Updated signature verification to include DLLs

microsoft · Sep 1, 2021 · eacdf8f · eacdf8f
1 parent 483b34b
commit eacdf8f
Show file tree

Hide file tree

Showing 9 changed files with 204 additions and 54 deletions.
diff --git a/scripts/build/TestFx.Sign.props b/scripts/build/TestFx.Sign.props
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0">
+  <PropertyGroup>
+    <RepoRoot Condition=" '$(RepoRoot)' == '' ">$([MSBuild]::NormalizeDirectory('$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), 'LICENSE'))'))</RepoRoot>
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' ">$(RepoRoot)packages</NuGetPackageRoot>
+    <BuildConfiguration Condition=" '$(BuildConfiguration)' == '' ">Release</BuildConfiguration>
+
+    <TestFxSigningPropsImported>true</TestFxSigningPropsImported>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)key.snk</AssemblyOriginatorKeyFile>
+    <SignAssembly>true</SignAssembly>
+    <SignType Condition=" '$(SignType)' == '' ">Test</SignType>
+    <PublicSign Condition=" '$(IsLocalizedBuild)' == '' or '$(IsLocalizedBuild)' != 'true'">true</PublicSign>
+
+    <!-- Temporarily turning on Delay signing for Localized builds because publickey = true is not passed on to the assembler to create resource assmblies.-->
+    <DelaySign Condition=" '$(IsLocalizedBuild)' == 'true' ">true</DelaySign>
+    <OutputPath Condition=" '$(OutputPath)' == '' ">$(RepoRoot)artifacts\$(Configuration)\$(MSBuildProjectName)\</OutputPath>
+  </PropertyGroup>
+</Project>
diff --git a/scripts/build/TestFx.Sign.targets b/scripts/build/TestFx.Sign.targets
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project>
+  <PropertyGroup>
+    <TestFxSigningTargetsImported>true</TestFxSigningTargetsImported>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="$(MSBuildThisFileDirectory)key.snk">
+      <!-- Do not have this show up in Solution Explorer in VS -->
+      <InProject>false</InProject>
+    </None>
+  </ItemGroup>
+
+  <!-- Signing and Localization. -->
+  <ItemGroup Condition=" '$(IsTest)' == '' or '$(IsTest)' == 'false' ">
+    <FilesToSign Include="$(OutDir)\$(AssemblyName).dll" Condition=" '$(IsVsixProj)' == '' or '$(IsVsixProj)' != 'true' ">
+      <Authenticode>Microsoft400</Authenticode>
+      <StrongName>StrongName</StrongName>
+    </FilesToSign>
+
+    <SignFilesDependsOn Include="GatherLocalizedOutputsForSigning">
+      <!-- Do not have this show up in Solution Explorer in VS -->
+      <InProject>false</InProject>
+    </SignFilesDependsOn>
+  </ItemGroup>
+
+  <Target Name="GatherLocalizedOutputsForSigning" DependsOnTargets="TestFxLocalization">
+    <ItemGroup>
+      <FilesToSign Include="$(OutDir)\**\$(AssemblyName).resources.dll">
+        <Authenticode>Microsoft400</Authenticode>
+        <StrongName>StrongName</StrongName>
+      </FilesToSign>
+    </ItemGroup>
+  </Target>
+</Project>
diff --git a/scripts/build/TestFx.props b/scripts/build/TestFx.props
@@ -7,19 +7,14 @@
   </PropertyGroup>
 
   <Import Project="$(RepoRoot)eng\Versions.props" />
+  <Import Project="$(RepoRoot)scripts\build\TestFx.Sign.props" Condition=" '$(TestFxSigningPropsImported)' != 'true' " />
 
   <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
     <DefaultLanguage>en-US</DefaultLanguage>
     <FileAlignment>512</FileAlignment>
     <GenerateLCE>true</GenerateLCE>
-    <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)key.snk</AssemblyOriginatorKeyFile>
-    <SignAssembly>true</SignAssembly>
-    <PublicSign Condition=" '$(IsLocalizedBuild)' == '' or '$(IsLocalizedBuild)' != 'true'">true</PublicSign>
-    <!-- Temporarily turning on Delay signing for Localized builds because publickey = true is not passed on to the assembler to create resource assmblies.-->
-    <DelaySign Condition=" '$(IsLocalizedBuild)' == 'true' ">true</DelaySign>
-    <OutputPath Condition=" '$(OutputPath)' == '' ">$(RepoRoot)artifacts\$(Configuration)\$(MSBuildProjectName)\</OutputPath>
     <IntermediatePath Condition=" '$(IntermediatePath)' == '' ">$(RepoRoot)artifacts\$(Configuration)\$(MSBuildProjectName)\obj\</IntermediatePath>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>

diff --git a/scripts/build/TestFx.targets b/scripts/build/TestFx.targets
@@ -2,13 +2,7 @@
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <!-- Import localization specific Targets if enabled. -->
   <Import Project="$(MSBuildThisFileDirectory)TestFx.Loc.props" Condition=" ('$(IsTest)' == '' or '$(IsTest)' == 'false') and '$(IsLocalizationEnabled)' == 'true' "/>
-
-  <ItemGroup>
-    <None Include="$(MSBuildThisFileDirectory)key.snk">
-      <!-- Do not have this show up in Solution Explorer in VS -->
-      <InProject>false</InProject>
-    </None>
-  </ItemGroup>
+  <Import Project="$(RepoRoot)scripts\build\TestFx.Sign.targets" Condition=" '$(TestFxSigningTargetsImported)' != 'true' " />
 
   <!-- StyleCop settings. -->
   <ItemGroup Condition=" '$(ShouldEnableStyleCop)' != 'false' and '$(IsVsixProj)' != 'true'">
@@ -21,28 +15,6 @@
     <Analyzer Include="$(NuGetPackageRoot)\StyleCop.Analyzers\$(StyleCopAnalyzersVersion)\analyzers\dotnet\cs\StyleCop.Analyzers.dll" />
   </ItemGroup> 
 
-  <!-- Signing and Localization. -->
-  <ItemGroup Condition=" '$(IsTest)' == '' or '$(IsTest)' == 'false' ">
-    <FilesToSign Include="$(OutDir)\$(AssemblyName).dll" Condition=" '$(IsVsixProj)' == '' or '$(IsVsixProj)' != 'true' ">
-      <Authenticode>Microsoft400</Authenticode>
-      <StrongName>StrongName</StrongName>
-    </FilesToSign>
-
-    <SignFilesDependsOn Include="GatherLocalizedOutputsForSigning">
-      <!-- Do not have this show up in Solution Explorer in VS -->
-      <InProject>false</InProject>
-    </SignFilesDependsOn>
-  </ItemGroup>
-
-  <Target Name="GatherLocalizedOutputsForSigning" DependsOnTargets="TestFxLocalization">
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)\**\$(AssemblyName).resources.dll">
-        <Authenticode>Microsoft400</Authenticode>
-        <StrongName>StrongName</StrongName>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
   <!-- Generate AssemblyInfo.cs -->
   <PropertyGroup>
     <TFBuildNumber Condition=" '$(TFBuildNumber)' == '' ">0.1</TFBuildNumber>

diff --git a/scripts/common.lib.ps1 b/scripts/common.lib.ps1
@@ -294,4 +294,11 @@ function Install-DotNetCli {
   }
   catch {}
   Write-Log "Install-DotNetCli: Complete."
+}
+
+function Unzip
+{
+    param([string]$zipfile, [string]$outpath)
+
+    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
 }
diff --git a/scripts/verify-sign.ps1 b/scripts/verify-sign.ps1
@@ -8,49 +8,155 @@ Param(
     [Parameter(Mandatory=$false)]
     [ValidateSet("Debug", "Release")]
     [Alias("c")]
-    [System.String] $Configuration = "Debug"
+    [string] $Configuration = "Debug",
+    [string] $ArtifactsDirectory = "",
+    [switch] $Force
 )
 
 . $PSScriptRoot\common.lib.ps1
 
 #
 # Variables
 #
-$rootDirectory = (Get-Item (Split-Path $MyInvocation.MyCommand.Path)).Parent.FullName
+if(-not [string]::IsNullOrWhiteSpace($ArtifactsDirectory)) {
+    $TF_OUT_DIR = $ArtifactsDirectory
+}
 
 #
 # Signing configuration
 #
 Write-Verbose "Setup build configuration."
-$TPB_Configuration = $Configuration
 
-function Verify-NugetPackages
+$TF_Configuration = $Configuration
+$TF_AssembliesPattern = @("Microsoft.VisualStudio.TestPlatform.*.dll", "Microsoft.TestPlatform.*.dll")
+$script:ErrorCount = 0
+
+function Test-Assemblies ([string] $Path)
 {
-    Write-Log "Verify-NugetPackages: Start"
+    foreach ($pattern in $TF_AssembliesPattern) {
+    Get-ChildItem -Recurse -Include $pattern $Path 
+        | Where-Object { (!$_.PSIsContainer) }
+        | ForEach-Object {
+            $signature = Get-AuthenticodeSignature -FilePath $_.FullName
 
-    $nugetInstallPath = Locate-NuGet
+            if ($signature.Status -eq "Valid") {
+                if ($signature.SignerCertificate.Subject -eq "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") {
+                    Write-Debug "Valid: $($_.FullName)"
+                }
+                elseif ($signature.SignerCertificate.Subject -eq "CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") {
+                    Write-Debug "Valid (3rd Party): $($_.FullName)"
+                }
+                else {
+                    # For legacy components
+                    # CN=Microsoft Corporation, OU=AOC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+                    if ($signature.SignerCertificate.Thumbprint -eq "49D59D86505D82942A076388693F4FB7B21254EE") {
+                        Write-Debug "Valid (Prod Signed): $($_.FullName)."
+                    }
+                    else {
+                        Write-FailLog "Incorrect certificate. File: $($_.FullName). Certificate: $($signature.SignerCertificate.Thumbprint)."
+                    }
+                }
+            }
+            else {
+                Write-FailLog "Not signed. File: $($_.FullName)."
+            }
+        } 
+    }
+}
+
+function Test-NugetPackage ([string] $Path) {
+    $packageFolder = [System.IO.Path]::GetDirectoryName($Path)
+    $fileName = [System.IO.Path]::GetFileNameWithoutExtension($Path)
+    $out = Join-Path $packageFolder $fileName
+
+    try {
+        Write-ToCI "Verifing assemblies in $Path" -type "group"
+        Write-Debug "Extracting..."
+        if (Test-Path $out) {
+            if (-not $Force) {
+                Write-FailLog "Folder already exists: $out"
+                return
+            }
+
+            Remove-Item $out -Recurse -Force
+        }
 
-	Write-Log "Using nuget.exe installed at $nugetInstallPath"
+        Unzip $Path $out
+
+        Test-Assemblies $out
+    } finally {
+        if (Test-Path $out) {
+            Remove-Item $out -Recurse -Force
+        }
+        Write-ToCI -type "endgroup"
+    }
+}
+
+function Test-NugetPackages
+{
+    Write-Debug  "Test-NugetPackages"
+
+    $nugetInstallPath = Locate-NuGet
+    Write-Debug  "Using nuget.exe installed at $nugetInstallPath"
 
-    $artifactsDirectory = Join-Path $rootDirectory "artifacts"
-    $artifactsConfigDirectory = Join-Path $artifactsDirectory $TPB_Configuration
+    $artifactsConfigDirectory = Join-Path $TF_OUT_DIR $TF_Configuration
     $packagesDirectory = Join-Path $artifactsConfigDirectory "MSTestPackages"
+
     Get-ChildItem -Filter *.nupkg  $packagesDirectory | ForEach-Object {
-        & $nugetInstallPath verify -signature -CertificateFingerprint "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27;" $_.FullName
+        try {
+            Write-ToCI "Verifing $($_.FullName)" -type "group"
+            & $nugetInstallPath verify -signature -CertificateFingerprint "3F9001EA83C560D712C24CF213C3D312CB3BFF51EE89435D3430BD06B5D0EECE;AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27;" $_.FullName    
+            Test-NugetPackage -path $_.FullName
+        } finally {
+            Write-ToCI -type "endgroup"
+        }
     }
 
-    Write-Log "Verify-NugetPackages: Complete"
+    Write-Debug  "Test-NugetPackages: Complete"
+}
+
+function Write-FailLog ([string] $message)
+{
+    $script:ErrorCount = $script:ErrorCount + 1
+    Write-ToCI -message $message -type "error"
+}
+
+function Write-Debug ([string] $message)
+{
+    Write-ToCI -message $message -type "debug"
 }
 
-function Write-Log ([string] $message)
+function Write-ToCI ([string] $message, [string]$type, [switch]$vso)
 {
     $currentColor = $Host.UI.RawUI.ForegroundColor
-    $Host.UI.RawUI.ForegroundColor = "Green"
-    if ($message)
+
+    if($type -eq "error") {
+        $Host.UI.RawUI.ForegroundColor = "Red"
+    }
+
+    if ($message -or $vso -or $type)
     {
-        Write-Output "... $message"
+        $prefix = ""
+        if ($vso) {
+            $prefix = "vso"
+        }
+
+        Write-Output "##$prefix[$type]$message"
     }
     $Host.UI.RawUI.ForegroundColor = $currentColor
 }
 
-Verify-NugetPackages
+try {
+    Write-ToCI "Variables used: " -type "group"
+    Get-ChildItem variable:TF_*
+    Write-Output ""
+    Write-Output ""
+} finally {
+    Write-ToCI -type "endgroup"
+}
+
+Test-NugetPackages
+
+if ($script:ErrorCount -gt 0) {
+    Write-ToCI -message "Verification failed, $($script:ErrorCount) errors found!" -type "task.logissue" -vso
+}
diff --git a/src/Adapter/PlatformServices.NetCore/PlatformServices.NetCore.csproj b/src/Adapter/PlatformServices.NetCore/PlatformServices.NetCore.csproj
@@ -2,6 +2,7 @@
   <PropertyGroup>
     <FrameworkIdentifier>NetCore</FrameworkIdentifier>
   </PropertyGroup>
+
   <PropertyGroup>
     <RootNamespace>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</RootNamespace>
     <AssemblyName>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</AssemblyName>
@@ -14,6 +15,11 @@
     <SkipAppendingVersion>true</SkipAppendingVersion> <!-- TODO: remove after full arcade transition -->
   </PropertyGroup>
 
+  <ImportGroup>
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.targets" />
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.props" />
+  </ImportGroup>
+
   <ItemGroup>
     <ProjectReference Include="$(RepoRoot)src\TestFramework\Extension.Core\Extension.Core.csproj" />
     <ProjectReference Include="$(RepoRoot)src\TestFramework\MSTest.Core\MSTest.Core.csproj" />
@@ -77,5 +83,4 @@
       <CustomToolNamespace>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</CustomToolNamespace>
     </EmbeddedResource>
   </ItemGroup>
-
 </Project>
diff --git a/src/Adapter/PlatformServices.WinUI/PlatformServices.WinUI.csproj b/src/Adapter/PlatformServices.WinUI/PlatformServices.WinUI.csproj
@@ -2,6 +2,7 @@
   <PropertyGroup>
     <FrameworkIdentifier>NetCore</FrameworkIdentifier>
   </PropertyGroup>
+
   <PropertyGroup>
     <RootNamespace>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</RootNamespace>
     <AssemblyName>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</AssemblyName>
@@ -18,6 +19,11 @@
     <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
   </PropertyGroup>
 
+  <ImportGroup>
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.targets" />
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.props" />
+  </ImportGroup>
+
   <ItemGroup>
     <ProjectReference Include="$(RepoRoot)src\Adapter\PlatformServices.Interface\PlatformServices.Interface.csproj" />
     <ProjectReference Include="$(RepoRoot)src\TestFramework\Extension.Core\Extension.Core.csproj" />
@@ -98,5 +104,4 @@
       <CustomToolNamespace>Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices</CustomToolNamespace>
     </EmbeddedResource>
   </ItemGroup>
-
 </Project>
diff --git a/src/TestFramework/Extension.WinUI/Extension.WinUI.csproj b/src/TestFramework/Extension.WinUI/Extension.WinUI.csproj
@@ -20,6 +20,11 @@
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
     <RuntimeIdentifiers>win10-x86;win10-x64;win10-arm64</RuntimeIdentifiers>
   </PropertyGroup>
+
+  <ImportGroup>
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.targets" />
+    <Import Project="$(NuGetPackageRoot)\Microbuild.Core\$(MicroBuildCoreVersion)\build\Microbuild.Core.props" />
+  </ImportGroup>
 
   <ItemGroup> 
     <FrameworkReference Update="Microsoft.Windows.SDK.NET.Ref" RuntimeFrameworkVersion="10.0.18362.16" /> 
@@ -43,5 +48,4 @@
     <DocumentationFile>$(OutputPath)\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.XML</DocumentationFile>
     <LocDocumentationSubPath>Extensions\WinUI</LocDocumentationSubPath>
   </PropertyGroup>
-
 </Project>