[ci] Split up signing for files to be notarized (#7321)

The signing steps that run on macOS to prepare a PKG for notarization have been slow and are frequently failing. Attempt to fix this by splitting up the files we send to ESRP on macOS into multiple batches to hopefully put less pressure on the service. A `signClassicPkgContent` parameter has also been added to allow us to skip these steps while testing, or when building .NET release branches if needed. MicroBuild tooling has also been updated to the latest versions.
dotnet · Aug 30, 2022 · ad187d8 · ad187d8
1 parent 29051d4
commit ad187d8
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 99 deletions.
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -43,7 +43,7 @@
   <!-- Common <PackageReference/> versions -->
   <PropertyGroup>
     <LibZipSharpVersion>2.0.4</LibZipSharpVersion>
-    <MicroBuildCoreVersion>0.4.1</MicroBuildCoreVersion>
+    <MicroBuildCoreVersion>1.0.0</MicroBuildCoreVersion>
     <MonoCecilVersion>0.11.4</MonoCecilVersion>
     <NewtonsoftJsonPackageVersion>13.0.1</NewtonsoftJsonPackageVersion>
     <NuGetApiPackageVersion>5.4.0</NuGetApiPackageVersion>

diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
@@ -40,6 +40,9 @@ parameters:
 - name: provisionatorChannel
   type: string
   default: latest           # Support for launching a build against a Provisionator PR (e.g., pr/[github-account-name]/[pr-number]) as a means to test in-progress Provisionator changes
+- name: signClassicPkgContent
+  type: boolean
+  default: true             # Queue time variable that can be used to skip classic pkg signing
 
 # Global variables
 variables:
@@ -108,6 +111,7 @@ stages:
     - template: yaml-templates/commercial-build.yaml
       parameters:
         provisionatorChannel: ${{ parameters.provisionatorChannel }}
+        signClassicPkgContent: ${{ parameters.signClassicPkgContent }}
 
     - template: yaml-templates/remove-microbuild-tooling.yaml
       parameters:

diff --git a/build-tools/automation/yaml-templates/commercial-build.yaml b/build-tools/automation/yaml-templates/commercial-build.yaml
@@ -2,6 +2,7 @@ parameters:
   xaSourcePath: $(System.DefaultWorkingDirectory)/xamarin-android
   makeMSBuildArgs: ''
   provisionatorChannel: latest
+  signClassicPkgContent: true
 
 steps:
 - script: echo "##vso[task.setvariable variable=JI_JAVA_HOME]$HOME/android-toolchain/jdk-11"
@@ -63,15 +64,52 @@ steps:
     msbuildArguments: /t:Restore /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/restore-sign-content.binlog
 
 - task: MSBuild@1
-  displayName: sign and harden classic installer content
+  displayName: PKG signing - add entitlements and sign classic libraries
   inputs:
     solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
     configuration: $(XA.Build.Configuration)
     msbuildArguments: >-
-      /t:AddMachOEntitlements;Build
+      /t:AddMachOEntitlements;AddMSBuildFilesUnixSign;Build
       /p:SignType=$(MicroBuildSignType)
       /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
       /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
+  condition: and(succeeded(), eq('${{ parameters.signClassicPkgContent }}', 'true'))
+
+- task: MSBuild@1
+  displayName: PKG signing - sign classic executables
+  inputs:
+    solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
+    configuration: $(XA.Build.Configuration)
+    msbuildArguments: >-
+      /t:AddMSBuildFilesUnixSignAndHarden;Build
+      /p:SignType=$(MicroBuildSignType)
+      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
+      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
+  condition: and(succeeded(), eq('${{ parameters.signClassicPkgContent }}', 'true'))
+
+- task: MSBuild@1
+  displayName: PKG signing - sign binutils libraries
+  inputs:
+    solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
+    configuration: $(XA.Build.Configuration)
+    msbuildArguments: >-
+      /t:AddBinUtilsFilesUnixSign;Build
+      /p:SignType=$(MicroBuildSignType)
+      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
+      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
+  condition: and(succeeded(), eq('${{ parameters.signClassicPkgContent }}', 'true'))
+
+- task: MSBuild@1
+  displayName: PKG signing - sign binutils executables
+  inputs:
+    solution: ${{ parameters.xaSourcePath }}/build-tools/installers/sign-content.proj
+    configuration: $(XA.Build.Configuration)
+    msbuildArguments: >-
+      /t:AddBinUtilsFilesUnixSignAndHarden;Build
+      /p:SignType=$(MicroBuildSignType)
+      /p:MicroBuildOverridePluginDirectory=$(Build.StagingDirectory)/MicroBuild/Plugins
+      /bl:${{ parameters.xaSourcePath }}/bin/Build$(XA.Build.Configuration)/sign-content.binlog
+  condition: and(succeeded(), eq('${{ parameters.signClassicPkgContent }}', 'true'))
 
 - script: make create-installers CONFIGURATION=$(XA.Build.Configuration) MSBUILD_ARGS='${{ parameters.makeMSBuildArgs }}'
   workingDirectory: ${{ parameters.xaSourcePath }}

diff --git a/build-tools/automation/yaml-templates/install-microbuild-tooling.yaml b/build-tools/automation/yaml-templates/install-microbuild-tooling.yaml
@@ -15,7 +15,7 @@ steps:
     version: '2.8.0'
     condition: and(${{ parameters.condition }}, eq(variables['agent.os'], 'Darwin'))
 
-- task: MicroBuildSigningPlugin@3
+- task: MicroBuildSigningPlugin@4
   displayName: install signing plugin
   condition: ${{ parameters.condition }}
   inputs:

diff --git a/build-tools/installers/create-installers.targets b/build-tools/installers/create-installers.targets
@@ -368,15 +368,12 @@
     <_MSBuildLibHostFilesWin Include="$(MicrosoftAndroidSdkOutDir)lib\host-mxe-Win64\libxa-internal-api.dll" Condition=" '$(HostOS)' != 'Windows' " />
   </ItemGroup>
   <ItemDefinitionGroup>
-    <_MSBuildFilesUnixSign>
-      <CodeSign>True</CodeSign>
-    </_MSBuildFilesUnixSign>
     <_MSBuildFilesUnixSignAndHarden>
-      <CodeSign>True</CodeSign>
-      <HardenRuntime>True</HardenRuntime>
-      <EntitlementsPath>$(DefaultRuntimeEntitlementsPath)</EntitlementsPath>
       <Permission>755</Permission>
     </_MSBuildFilesUnixSignAndHarden>
+    <_BinUtilsFilesUnixSignAndHarden>
+      <Permission>755</Permission>
+    </_BinUtilsFilesUnixSignAndHarden>
   </ItemDefinitionGroup>
   <Import Project="unix-binutils.projitems" />
   <ItemGroup>
@@ -498,7 +495,7 @@
       <LegacyMSBuildItemsWin Include="@(_LegacyJIFiles);@(JIUtilityFile->'$(LegacyMSBuildSrcDir)%(Identity)')">
         <RelativePath>%(Filename)%(Extension)</RelativePath>
       </LegacyMSBuildItemsWin>
-      <MSBuildItemsUnix Include="@(_MSBuildFiles);@(_MSBuildFilesUnix);@(_MSBuildFilesUnixSign);@(_MSBuildFilesUnixSignAndHarden)">
+      <MSBuildItemsUnix Include="@(_MSBuildFiles);@(_MSBuildFilesUnix);@(_MSBuildFilesUnixSign);@(_MSBuildFilesUnixSignAndHarden);@(_BinUtilsFilesUnixSign);@(_BinUtilsFilesUnixSignAndHarden)">
         <RelativePath>$([MSBuild]::MakeRelative($(MicrosoftAndroidSdkOutDir), %(FullPath)))</RelativePath>
       </MSBuildItemsUnix>
       <MSBuildItemsUnix Include="@(_MSBuildTargetsSrcFiles)">

diff --git a/build-tools/installers/sign-content.proj b/build-tools/installers/sign-content.proj
@@ -31,19 +31,46 @@ ourself (using an empty signing identity) before passing these files to ESRP.
   </ItemGroup>
 
   <Target Name="AddMachOEntitlements" >
-    <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;%(_MSBuildFilesUnixSignAndHarden.EntitlementsPath)&quot; &quot;%(_MSBuildFilesUnixSignAndHarden.Identity)&quot;" />
+    <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_MSBuildFilesUnixSignAndHarden.Identity)&quot;" />
+    <Exec Command="codesign -vvvv -f -s - -o runtime --entitlements &quot;$(DefaultRuntimeEntitlementsPath)&quot; &quot;%(_BinUtilsFilesUnixSignAndHarden.Identity)&quot;" />
+  </Target>
+
+  <Target Name="AddMSBuildFilesUnixSign" >
     <ItemGroup>
       <FilesToSign Include="@(_MSBuildFilesUnixSign)">
         <Authenticode>MacDeveloperVNext</Authenticode>
         <Zip>true</Zip>
       </FilesToSign>
+    </ItemGroup>
+  </Target>
+
+  <Target Name="AddMSBuildFilesUnixSignAndHarden" >
+    <ItemGroup>
       <FilesToSign Include="@(_MSBuildFilesUnixSignAndHarden)">
         <Authenticode>MacDeveloperVNextHarden</Authenticode>
         <Zip>true</Zip>
       </FilesToSign>
     </ItemGroup>
   </Target>
 
+  <Target Name="AddBinUtilsFilesUnixSign" >
+    <ItemGroup>
+      <FilesToSign Include="@(_BinUtilsFilesUnixSign)">
+        <Authenticode>MacDeveloperVNext</Authenticode>
+        <Zip>true</Zip>
+      </FilesToSign>
+    </ItemGroup>
+  </Target>
+
+  <Target Name="AddBinUtilsFilesUnixSignAndHarden" >
+    <ItemGroup>
+      <FilesToSign Include="@(_BinUtilsFilesUnixSignAndHarden)">
+        <Authenticode>MacDeveloperVNextHarden</Authenticode>
+        <Zip>true</Zip>
+      </FilesToSign>
+    </ItemGroup>
+  </Target>
+
   <Target Name="AddVsixContent" >
     <RemoveDir Directories="$(UnzippedVsixDir)" />
     <MakeDir Directories="$(UnzippedVsixDir)" />