Conversation

@eerhardt
Member

Description

Our python starter template has an Authenticode signature block in its .py files. These aren't wanted because users are meant to change these templates.

Fix #13004

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • No
  • Did you add public API?
    • No
  • Does the change make any security assumptions or guarantees?
    • No
  • Does the change require an update in our Aspire docs?
    • No

Our python starter template has an Authenticode signature block in its .py files. These aren't wanted because users are meant to change these templates.

Fix dotnet#13004
@github-actions
Contributor

github-actions bot commented Nov 17, 2025

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 13005

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 13005"

Copilot finished reviewing on behalf of eerhardt November 17, 2025 16:58
Contributor

Copilot AI left a comment

Pull Request Overview

This PR removes Python files from Authenticode signing to allow users to modify template files without signature validation issues.

  • Excludes .py files from the signing configuration
  • Preserves PowerShell file signing with the Microsoft400 certificate
  • Addresses issue #13004 where template Python files were incorrectly signed

<FileExtensionSignInfo Include=".msi" CertificateName="MicrosoftDotNet500" Condition="!@(FileExtensionSignInfo->AnyHaveMetadataValue('Identity', '.msi'))" />

<!-- Remove .py files from being signed. See https://github.com/dotnet/aspire/issues/13004 -->
<FileExtensionSignInfo Remove=".ps1;.psd1;.psm1;.psc1;.py" />
Member

Why do we need to remove then re-include the non-.py file extensions?

Member Author

In MSBuild you can't change an "Include" on an Item, as that's its ID. In order to modify the "Include", you need to remove the whole Item and then re-add it with the updated value.

Member

hmm, I'm a bit worried about this here, as we would potentially be exposed to any change of this list in a future arcade update. I wonder if, with a bit more code, we could instead calculate on the fly what the Include value is by searching for .py, and then add it back with the .py replaced by an empty string?

Member

Let me know if you want me to work on the above

Member Author

I think a more maintainable solution would be for us to get arcade updated to support this scenario. Similar to Do not sign .js files by default (dotnet/arcade#15760).

cc @ellahathaway

Member

What's the SLA for things like this plus us taking a new arcade version (that we frequently revert?)

Member

In MSBuild you can't change an "Include" on an Item, as that's its ID. In order to modify the "Include", you need to remove the whole Item and then re-add it with the updated value.

Are you sure about that? AFAIU, with the ; the items will get split up, and they will become individual items. What do you get if you print the items with %(Identity)?

Member Author

Good call @radical. I tested it in an isolated csproj:

    <ItemGroup>
        <FileExtensionSignInfo Include=".ps1;.psd1;.psm1;.psc1;.py" Foo="bar" />
        <FileExtensionSignInfo Remove=".py" />
    </ItemGroup>

    <Target Name="PrintInfo" BeforeTargets="Build">
      <Message Importance="High" Text="FileExtensionSignInfo items:" />
      <Message Importance="High" Text="  @(FileExtensionSignInfo->'%(Identity) - %(Foo)')" />
    </Target>

Produces

image

@eerhardt eerhardt enabled auto-merge (squash) November 18, 2025 16:36
@eerhardt
Member Author

/backport to release/13.0

@github-actions
Contributor

Started backporting to release/13.0: https://github.com/dotnet/aspire/actions/runs/19473676064

@github-actions
Contributor

@eerhardt backporting to "release/13.0" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Patch format detection failed.
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@eerhardt eerhardt merged commit 6b8213b into dotnet:main Nov 18, 2025
582 of 585 checks passed
@eerhardt eerhardt deleted the UnsignPythonFiles branch November 18, 2025 16:40
@dotnet-policy-service dotnet-policy-service bot added this to the 13.1 milestone Nov 18, 2025
eerhardt added a commit to eerhardt/aspire that referenced this pull request Nov 18, 2025
* Remove .py files from being signed

Our python starter template has an Authenticode signature block in its .py files. These aren't wanted because users are meant to change these templates.

Fix dotnet#13004

* PR feedback
joperezr pushed a commit that referenced this pull request Nov 21, 2025
…13032)

* Remove .py files from being signed (#13005)

* Remove .py files from being signed

Our python starter template has an Authenticode signature block in its .py files. These aren't wanted because users are meant to change these templates.

Fix #13004

* PR feedback

* Don't sign JS files

We have .js files in our templates that are currently getting signed in our official builds. We don't want this, nor signing .py files. Exclude them both the same way - Update + CertificateName=None.
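The two mechanisms discussed in this thread side by side, as an added illustration rather than the repository's actual Signing.props: the ';'-separated Include that @radical pointed out is split into one item per extension, and the Update + CertificateName=None approach the follow-up commit settled on. The first ItemGroup is a stand-in for the items Arcade defines before the repo's props are evaluated (an assumption about ordering); the PrintSignInfo target is a diagnostic that fails if .py is still bound to a real certificate.

```xml
<Project>
  <!--
    Stand-in for the items Arcade's signing defaults create before this file
    is evaluated (assumption; the real list lives in Arcade, not here).
    Because Include is ';'-separated, each extension becomes its own item
    with its own %(Identity), which is why a Remove of just ".py" works.
  -->
  <ItemGroup>
    <FileExtensionSignInfo Include=".ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
    <FileExtensionSignInfo Include=".js" CertificateName="Microsoft400" />
  </ItemGroup>

  <!--
    Approach from the follow-up commit: keep the items, but override the
    certificate to "None" so the sign tool skips them. Unlike Remove + Include,
    this does not hard-code the rest of Arcade's extension list, so a later
    Arcade update that changes that list cannot silently re-sign (or drop)
    extensions this repo never meant to touch.
  -->
  <ItemGroup>
    <FileExtensionSignInfo Update=".py;.js" CertificateName="None" />
  </ItemGroup>

  <!-- Diagnostic: print each extension with the certificate it would be signed with,
       then fail the build if .py still carries anything other than "None". -->
  <Target Name="PrintSignInfo">
    <Message Importance="High"
             Text="@(FileExtensionSignInfo->'%(Identity) -> %(CertificateName)', '%0a')" />
    <Error Condition="'%(FileExtensionSignInfo.Identity)' == '.py' and '%(FileExtensionSignInfo.CertificateName)' != 'None'"
           Text=".py is still configured for signing with %(FileExtensionSignInfo.CertificateName)" />
  </Target>
</Project>
```

Run it stand-alone with `dotnet msbuild check.proj -t:PrintSignInfo`; the PowerShell extensions should still list Microsoft400 while .py and .js list None.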
Successfully merging this pull request may close these issues.

Python starter template has signed py files
