = build\Targets\ProducesNoOutput.Imports.targets
@@ -54,15 +62,21 @@ Global
 		{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A}.Release|Any CPU.Build.0 = Release|Any CPU
+		{98883ACD-BE3A-4533-953D-1BE25981BA02}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{98883ACD-BE3A-4533-953D-1BE25981BA02}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{98883ACD-BE3A-4533-953D-1BE25981BA02}.Release|Any CPU.ActiveCfg = Debug|Any CPU
+		{98883ACD-BE3A-4533-953D-1BE25981BA02}.Release|Any CPU.Build.0 = Debug|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{DF7D2697-B3B4-45C2-8297-27245F528A99} = {1FEED16D-E07D-47C1-BB4C-56CD9F42B53B}
 		{13EE1E3C-D7F4-48D3-87AE-94CBCCF574E9} = {50A89C27-BA35-44B2-AC57-E54551791C64}
+		{385C3C61-B7FC-4447-A88D-6D018B7CE5E4} = {50A89C27-BA35-44B2-AC57-E54551791C64}
 		{6A698C1D-F604-4295-B6FC-7FC726F9FE5F} = {1FEED16D-E07D-47C1-BB4C-56CD9F42B53B}
 		{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A} = {3B295650-6CBF-486F-9E25-F96EE03B7CAE}
+		{98883ACD-BE3A-4533-953D-1BE25981BA02} = {3B295650-6CBF-486F-9E25-F96EE03B7CAE}
 		{0C1312C0-0A29-4EB2-8294-6D1C54D78F61} = {50A89C27-BA35-44B2-AC57-E54551791C64}
 	EndGlobalSection
 EndGlobal

src/Dependencies/SignTool/SignTool.csproj

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\..\..\build\Targets\ProducesNoOutput.Settings.targets" />
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <ProjectGuid>{98883ACD-BE3A-4533-953D-1BE25981BA02}</ProjectGuid>
+    <ProjectTypeGuids>{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
+  </PropertyGroup>
+  <ItemGroup>
+    <Content Include="project.json" />
+  </ItemGroup>
+  <Import Project="..\..\..\build\Targets\ProducesNoOutput.Imports.targets" />
+</Project>

src/Dependencies/SignTool/project.json

@@ -0,0 +1,9 @@
+{
+    "dependencies": {
+        "RoslynTools.Microsoft.SignTool": "0.2.0-beta",
+        "Microbuild.Core" : "0.2.0"
+    },
+    "frameworks": {
+        ".netcoreapp1.0": {}
+    }
+}

src/Dependencies/xUnit.net/xUnit.net.csproj

@@ -1,18 +1,12 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\..\..\build\Targets\ProducesNoOutput.Settings.targets" />
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <Import Project="..\..\Tasks\Microsoft.DotNet.Core.Build.Tasks\Microsoft.DotNet.Core.Sdk.props" />
   <PropertyGroup>
     <ProjectGuid>{94F9B889-635A-48A7-A0CB-BAE5D6C9A91A}</ProjectGuid>
     <ProjectTypeGuids>{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
-    <TargetFrameworkIdentifier>.NETCoreApp</TargetFrameworkIdentifier>
-    <TargetFrameworkVersion>v1.0</TargetFrameworkVersion>
     <OutDir>$(OutDir)Tests\</OutDir>
-    <CopyBuildOutputToOutputDirectory>false</CopyBuildOutputToOutputDirectory>
-    <CopyOutputSymbolsToOutputDirectory>false</CopyOutputSymbolsToOutputDirectory>
-    <OutputType>Library</OutputType>
-    <GenerateDependencyFile>false</GenerateDependencyFile>
-    <ResolvePackageDependenciesForBuild>false</ResolvePackageDependenciesForBuild>
   </PropertyGroup>
   <ItemGroup>
     <None Include="project.json" />
@@ -51,7 +45,7 @@
       <CopyLocalAssembly Include="xunit.runner.utility.dotnet">
         <RelativePath>xunit.runner.utility\$(XUnitVersion)\lib\dotnet\xunit.runner.utility.dotnet.dll</RelativePath>
       </CopyLocalAssembly>
-      
+
       <TestCopyLocalAssembly Include="$(NuGet_Packages)\%(CopyLocalAssembly.RelativePath)" />
 
       <FluentAssertionsPackage Include="fluentassertions" />