Sign almost all the things (#870)

* Rework signing exclusions to sign everything but js Co-authored-by: Alexander Köplinger <[email protected]> * Update eng/Signing.props Co-authored-by: Alexander Köplinger <[email protected]> --------- Co-authored-by: Alexander Köplinger <[email protected]>
dotnet · Aug 14, 2024 · f5ca0b7 · f5ca0b7
1 parent 03757bf
commit f5ca0b7
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 9 deletions.
diff --git a/eng/SignCheckExclusionsFile.txt b/eng/SignCheckExclusionsFile.txt
@@ -2,7 +2,4 @@
 ;; Format: https://github.com/dotnet/arcade/blob/397316e195639450b6c76bfeb9823b40bee72d6d/src/SignCheck/Microsoft.SignCheck/Verification/Exclusion.cs#L23-L35
 ;;
 ;; This issue tracks a way to implement exclusions via Signing.props and avoid this extra file: https://github.com/dotnet/arcade/issues/2888
-
-*.js;;Can't dual sign .js files, https://github.com/dotnet/runtime/issues/53252
-*.ps1;;Can't dual sign .ps1 files, https://github.com/dotnet/runtime/issues/53252
-*.exe;*.whl;The .whl files are not supported by ESRP, https://github.com/dotnet/runtime/issues/53252
+*.js;;We don't need to code sign .js files because they are not used in Windows Script Host
diff --git a/eng/Signing.props b/eng/Signing.props
@@ -12,12 +12,18 @@
     <FileExtensionSignInfo Include=".cat" CertificateName="MicrosoftDotNet500" />
 
     <!--
-      These files can't be dual-signed with 3PartySHA2, don't try to sign them.
+      Script files need to be signed with 3PartyScriptsSHA2 not the dual-signed certificate.
     -->
-    <FileExtensionSignInfo Update=".py" CertificateName="None" />
-    <FileExtensionSignInfo Update=".ps1" CertificateName="None" />
+    <FileExtensionSignInfo Update=".py" CertificateName="3PartyScriptsSHA2" />
+    <FileExtensionSignInfo Update=".ps1" CertificateName="3PartyScriptsSHA2" />
+    <!-- We don't need to code sign .js files because they are not used in Windows Script Host. -->
     <FileExtensionSignInfo Update=".js" CertificateName="None" />
-    <FileExtensionSignInfo Include=".vbs" CertificateName="None" />
+
+    <!--
+      Zero length files should not be signed because it breaks signing/ESRP.
+    -->
+    <FileSignInfo Include="__init__.py" CertificateName="None" />
+    <FileSignInfo Include="eggs.py" CertificateName="None" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/eng/azure-pipelines.yml b/eng/azure-pipelines.yml
@@ -362,6 +362,6 @@ extends:
     - template: /eng/common/templates-official/post-build/post-build.yml@self
       parameters:
         enableSourceLinkValidation: false
-        enableSigningValidation: false
+        enableSigningValidation: true
         enableSymbolValidation: false
         enableNugetValidation: true
diff --git a/eng/emsdk.proj b/eng/emsdk.proj
@@ -291,6 +291,7 @@
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\node_modules\google-closure-compiler-osx" />
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\node_modules\google-closure-compiler-windows" />
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\node_modules\google-closure-compiler-linux" />
+    <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\node_modules\resolve\test" /> <!-- contains zero length .js files -->
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\third_party\closure-compiler" />
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\third_party\jni" />
     <RemoveDir Directories="$(ArtifactsObjDir)upstream\emscripten\third_party\ply" />