-rw-r--r--.gitignore5
-rw-r--r--Directory.Build.props1
-rw-r--r--Directory.Build.targets4
-rw-r--r--eng/Signing.props61
-rw-r--r--eng/build-job.yml21
-rw-r--r--eng/xplat-job.yml3
6 files changed, 88 insertions, 7 deletions
diff --git a/.gitignore b/.gitignore
index c3d1f56b52..7e029112e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -318,3 +318,8 @@ sandbox
#IL linker for testing
linker
+
+# Arcade files
+/artifacts/toolset
+/.packages
+/.dotnet
diff --git a/Directory.Build.props b/Directory.Build.props
index 2082362adc..63bb6d6c6e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,4 +1,5 @@
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <Import Project="Sdk.props" Sdk="Microsoft.DotNet.Arcade.Sdk" Condition="'$(ArcadeBuild)' == 'True'"/>
<PropertyGroup>
<CL_MPCount>$(NumberOfCores)</CL_MPCount>
</PropertyGroup>
diff --git a/Directory.Build.targets b/Directory.Build.targets
new file mode 100644
index 0000000000..29123fe77f
--- /dev/null
+++ b/Directory.Build.targets
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project>
+ <Import Project="Sdk.targets" Sdk="Microsoft.DotNet.Arcade.Sdk" Condition="'$(ArcadeBuild)' == 'True'"/>
+</Project>
\ No newline at end of file
diff --git a/eng/Signing.props b/eng/Signing.props
new file mode 100644
index 0000000000..c51b9d3d41
--- /dev/null
+++ b/eng/Signing.props
@@ -0,0 +1,61 @@
+<Project>
+ <Import Project="..\dir.props"/>
+ <Import Project="..\dir.targets" />
+
+ <PropertyGroup>
+ <!-- The SignFiles target needs OutDir to be defined -->
+ <OutDir>$(BinDir)</OutDir>
+ </PropertyGroup>
+
+ <UsingTask AssemblyFile="$(BuildToolsTaskDir)Microsoft.DotNet.Build.Tasks.dll" TaskName="ReadSigningRequired" />
+
+ <ItemGroup>
+ <WindowsNativeLocation Include="$(BinDir)*.dll" />
+ <WindowsNativeLocation Include="$(BinDir)*.exe" />
+ </ItemGroup>
+
+ <ItemGroup Condition="'$(BuildArch)' == 'x86'">
+ <!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK. -->
+ <WindowsNativeLocation Condition="'$(BuildType)'=='Release'" Include="$(BinDir)Redist\ucrt\DLLs\$(BuildArch)\api-ms-win-core-xstate-l2-1-0.dll" />
+ </ItemGroup>
+
+ <!-- sign the cross targeted files as well -->
+ <ItemGroup Condition="'$(CrossTargetComponentFolder)' != ''">
+ <WindowsNativeLocation Include="$(BinDir)$(CrossTargetComponentFolder)/*.dll" />
+ <WindowsNativeLocation Include="$(BinDir)$(CrossTargetComponentFolder)/*.exe" />
+ </ItemGroup>
+
+ <Target Name="GenerateSignForWindowsNative">
+ <!--
+ Managed assemblies should already have a requires_signing file dropped so only generate
+ a requires_signing file for ones that don't exist which should leave just native assembies
+ -->
+ <WriteSigningRequired AuthenticodeSig="$(AuthenticodeSig)"
+ MarkerFile="%(WindowsNativeLocation.Identity).requires_signing"
+ Condition="!Exists('%(WindowsNativeLocation.Identity).requires_signing')" />
+ </Target>
+
+ <!-- populates item group ItemsToSign with the list of files to sign -->
+ <Target Name="GetFilesToSignItems"
+ DependsOnTargets="GenerateSignForWindowsNative"
+ BeforeTargets="ValidateSignFileListIsNotEmpty">
+ <!-- read all of the marker files and populate the ItemsToSign item group -->
+ <ItemGroup>
+ <SignMarkerFile Include="$(OutDir)**\*.requires_signing" />
+ </ItemGroup>
+ <ReadSigningRequired MarkerFiles="@(SignMarkerFile)">
+ <Output TaskParameter="SigningMetadata" ItemName="ItemsToSign" />
+ </ReadSigningRequired>
+
+ <!-- Temporarily disable signing CoreLib due to https://github.com/dotnet/arcade/issues/1582 -->
+ <ItemGroup>
+ <ItemsToSign Remove="$(BinDir)System.Private.CoreLib.dll" />
+ </ItemGroup>
+
+ <Message Importance="High" Text="Attempting to sign %(ItemsToSign.Identity) with authenticode='%(ItemsToSign.Authenticode)' and strongname='%(ItemsToSign.StrongName)'" />
+ </Target>
+
+ <Target Name="ValidateSignFileListIsNotEmpty" BeforeTargets="Sign">
+ <Error Condition="'@(ItemsToSign)' == ''" Text="List of files to sign is empty" />
+ </Target>
+</Project>
\ No newline at end of file
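Review bot: The `<ItemsToSign Remove="$(BinDir)System.Private.CoreLib.dll" />` entry in GetFilesToSignItems drops CoreLib from the signing list without leaving any trace in the build output, so an official build ships that assembly unsigned and nothing prompts anyone to re-enable it. Emit a visible warning next to the removal, e.g. `<Warning Text="System.Private.CoreLib.dll excluded from signing, see dotnet/arcade#1582" />`, so the gap shows in every signed build's log. Separately, `WindowsNativeLocation` is filled from the `$(BinDir)*.dll` and `$(BinDir)*.exe` globs, so any binary that lands in BinDir gets a marker file and is submitted for Authenticode signing; an explicit list, or a check of the globbed names against the expected outputs, would limit signing to files the build is known to produce. `WriteSigningRequired` has no `UsingTask` in this file, so it presumably comes from the imported dir.props or dir.targets, which is worth confirming.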
diff --git a/eng/build-job.yml b/eng/build-job.yml
index d8a5f61102..064db098ed 100644
--- a/eng/build-job.yml
+++ b/eng/build-job.yml
@@ -14,6 +14,7 @@ jobs:
archType: ${{ parameters.archType }}
osGroup: ${{ parameters.osGroup }}
osIdentifier: ${{ parameters.osIdentifier }}
+ enableMicrobuild: true
# Compute job name from template parameters
name: ${{ format('build_{0}_{1}_{2}', parameters.osIdentifier, parameters.archType, parameters.buildConfig) }}
@@ -68,6 +69,19 @@ jobs:
- script: set __TestIntermediateDir=int&&build.cmd $(buildConfig) $(archType) -skiptests -skipbuildpackages
displayName: Build product
+ # Sign on Windows
+ - ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest'), eq(parameters.osGroup, 'Windows_NT')) }}:
+ - script: powershell eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0 /p:ArcadeBuild=true /p:OfficialBuild=true /p:BuildOS=$(osGroup) /p:BuildArch=$(archType) /p:BuildType=$(buildConfig) /p:DotNetSignType=%_SignType%
+ displayName: Sign Binaries
+
+ - task: PublishBuildArtifacts@1
+ displayName: Publish Signing Logs to VSTS
+ inputs:
+ PathtoPublish: '$(Build.SourcesDirectory)/artifacts/'
+ PublishLocation: Container
+ ArtifactName: $(Agent.Os)_$(Agent.JobName)_$(archType)
+ continueOnError: true
+ condition: always()
# Upload build as pipeline artifact
- ${{ if ne(parameters.osGroup, 'Windows_NT') }}:
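Review bot: The Sign Binaries step passes `/p:DotNetSignType=%_SignType%` together with `-warnaserror:0`, so an unset `_SignType` presumably expands to an empty value, and signing problems reported as warnings do not fail the job. Whether an empty sign type falls back to real or test signing is decided outside this diff; a preceding guard such as `- script: if "%_SignType%"=="" exit /b 1` inside the same conditional would make the official build fail closed rather than depend on that default. The "Publish Signing Logs" task also uploads the whole `artifacts/` directory (which, per the .gitignore change, holds `toolset`) under `condition: always()`; pointing `PathtoPublish` at the log subdirectory would limit the published container to what the display name promises.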
@@ -83,13 +97,6 @@ jobs:
artifactName: ${{ format('{0}_{1}_{2}_build', parameters.osIdentifier, parameters.archType, parameters.buildConfig) }}
targetPath: $(Build.SourcesDirectory)\bin\Product\$(osGroup).$(archType).$(buildConfigUpper)
-
- # TODO: Sign
- - ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}:
- - script: echo Sign!
- displayName: Sign Binaries (empty for now)
-
-
# Get key vault secrets for publishing
- ${{ if and(ne(variables['System.TeamProject'], 'public'), ne(variables['Build.Reason'], 'PullRequest')) }}:
- task: AzureKeyVault@1
diff --git a/eng/xplat-job.yml b/eng/xplat-job.yml
index 8b251751c1..a59dcefefd 100644
--- a/eng/xplat-job.yml
+++ b/eng/xplat-job.yml
@@ -11,6 +11,7 @@ parameters:
timeoutInMinutes: ''
helixType: ''
crossrootfsDir: ''
+ enableMicrobuild: ''
# arcade-specific parameters
gatherAssetManifests: false
@@ -31,6 +32,8 @@ jobs:
helixRepo: 'dotnet/coreclr'
helixType: ${{ parameters.helixType }}
+ enableMicrobuild: ${{ parameters.enableMicrobuild }}
+
pool:
${{ if and(eq(parameters.osGroup, 'Linux'), eq(variables['System.TeamProject'], 'public')) }}:
name: Hosted Ubuntu 1604