From face4257dd8656bc6c336130a5f8743b0a1cc1d7 Mon Sep 17 00:00:00 2001 
From: Matt Mitchell
Date: Wed, 5 May 2021 13:24:44 -0700
Subject: [PATCH 1/2] Add the ability to use the .NET certificate with a switch

A subset of arcade repositories will ship .NET 6 using a different certificate for most executable files. This leads to a question: How to specify that this cert should be used rather than Microsoft400? There are a number of options:

1. Use certificate replacement in post-build signing to switch all uses of Microsoft400 to MicrosoftDotNet500 - This has the disadvantage that if there are any binaries that still need to ship to end-customers with Microsoft400, they would get the new cert. It's also a little hacky, and certificate replacement was only intended for limited use by internal customers in specific scenarios.
2. Update default metadata in each repo that needs to switch to specify MicrosoftDotNet500 instead of Microsoft400 - This is easy to do for explicit specifications in a repo's eng/Signing.props file, but the arcade defaults are still present. They can be replaced with something like:
   ```
   ```
   However, this bit of code isn't entirely easy to understand and would have to be inserted into every repo.
3. Change the arcade default to MicrosoftDotNet500 - This has wide-ranging implications for repos that we don't want to change, at least not now. I think this will eventually be an option, but is too risky with too many unknowns right now.
4. Introduce a new property `UseDotNetCertificate` which can be set in eng/Signing.props. This causes all existing use of Microsoft400 in the repo to switch to MicrosoftDotNet500. This is preferable for repos that use arcade defaults for most things (use Sign.proj and Publish.proj). The certificate metadata update happens prior to signing or encoding of the signing metadata in the manifests.
Repos should use a combination of 4 and 2 for now to update to the .NET cert
---
 Documentation/CorePackages/Signing.md | 24 +++++++++++++++++++
 .../tools/Publish.proj | 10 ++++++++
 .../tools/Sign.proj | 10 ++++++++
 .../tools/Sign.props | 8 +++++++
 4 files changed, 52 insertions(+)
diff --git a/Documentation/CorePackages/Signing.md b/Documentation/CorePackages/Signing.md index d65de76c097..f2e8f96cdb5 100644 --- a/Documentation/CorePackages/Signing.md +++ b/Documentation/CorePackages/Signing.md @@ -223,6 +223,30 @@ Click [here](../../src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj) to see how t ... ``` +#### 8. How can I use the .NET specific certificate for executable files? + +By default, `Microsoft400` is the cert used by default for most executable files (e.g .dll, .js, .exe). To use the .NET specific cert (`MicrosoftDotNet500`), +use one of the following approaches: + +1. Update the existing `FileExtensionSignInfo` and `StrongNameSignInfo` metadata in [Sign.props](../../src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props) +to use `MicrosoftDotNet500`. This approach must be used if some files still need to be signed with `Microsoft400`. + ``` + + + + + + + + + ``` +2. Specify the property `UseDotNetCertificate` with value `true` in your `eng/Signing.props` file. This **replaces** all existing use of `Microsoft400` with `MicrosoftDotNet500`. + ``` + + f + + ``` + ## Logs & MicroBuild configuration files The log messages from the SignToolTask itself will be included in the log (+.binlog) of the original build process. The binary log of executing the MicroBuild signing plugin will be stored in files named `SigningX.binlog` in the `LogDir` folder. The project files used to call the MicroBuild plugin will be stored in files named `RoundX.proj` in the `TempDir` folder. In both cases the `X` in the name refers to a signing round. 
diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/Publish.proj b/src/Microsoft.DotNet.Arcade.Sdk/tools/Publish.proj index 558205ec53f..cdb129ad0a1 100644 --- a/src/Microsoft.DotNet.Arcade.Sdk/tools/Publish.proj +++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/Publish.proj @@ -47,6 +47,16 @@ BeforePublish;$(PublishDependsOnTargets) + + + + + + + diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj index 399d129ea5d..8bd296befef 100644 --- a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj +++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj @@ -6,6 +6,16 @@ + + + + + + + diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props index d545816a66e..908cb7a9000 100644 --- a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props +++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props @@ -43,6 +43,14 @@ + + + MicrosoftDotNet500 + false + + - - - - - - @@ -274,6 +264,16 @@ + + + + + + +
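Review bot: In the Signing.md hunk, option 1 links to arcade's own Sign.props while the commit message says the override goes in the repo's eng/Signing.props; state where the `FileExtensionSignInfo` and `StrongNameSignInfo` entries should be placed, because a reader can take the link as an instruction to edit the arcade SDK file rather than their own repo. Two wording points in the same hunk: "By default, `Microsoft400` is the cert used by default" repeats "by default", and "e.g .dll" is missing its period, so the opening sentence could read "By default, `Microsoft400` is used for most executable files (e.g. .dll, .js, .exe)." The snippet under option 2 also shows a lone `f` where the full `UseDotNetCertificate` property element is expected; please check that the example survived intact.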
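Review bot: The Publish.proj and Sign.proj hunks each add a ten-line block (per the diffstat) to perform the Microsoft400 to MicrosoftDotNet500 replacement, so the same logic now lives in two files that can drift apart, and with a repo that runs both build-time signing and post-build publishing the replacement is applied in two separate passes. Since this patch already puts the new defaults in Sign.props, consider defining the replacement target once in a shared file and invoking it from both projects, and have it emit a message naming the certificate that was selected so the `SigningX.binlog` records when the switch took effect; that gives an auditable trail of which certificate signed a given build.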
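Review bot: The Sign.props hunks do not reconcile with the diffstat. The diffstat records 8 insertions and no deletions for this file, yet the diff shows what appear to be six removed lines after the first hunk, and the second hunk header `@@ -274,6 +264,16 @@` adds ten lines while its new-file offset (264) is below the old offset (274), which cannot happen without deletions earlier in the file. Please regenerate the patch against the intended base so it applies cleanly, and confirm that the two defaults visible in the first hunk (`MicrosoftDotNet500` and `false`, presumably the certificate name and the `UseDotNetCertificate` default) are the only property additions intended.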