dotnet · pjcollins · Jul 16, 2024 · Jul 9, 2024 · Jul 9, 2024 · Jul 10, 2024
@@ -468,7 +468,7 @@ extends:
       condition: and(eq(dependencies.mac_build.result, 'Succeeded'), eq(dependencies.linux_build.result, 'Succeeded'), eq(variables['MicroBuildSignType'], 'Real'))
       jobs:
       # Check - "Xamarin.Android (Prepare .NET Release Sign Archives)"
-      - template: sign-artifacts/jobs/v2.yml@yaml-templates
+      - template: sign-artifacts/jobs/v3.yml@yaml-templates
         parameters:
           name: sign_net_mac_win
           poolName: $(VSEngMicroBuildPool)
@@ -477,9 +477,12 @@ extends:
           signedArtifactName: nuget-signed
           usePipelineArtifactTasks: true
           use1ESTemplate: true
+          uploadPrefix: sign-mac-win
+          handleUnmappedFiles: fail
+          timeoutInMinutes: 240
 
       # Check - "Xamarin.Android (Prepare .NET Release Sign Linux Archive)"
-      - template: sign-artifacts/jobs/v2.yml@yaml-templates
+      - template: sign-artifacts/jobs/v3.yml@yaml-templates
         parameters:
           name: sign_net_linux
           displayName: Sign Linux Archive
@@ -489,6 +492,9 @@ extends:
           signedArtifactName: nuget-linux-signed
           usePipelineArtifactTasks: true
           use1ESTemplate: true
+          uploadPrefix: sign-linux
+          handleUnmappedFiles: fail
+          timeoutInMinutes: 120
 
       # Check - "Xamarin.Android (Prepare .NET Release Convert NuGet to MSI)"
       - template: nuget-msi-convert/job/v3.yml@yaml-templates

@@ -66,58 +66,15 @@ steps:
   displayName: CodeQL 3000 Finalize
   condition: and(succeededOrFailed(), eq(variables['Codeql.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
-- template: /build-tools/automation/yaml-templates/install-microbuild-tooling.yaml
-  parameters:
-    condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-
-# Restore needs to be executed first or MicroBuild targets won't be imported in time
 - task: DotNetCoreCLI@2
-  displayName: msbuild /t:Restore sign-content.proj
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: /t:Restore /p:Configuration=$(XA.Build.Configuration) -v:n /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog
-
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - add entitlements and sign
+  displayName: macOS signing - add runtime entitlements
   condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
   inputs:
     projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
     arguments: >-
-      /t:AddMachOEntitlements;AddMSBuildFilesUnixSign;AddMSBuildFilesUnixSignAndHarden;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
+      /t:AddMachOEntitlements /p:Configuration=$(XA.Build.Configuration)
       /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
 
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - sign binutils libraries
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: >-
-      /t:AddBinUtilsFilesUnixSign;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
-      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-lib.binlog
-
-- task: DotNetCoreCLI@2
-  displayName: PKG signing - sign binutils executables
-  condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real'))
-  inputs:
-    projects: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
-    arguments: >-
-      /t:AddBinUtilsFilesUnixSignAndHarden;Build
-      /p:Configuration=$(XA.Build.Configuration) -v:n
-      /p:SignType=$(MicroBuildSignType)
-      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
-      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-bu-ex.binlog
-
-- template: /build-tools/automation/yaml-templates/remove-microbuild-tooling.yaml
-  parameters:
-    condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real'))
-
 - script: make create-installers CONFIGURATION=$(XA.Build.Configuration) MSBUILD_ARGS='${{ parameters.makeMSBuildArgs }}'
   workingDirectory: ${{ parameters.xaSourcePath }}
   displayName: make create-installers

@@ -26,5 +26,12 @@
     <FirstParty Include="*.exe" />
     <!-- First and third party .jar files use the same Authenticode -->
     <FirstParty Include="*.jar" />
+    <MacDeveloperSign Include="*.dylib" />
+    <MacDeveloperSignHarden Include="Darwin/aapt2" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*as" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*ld" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/llc" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/llvm-mc" />
+    <MacDeveloperSignHarden Include="Darwin/binutils/bin/*strip" />
   </ItemGroup>
 </Project>
@@ -2,8 +2,8 @@
 ***********************************************************************************************
 sign-content.proj
 
-This project file is used to sign and harden all relevent files included in our legacy .vsix
-and .pkg installers.  ESRP signing does not yet support passing a runtime entitlements
+This project file is used to add runtime entitlements to any file that requires macOS signing
+and runtime hardening. ESRP signing does not yet support passing a runtime entitlements
 file alongside a file that needs runtime hardening, so we have to apply the entitlements
 ourself (using an empty signing identity) before passing these files to ESRP.
 ***********************************************************************************************
@@ -12,118 +12,18 @@ ourself (using an empty signing identity) before passing these files to ESRP.
 
   <Import Project="..\..\Configuration.props" />
   <Import Project="create-installers.targets" />
-  <Import Project="$(XamarinAndroidSourcePath)\build-tools\create-packs\SignList.xml" />
 
   <PropertyGroup>
     <TargetFramework>netstandard2.0</TargetFramework>
     <GenerateDependencyFile>false</GenerateDependencyFile>
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
     <!-- NOTE: Any file you want to sign must be under either $(OutDir) or $(IntermediateOutputPath). -->
     <OutDir Condition=" '$(OutDir)' == '' ">$(MicrosoftAndroidSdkOutDir)</OutDir>
-    <UnzippedVsixDir>$(OutDir)vsix-unzip\</UnzippedVsixDir>
   </PropertyGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="$(MicroBuildCoreVersion)">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
-    </PackageReference>
-  </ItemGroup>
-
   <Target Name="AddMachOEntitlements" >
     <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_MSBuildFilesUnixSignAndHarden.Identity)&quot;" />
     <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_BinUtilsFilesUnixSignAndHarden.Identity)&quot;" />
   </Target>
 
-  <Target Name="AddMSBuildFilesUnixSign" >
-    <ItemGroup>
-      <FilesToSign Include="@(_MSBuildFilesUnixSign)">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddMSBuildFilesUnixSignAndHarden" >
-    <ItemGroup>
-      <FilesToSign Include="@(_MSBuildFilesUnixSignAndHarden)">
-        <Authenticode>MacDeveloperVNextHarden</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddBinUtilsFilesUnixSign" >
-    <ItemGroup>
-      <FilesToSign Include="@(_BinUtilsFilesUnixSign)">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddBinUtilsFilesUnixSignAndHarden" >
-    <ItemGroup>
-      <FilesToSign Include="@(_BinUtilsFilesUnixSignAndHarden)">
-        <Authenticode>MacDeveloperVNextHarden</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="AddVsixContent" >
-    <RemoveDir Directories="$(UnzippedVsixDir)" />
-    <MakeDir Directories="$(UnzippedVsixDir)" />
-    <Unzip
-        SourceFiles="$(VsixPath)"
-        DestinationFolder="$(UnzippedVsixDir)"
-    />
-    <CreateItem Include="@(ThirdParty -> '$(UnzippedVsixDir)**\%(Identity)')">
-      <Output TaskParameter="Include" ItemName="_ThirdPartyAssemblies" />
-    </CreateItem>
-    <CreateItem Include="@(Skip -> '$(UnzippedVsixDir)**\%(Identity)')">
-      <Output TaskParameter="Include" ItemName="_SkipAssemblies" />
-    </CreateItem>
-    <!-- Allow full wildcards in @(FirstParty) by removing any explicitly listed @(ThirdParty) and @(Skip) content -->
-    <CreateItem Include="@(FirstParty -> '$(UnzippedVsixDir)**\%(Identity)')" Exclude="@(_ThirdPartyAssemblies);@(_SkipAssemblies)">
-      <Output TaskParameter="Include" ItemName="_FirstPartyAssemblies" />
-    </CreateItem>
-    <ItemGroup>
-      <FilesToSign Include="@(_FirstPartyAssemblies)" Condition="%(Extension) == '.dll' or %(Extension) == '.exe'">
-        <Authenticode>Microsoft400</Authenticode>
-      </FilesToSign>
-      <FilesToSign Include="@(_FirstPartyAssemblies)" Condition="%(Extension) == '.jar'">
-        <Authenticode>MicrosoftJARSHA2</Authenticode>
-      </FilesToSign>
-      <FilesToSign Include="@(_ThirdPartyAssemblies)" Condition="%(Extension) == '.dll' or %(Extension) == '.exe'">
-        <Authenticode>3PartySHA2</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="ZipVsixContent" >
-    <Delete Files="$(VsixPath)" />
-    <ZipDirectory
-        SourceDirectory="$(UnzippedVsixDir)"
-        DestinationFile="$(VsixPath)"
-    />
-  </Target>
-
-  <Target Name="SignVsix" >
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)\Xamarin.Android.Sdk-*.vsix">
-        <Authenticode>VsixSHA2</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
-  <Target Name="SignPkg" >
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)\xamarin.android-*.pkg">
-        <Authenticode>MacDeveloperVNext</Authenticode>
-        <Zip>true</Zip>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
 </Project>