Create the Windows.x64 global tool with shim for signing #21559
Write-Verbose -Verbose -Message "pathForUpload: $pathForUpload" | ||
Copy-Item -Path '${{ parameters.binPath }}\*' -Destination $pathForUpload -Recurse -Force -Verbose | ||
Write-Verbose -Verbose -Message "Files copied to $pathForUpload" | ||
$isGlobalTool = '${{ parameters.globalTool }}' -eq 'true' |
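Review bot: '${{ parameters.binPath }}\*' on the Copy-Item line and '${{ parameters.globalTool }}' on the $isGlobalTool line are template expressions placed inside single-quoted PowerShell literals, so the pipeline substitutes each value into the script text before PowerShell parses it, and a value containing a single quote would end the literal and change the script. Consider passing both values to the step as environment variables and reading them with $env: inside the script, so they arrive as data rather than as script text.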
Not blocking. We should move any PS script of significant size into a script or module. This does two things: it makes sure they are scanned by static analysis tools and reduces total YAML size.
Remove-Item -Path $ridFolder/runtimes/win-arm -Recurse -Force | ||
$toolSettings = $packagingStrings.GlobalToolSettingsFile -f "pwsh.dll" | ||
} | ||
# Due to needing a signed shim for the global tool, we build the global tool in build instead of packaging. |
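Review bot: Remove-Item -Path $ridFolder/runtimes/win-arm -Recurse -Force builds its target from $ridFolder, and nothing in the visible lines checks that the variable is set; if it is empty, the path becomes /runtimes/win-arm at the root of the current drive. Consider validating $ridFolder (for example with Test-Path) before the recursive delete. The comment on the last line could also name where the Windows.x64 global tool is built, so a reader of this file can find it.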
remove dead code?
I wanted to keep the code and document why we don't build Windows.x64 here.
Approved with comments
PR Summary
Fixes #20557
The global tool for Windows.x64 is created using dotnet pack so that the shim can be generated during the build for signing.
The tool uses a new csproj with added properties for generating the shim; we added the build to the fxdependent stage.
More details about shim are documented here: https://github.com/dotnet/sdk/blob/main/documentation/general/signing-global-tool-packages.md
The way the build works is a bit tricky as when it is built, we cannot add the modules that come from gallery.
We have to use `dotnet pack` to build the nupkg and then expand it as a zip. After expanding we restore the signed files for the modules from the gallery.
We also delete `content` and `contentFiles` folder which are not necessary. After that, we repack using Compress-Archive and rename it back to a nupkg.
PR Context
dotnet-sdk images show that the exe is unsigned and fails compliance requirements.
PR Checklist
`.h`, `.cpp`, `.cs`, `.ps1` and `.psm1` files have the correct copyright header
`WIP:` or `[ WIP ]` to the beginning of the title (the `WIP` bot will keep its status check at `Pending` while the prefix is present) and remove the prefix when the PR is ready.
(which runs in a different PS Host).
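
A post-repack check for the procedure described in the PR summary, as an added example that is not part of the PR or the project's build scripts: it opens the final nupkg as a zip, fails if any `content` or `contentFiles` entry remains, and fails if any `.exe` entry (the shim included) lacks a valid Authenticode signature. The `$NupkgPath` parameter is hypothetical, and the script assumes Windows, where Get-AuthenticodeSignature is available.

```powershell
# Added example: post-repack checks for the global tool nupkg (not the project's script).
# Assumption: $NupkgPath is a hypothetical path to the repacked package; run on Windows,
# because Get-AuthenticodeSignature is only available there.
param(
    [Parameter(Mandatory)]
    [string] $NupkgPath
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

$problems = [System.Collections.Generic.List[string]]::new()
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
$null = New-Item -ItemType Directory -Path $scratch

$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $NupkgPath).ProviderPath)
try {
    foreach ($entry in $zip.Entries) {
        # Normalise separators: an archive written on Windows may use '\' in entry names.
        $name = $entry.FullName -replace '\\', '/'

        # The description says content and contentFiles are deleted before repacking.
        if ($name -match '^(content|contentFiles)/') {
            $problems.Add("unexpected entry: $name")
            continue
        }

        # Extract each executable to a scratch file and check its Authenticode signature.
        if ($name -match '\.exe$') {
            $target = Join-Path $scratch ([System.Guid]::NewGuid().ToString() + '.exe')
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $target)
            $sig = Get-AuthenticodeSignature -LiteralPath $target
            if ($sig.Status -ne 'Valid') {
                $problems.Add("not validly signed ($($sig.Status)): $name")
            }
        }
    }
}
finally {
    $zip.Dispose()
    Remove-Item -LiteralPath $scratch -Recurse -Force
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error -Message $_ -ErrorAction Continue }
    throw "Package check failed for $NupkgPath"
}
Write-Verbose -Verbose -Message "Package check passed for $NupkgPath"
```

Run as a gate after the rename back to nupkg, the check reads the archive that will actually be published rather than the expanded folder it was built from.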