authorMorgan Brown <morganbr@users.noreply.github.com>2018-12-14 18:45:55 -0800
committerGitHub <noreply@github.com>2018-12-14 18:45:55 -0800
commite763e8302028edb4a49e22b7e18b888b3145d48c (patch)
tree0caf5ddb2364cc1dd8893d7aaa2b6e88b1c78417
parent483135b05e853290d6890f9f5f72aa0bb96aca23 (diff)
Add Azure DevOps signing support (#21545)
Add signing support for Azure DevOps pipelines. This uses the arcade signing step, but with custom logic to find files to sign while we're not using arcade for the rest of the build.
-rw-r--r--.gitignore5
-rw-r--r--Directory.Build.props1
-rw-r--r--Directory.Build.targets4
-rw-r--r--eng/Signing.props61
-rw-r--r--eng/build-job.yml21
-rw-r--r--eng/xplat-job.yml3
6 files changed, 88 insertions, 7 deletions
diff --git a/.gitignore b/.gitignore
index c3d1f56b52..7e029112e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -318,3 +318,8 @@ sandbox
#IL linker for testing
linker
+
+# Arcade files
+/artifacts/toolset
+/.packages
+/.dotnet
diff --git a/Directory.Build.props b/Directory.Build.props
index 2082362adc..63bb6d6c6e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,4 +1,5 @@
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <Import Project="Sdk.props" Sdk="Microsoft.DotNet.Arcade.Sdk" Condition="'$(ArcadeBuild)' == 'True'"/>
<PropertyGroup>
<CL_MPCount>$(NumberOfCores)</CL_MPCount>
</PropertyGroup>
diff --git a/Directory.Build.targets b/Directory.Build.targets
new file mode 100644
index 0000000000..29123fe77f
--- /dev/null
+++ b/Directory.Build.targets
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project>
+ <Import Project="Sdk.targets" Sdk="Microsoft.DotNet.Arcade.Sdk" Condition="'$(ArcadeBuild)' == 'True'"/>
+</Project> \ No newline at end of file
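Review bot: The new Directory.Build.targets ends without a trailing newline (the `\ No newline at end of file` marker sits on the closing `</Project>` line), and the new eng/Signing.props in the next file section has the same. Adding the final newline keeps later diffs that touch the last line clean and matches the other files in the repository that the diff shows ending normally.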
diff --git a/eng/Signing.props b/eng/Signing.props
new file mode 100644
index 0000000000..c51b9d3d41
--- /dev/null
+++ b/eng/Signing.props
@@ -0,0 +1,61 @@
+<Project>
+ <Import Project="..\dir.props"/>
+ <Import Project="..\dir.targets" />
+
+ <PropertyGroup>
+ <!-- The SignFiles target needs OutDir to be defined -->
+ <OutDir>$(BinDir)</OutDir>
+ </PropertyGroup>
+
+ <UsingTask AssemblyFile="$(BuildToolsTaskDir)Microsoft.DotNet.Build.Tasks.dll" TaskName="ReadSigningRequired" />
+
+ <ItemGroup>
+ <WindowsNativeLocation Include="$(BinDir)*.dll" />
+ <WindowsNativeLocation Include="$(BinDir)*.exe" />
+ </ItemGroup>
+
+ <ItemGroup Condition="'$(BuildArch)' == 'x86'">
+ <!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK. -->
+ <WindowsNativeLocation Condition="'$(BuildType)'=='Release'" Include="$(BinDir)Redist\ucrt\DLLs\$(BuildArch)\api-ms-win-core-xstate-l2-1-0.dll" />
+ </ItemGroup>
+
+ <!-- sign the cross targeted files as well -->
+ <ItemGroup Condition="'$(CrossTargetComponentFolder)' != ''">
+ <WindowsNativeLocation Include="$(BinDir)$(CrossTargetComponentFolder)/*.dll" />
+ <WindowsNativeLocation Include="$(BinDir)$(CrossTargetComponentFolder)/*.exe" />
+ </ItemGroup>
+
+ <Target Name="GenerateSignForWindowsNative">
+ <!--
+ Managed assemblies should already have a requires_signing file dropped so only generate
+ a requires_signing file for ones that don't exist which should leave just native assembies
+ -->
+ <WriteSigningRequired AuthenticodeSig="$(AuthenticodeSig)"
+ MarkerFile="%(WindowsNativeLocation.Identity).requires_signing"
+ Condition="!Exists('%(WindowsNativeLocation.Identity).requires_signing')" />
+ </Target>
+
+ <!-- populates item group ItemsToSign with the list of files to sign -->
+ <Target Name="GetFilesToSignItems"
+ DependsOnTargets="GenerateSignForWindowsNative"
+ BeforeTargets="ValidateSignFileListIsNotEmpty">
+ <!-- read all of the marker files and populate the ItemsToSign item group -->
+ <ItemGroup>
+ <SignMarkerFile Include="$(OutDir)**\*.requires_signing" />
+ </ItemGroup>
+ <ReadSigningRequired MarkerFiles="@(SignMarkerFile)">
+ <Output TaskParameter="SigningMetadata" ItemName="ItemsToSign" />
+ </ReadSigningRequired>
+
+ <!-- Temporarily disable signing CoreLib due to https://github.com/dotnet/arcade/issues/1582 -->
+ <ItemGroup>
+ <ItemsToSign Remove="$(BinDir)System.Private.CoreLib.dll" />
+ </ItemGroup>
+
+ <Message Importance="High" Text="Attempting to sign %(ItemsToSign.Identity) with authenticode='%(ItemsToSign.Authenticode)' and strongname='%(ItemsToSign.StrongName)'" />
+ </Target>
+
+ <Target Name="ValidateSignFileListIsNotEmpty" BeforeTargets="Sign">
+ <Error Condition="'@(ItemsToSign)' == ''" Text="List of files to sign is empty" />
+ </Target>
+</Project> \ No newline at end of file
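Review bot: GenerateSignForWindowsNative writes a `.requires_signing` marker for every `*.dll`/`*.exe` matched by the WindowsNativeLocation globs in `$(BinDir)` that does not already have one, so any binary present in the output directory — not only those this build produced — ends up in ItemsToSign and is signed with the product certificate; if third-party or test-only binaries are ever copied into `$(BinDir)`, an explicit exclusion list (alongside the existing `ItemsToSign Remove` for CoreLib) or a narrower glob would keep the signing scope to first-party output. Only ReadSigningRequired gets a `UsingTask` in this file, while `WriteSigningRequired` is used in GenerateSignForWindowsNative; presumably it is declared by the imported dir.props/dir.targets, but that is worth confirming since a missing task declaration only surfaces at target execution. The comment in that target has a typo (`assembies` → `assemblies`), and the file lacks a trailing newline.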
diff --git a/eng/build-job.yml b/eng/build-job.yml
index d8a5f61102..064db098ed 100644
--- a/eng/build-job.yml
+++ b/eng/build-job.yml
@@ -14,6 +14,7 @@ jobs:
archType: ${{ parameters.archType }}
osGroup: ${{ parameters.osGroup }}
osIdentifier: ${{ parameters.osIdentifier }}
+ enableMicrobuild: true
# Compute job name from template parameters
name: ${{ format('build_{0}_{1}_{2}', parameters.osIdentifier, parameters.archType, parameters.buildConfig) }}
@@ -68,6 +69,19 @@ jobs:
- script: set __TestIntermediateDir=int&&build.cmd $(buildConfig) $(archType) -skiptests -skipbuildpackages
displayName: Build product
+ # Sign on Windows
+ - ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest'), eq(parameters.osGroup, 'Windows_NT')) }}:
+ - script: powershell eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0 /p:ArcadeBuild=true /p:OfficialBuild=true /p:BuildOS=$(osGroup) /p:BuildArch=$(archType) /p:BuildType=$(buildConfig) /p:DotNetSignType=%_SignType%
+ displayName: Sign Binaries
+
+ - task: PublishBuildArtifacts@1
+ displayName: Publish Signing Logs to VSTS
+ inputs:
+ PathtoPublish: '$(Build.SourcesDirectory)/artifacts/'
+ PublishLocation: Container
+ ArtifactName: $(Agent.Os)_$(Agent.JobName)_$(archType)
+ continueOnError: true
+ condition: always()
# Upload build as pipeline artifact
- ${{ if ne(parameters.osGroup, 'Windows_NT') }}:
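Review bot: `/p:DotNetSignType=%_SignType%` on the Sign Binaries step relies on a `_SignType` environment variable that nothing in this diff defines; if it is unset, cmd.exe passes the literal `%_SignType%` through, and whether the arcade sign step then fails or falls back to a non-production sign type is not visible here. Declaring it as a pipeline variable with an explicit value and referencing it as `$(_SignType)` would make the job fail loudly when the value is missing instead of depending on agent environment. Separately, the PublishBuildArtifacts step labelled "Publish Signing Logs to VSTS" uploads the whole `$(Build.SourcesDirectory)/artifacts/` tree, which per the .gitignore change also holds `/artifacts/toolset`; narrowing `PathtoPublish` to the directory that actually receives the signing logs would keep the uploaded artifact to what the display name promises.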
@@ -83,13 +97,6 @@ jobs:
artifactName: ${{ format('{0}_{1}_{2}_build', parameters.osIdentifier, parameters.archType, parameters.buildConfig) }}
targetPath: $(Build.SourcesDirectory)\bin\Product\$(osGroup).$(archType).$(buildConfigUpper)
-
- # TODO: Sign
- - ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}:
- - script: echo Sign!
- displayName: Sign Binaries (empty for now)
-
-
# Get key vault secrets for publishing
- ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}:
- task: AzureKeyVault@1
diff --git a/eng/xplat-job.yml b/eng/xplat-job.yml
index 8b251751c1..a59dcefefd 100644
--- a/eng/xplat-job.yml
+++ b/eng/xplat-job.yml
@@ -11,6 +11,7 @@ parameters:
timeoutInMinutes: ''
helixType: ''
crossrootfsDir: ''
+ enableMicrobuild: ''
# arcade-specific parameters
gatherAssetManifests: false
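Review bot: `enableMicrobuild: ''` defaults the new parameter to an empty string, while build-job.yml passes `true` and the sibling `gatherAssetManifests` on the next line defaults to `false`; a `false` default keeps the parameter consistently boolean and avoids forwarding an empty value at `enableMicrobuild: ${{ parameters.enableMicrobuild }}` in the second hunk of this file. If the consuming job template treats an empty value as disabled this is harmless, but `enableMicrobuild: false` documents the intent and matches the existing parameter style.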
@@ -31,6 +32,8 @@ jobs:
helixRepo: 'dotnet/coreclr'
helixType: ${{ parameters.helixType }}
+ enableMicrobuild: ${{ parameters.enableMicrobuild }}
+
pool:
${{ if and(eq(parameters.osGroup, 'Linux'), eq(variables['System.TeamProject'], 'public')) }}:
name: Hosted Ubuntu 1604