Switch to new Microsoft.DotNet.SharedFramework.Sdk and refactor Host/Installer build subsets

Build.proj

@@ -12,16 +12,6 @@
     <ProjectReference Include="@(ProjectToBuild)" />
   </ItemGroup>
 
-  <!--
-    Exclude installer depproj and pkgproj from static graph restore. We restore them below.
-    Remove when https://github.com/NuGet/Home/issues/9398 is fixed.
-  -->
-  <ItemGroup Condition="'$(MSBuildRestoreSessionId)' != ''">
-    <ProjectReference Remove="@(DepprojProjectToBuild)"  />
-    <ProjectReference Remove="@(PkgprojProjectToBuild)" />
-    <ProjectReference Remove="@(BundleProjectToBuild)" />
-  </ItemGroup>
-
   <!-- Custom arcade target which isn't available in Microsoft.Build.Traversal. -->
   <Target Name="Rebuild" DependsOnTargets="Clean;Build" />
 
@@ -36,12 +26,4 @@
     <MSBuild Projects="$(RepoTasksDir)tasks.proj"
              Targets="BuildAndRestoreIncrementally"/>
   </Target>
-
-  <Target Name="RestoreWithoutStaticGraph"
-          BeforeTargets="Restore">
-    <MSBuild Projects="@(DepprojProjectToBuild);@(PkgprojProjectToBuild);@(BundleProjectToBuild)"
-             Properties="MSBuildRestoreSessionId=$([System.Guid]::NewGuid());RestoreUseStaticGraphEvaluation=false"
-             Targets="Restore" />
-  </Target>
-
 </Project>

eng/Signing.props

@@ -1,4 +1,4 @@
-<Project>
+<Project InitialTargets="SetupFilesToSign">
 
   <!-- If this file was pulled in via prepare-artifacts.proj (a non-SDK project, these files are already
        imported. -->
@@ -12,7 +12,7 @@
 
       During post build signing, there are no packages to sign during SignFinalPackages.
     -->
-    <AllowEmptySignList Condition="'$(SignFinalPackages)' != 'true' or '$(PostBuildSign)' == 'true'">true</AllowEmptySignList>
+    <AllowEmptySignList>true</AllowEmptySignList>
   </PropertyGroup>
 
   <ItemGroup>
@@ -22,10 +22,6 @@
     -->
     <ItemsToSign Remove="@(ItemsToSign)" />
 
-    <!-- Find bundle artifacts, which need multiple stages to fully sign. -->
-    <BundleInstallerEngineArtifact Include="$(ArtifactsPackagesDir)**/*engine.exe" />
-    <BundleInstallerExeArtifact Include="$(ArtifactsPackagesDir)**/*.exe" />
-
     <!-- apphost and comhost template files are not signed, by design. -->
     <FileSignInfo Include="apphost.exe;singlefilehost.exe;comhost.dll" CertificateName="None" />
 
@@ -49,126 +45,32 @@
     <FileExtensionSignInfo Include=".deb;.rpm" CertificateName="LinuxSign" />
   </ItemGroup>
 
-  <!-- When doing post build signing, the file containers (e.g. nupkg, msi, etc.) are
-       processed for signing (opened up, individually signed, etc.) and these individual ItemsToSign
-       elements are unnecessary. When signing within the build, we need to individually process
-       dll's, exes, etc. that go into msi's because these containers are not able to be processed
-       by SignTool after they are packed up. What makes this possible for post build signing
-       is that the build will produce a zip file containing the inputs to the Wix light linker
-       which can be used to create the installer later, after the inputs have been signed and replaced. -->
-  <Choose>
-    <When Condition="'$(PostBuildSign)' != 'true'">
-      <ItemGroup Condition="'$(SignBinaries)' == 'true'">
-        <!-- Sign CoreCLR. -->
-        <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)*.dll" />
-        <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)*.exe" />
-
-        <ItemsToSign Include="$(CoreCLRArtifactsPath)System.Private.CoreLib.dll" />
-
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)crossgen2.exe" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)crossgen2.dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)ILCompiler.DependencyAnalysisFramework.dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)ILCompiler.ReadyToRun.dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)ILCompiler.TypeSystem.ReadyToRun.dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)jitinterface_$(TargetArchitecture).dll" />
-
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)clrjit_win_x86_$(TargetArchitecture).dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)clrjit_win_arm_$(TargetArchitecture).dll" />
-        <ItemsToSign Include="$(CoreCLRCrossgen2Dir)clrjit_unix_arm_$(TargetArchitecture).dll" />
-        <ItemsToSign Condition="'$(TargetArchitecture)' == 'arm64' or '$(TargetArchitecture)' == 'x64'" Include="$(CoreCLRCrossgen2Dir)clrjit_win_x64_$(TargetArchitecture).dll" />
-        <ItemsToSign Condition="'$(TargetArchitecture)' == 'arm64' or '$(TargetArchitecture)' == 'x64'" Include="$(CoreCLRCrossgen2Dir)clrjit_win_arm64_$(TargetArchitecture).dll" />
-        <ItemsToSign Condition="'$(TargetArchitecture)' == 'arm64' or '$(TargetArchitecture)' == 'x64'" Include="$(CoreCLRCrossgen2Dir)clrjit_unix_x64_$(TargetArchitecture).dll" />
-        <ItemsToSign Condition="'$(TargetArchitecture)' == 'arm64' or '$(TargetArchitecture)' == 'x64'" Include="$(CoreCLRCrossgen2Dir)clrjit_unix_arm64_$(TargetArchitecture).dll" />
-
-        <ItemsToSign Include="$(CoreCLRArtifactsPath)$(CoreCLRCrossTargetComponentDirName)/sharedFramework/*.dll" Condition="'$(CoreCLRCrossTargetComponentDirName)' != ''" />
-        <ItemsToSign Include="$(CoreCLRArtifactsPath)$(CoreCLRCrossTargetComponentDirName)/sharedFramework/*.exe" Condition="'$(CoreCLRCrossTargetComponentDirName)' != ''" />
-
-        <!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK. -->
-        <ItemsToSign
-          Condition="'$(Configuration)' == 'Release' and '$(TargetArchitecture)' == 'x86'"
-          Include="$(CoreCLRArtifactsPath)Redist\ucrt\DLLs\$(TargetArchitecture)\api-ms-win-core-xstate-l2-1-0.dll" />
-
-        <!-- Sign libraries. -->
-        <ItemsToSign Include="$(LibrariesNativeArtifactsPath)*.dll" />
-        <ItemsToSign Include="$(LibrariesSharedFrameworkRefArtifactsPath)*.dll" />
-        <!-- Most runtime artifacts will be crossgenned, so sign them post-crossgen. mscorlib isn't. -->
-        <ItemsToSign Include="$(LibrariesSharedFrameworkBinArtifactsPath)mscorlib.dll" />
-
-        <!-- Sign the host. -->
-        <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/hostfxr.dll" />
-        <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/hostpolicy.dll" />
-        <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/dotnet.exe" />
-        <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/ijwhost.dll" />
-        <ItemsToSign Include="$(BaseOutputRootPath)corehost/**/nethost.dll" />
-
-        <!-- Sign managed libraries in installer subset. -->
-        <ItemsToSign Include="$(ArtifactsBinDir)Microsoft.NET.HostModel/**/*.dll" />
-      </ItemGroup>
-
-      <!-- Sign ready-to-run binaries after crossgen is applied. -->
-      <ItemGroup Condition="'$(SignR2RBinaries)' == 'true'">
-        <ItemsToSign Include="$(CrossGenRootPath)**/*.dll" />
-      </ItemGroup>
-
-      <ItemGroup Condition="'$(SignMsiFiles)' == 'true'">
-        <ItemsToSign Include="$(ArtifactsPackagesDir)**/*.msi" />
-        <ItemsToSign Include="$(ArtifactsPackagesDir)**/*.cab" />
-      </ItemGroup>
-
-      <ItemGroup Condition="'$(SignBurnEngineFiles)' == 'true'">
-        <ItemsToSign Include="@(BundleInstallerEngineArtifact)" />
-      </ItemGroup>
-
-      <ItemGroup Condition="'$(SignBurnBundleFiles)' == 'true'">
-        <!-- Sign the bundles, now that the engine is reattached. Avoid re-signing the engine. -->
-        <ItemsToSign
-          Include="@(BundleInstallerExeArtifact)"
-          Exclude="@(BundleInstallerEngineArtifact)" />
-        <!-- Note: wixstdba is internal to the engine bundle and does not get signed. -->
-      </ItemGroup>
-
-      <ItemGroup Condition="'$(SignFinalPackages)' == 'true'">
-        <DownloadedSymbolPackages Include="$(DownloadDirectory)**\*.symbols.nupkg" />
-        <ItemsToSign Include="$(DownloadDirectory)**\*.nupkg" Exclude="@(DownloadedSymbolPackages)" />
-
-        <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages
-        that have a specific version of assets that are only meant to be indexed in symbol servers.
-        Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing. -->
-        <ItemsToSign Include="$(DownloadDirectory)**\*CrossOsDiag*.symbols.nupkg" />
-
-        <ItemsToSign Include="$(DownloadDirectory)**\*.deb" />
-        <ItemsToSign Include="$(DownloadDirectory)**\*.rpm" />
-      </ItemGroup>
-    </When>
-
-    <!-- When doing post build signing, we sign all artifacts we would push.
-         Symbol packages are included too. -->
-    <When Condition="'$(PostBuildSign)' == 'true'">
-      <ItemGroup>
-        <ItemsToSignWithPaths Include="$(DownloadDirectory)**/*.msi" Condition="'$(PrepareArtifacts)' == 'true'" />
-        <ItemsToSignWithPaths Include="$(DownloadDirectory)**/*.exe" Condition="'$(PrepareArtifacts)' == 'true'" />
-        <ItemsToSignWithPaths Include="$(DownloadDirectory)**/*.nupkg" Condition="'$(PrepareArtifacts)' == 'true'" />
-        <ItemsToSignWithPaths Include="$(DownloadDirectory)**/*.zip" Condition="'$(PrepareArtifacts)' == 'true'" />
-
-        <ItemsToSignWithoutPaths Include="@(ItemsToSignWithPaths->'%(Filename)%(Extension)')" />
-        <ItemsToSignPostBuild Include="@(ItemsToSignWithoutPaths->Distinct())" />
-      </ItemGroup>
-
-      <!-- Even when doing post build signing, sign mscordaccore*.dll and mscordbi.dll -->
-      <ItemGroup Condition="'$(SignBinaries)' == 'true'">
-        <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)mscordaccore*.dll" />
-        <ItemsToSign Include="$(CoreCLRSharedFrameworkDir)mscordbi.dll" />
-        <ItemsToSign Include="$(CoreCLRArtifactsPath)$(CoreCLRCrossTargetComponentDirName)/sharedFramework/mscordaccore*.dll" Condition="'$(CoreCLRCrossTargetComponentDirName)' != ''" />
-        <ItemsToSign Include="$(CoreCLRArtifactsPath)$(CoreCLRCrossTargetComponentDirName)/sharedFramework/mscordbi.dll" Condition="'$(CoreCLRCrossTargetComponentDirName)' != ''" />
-      </ItemGroup>
-
-      <ItemGroup Condition="'$(SignFinalPackages)' == 'true'">
-        <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages
-        that have a specific version of assets that are only meant to be indexed in symbol servers.
-        Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing. -->
-        <ItemsToSign Include="$(DownloadDirectory)**\*CrossOsDiag*.nupkg" />
-      </ItemGroup>
-    </When>
-  </Choose>
+  <Target Name="SetupFilesToSign">
+    <!-- Ensure that we don't miss the DAC or DBI with the globbing below -->
+    <PropertyGroup Condition="'$(SignDiagnostics)' == 'true'">
+      <AllowEmptySignList>false</AllowEmptySignList>
+    </PropertyGroup>
+
+    <ItemGroup Condition="'$(SignDiagnostics)' == 'true'">
+      <ItemsToSign Include="$(DiagnosticsFilesRoot)/**/mscordaccore*.dll" />
+      <ItemsToSign Include="$(DiagnosticsFilesRoot)/**/mscordbi.dll" />
+      <!--
+        The DAC should be signed with the SHA2 cert (both long and short name).
+        We already add the short-name DAC above, so add the long-name DAC here.
+      -->
+      <DacFileSignInfo Include="@(ItemsToSign->'%(FileName)%(Extension)')"
+                    Condition="$([System.String]::new('%(FileName)').StartsWith('mscordaccore'))" />
+      <FileSignInfo Include="@(DacFileSignInfo->ClearMetadata()->Distinct())"
+                    Exclude="mscordaccore.dll"
+                    CertificateName="MicrosoftSHA2" />
+    </ItemGroup>
+
+    <ItemGroup Condition="'$(SignFinalPackages)' == 'true'">
+      <!-- The cross OS diagnostics symbol packages need to be signed as they are the only packages
+      that have a specific version of assets that are only meant to be indexed in symbol servers.
+      Since only *symbols.nupkg get indexed, and installer doesn't produce these, we need to glob them for signing. -->
+      <ItemsToSign Include="$(DownloadDirectory)**\*CrossOsDiag*.nupkg" />
+    </ItemGroup>
+  </Target>
 
 </Project>