Enable signing in the VMR official pipeline

dotnet · Dec 18, 2024 · 66c74fc · 66c74fc
1 parent a83c58d
commit 66c74fc
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 11 deletions.
diff --git a/eng/pipelines/templates/jobs/vmr-build.yml b/eng/pipelines/templates/jobs/vmr-build.yml
@@ -161,6 +161,21 @@ jobs:
   - name: runTestsTimeout
     value: 30
 
+  - ${{ if or(eq(parameters.useDevVersions, 'True'), eq(variables['System.TeamProject'], 'public')) }}:
+    - name: _SignType
+      value: ''
+  - ${{ elseif in(variables['Build.Reason'], 'PullRequest') }}:
+    - ${{ if eq(variables['Agent.OS'], 'Windows_NT') }}:
+      - name: _SignType
+        value: test
+    - ${{ else }}:
+      # Test signing is not supported on non-Windows platforms
+      - name: _SignType
+        value: ''
+  - ${{ else }}:
+    - name: _SignType
+      value: real
+
   - ${{ if parameters.isBuiltFromVmr }}:
     - name: vmrPath
       value: $(Build.SourcesDirectory)
@@ -287,6 +302,12 @@ jobs:
         fi
       displayName: Setup Previously Source-Built SDK
 
+  - ${{ if and(eq(parameters.sign, 'True'), ne(parameters.buildSourceOnly, 'True')) }}:
+    - template: ${{ variables['Build.SourcesDirectory'] }}/eng/common/core-templates/steps/install-microbuild.yml
+      parameters:
+        enableMicrobuild: true
+        enableMicrobuildForMacAndLinux: true
+
   - ${{ if eq(parameters.targetOS, 'windows') }}:
     # Node 20.x is a toolset dependency to build aspnetcore
     # Keep in sync with aspnetcore: https://github.com/dotnet/aspnetcore/blob/7d5309210d8f7bae8fa074da495e9d009d67f1b4/.azure/pipelines/ci.yml#L719-L722
@@ -297,7 +318,12 @@ jobs:
 
     - script: |
         set extraBuildArguments=
-        if /I '${{ parameters.sign }}'=='True' (if /I NOT '${{ parameters.buildSourceOnly }}'=='True' (set extraBuildArguments=%extraBuildArguments% -sign))
+
+        set signArgs=/p:ForceDryRunSigning=true
+        if /I '$(_SignType)'=='real' set signArgs=/p:DotNetSignType=real /p:TeamName=$(_TeamName)
+        if /I '$(_SignType)'=='test' set signArgs=/p:DotNetSignType=test /p:TeamName=$(_TeamName)
+        if /I '${{ parameters.sign }}'=='True' if /I NOT '${{ parameters.buildSourceOnly }}'=='True' set extraBuildArguments=%extraBuildArguments% -sign %signArgs%
+
         if /I '${{ parameters.useDevVersions }}'=='True' set extraBuildArguments=%extraBuildArguments% -dev
         set extraBuildProperties=
         if not [${{ parameters.buildPass }}]==[] set extraBuildProperties=%extraBuildProperties% /p:DotNetBuildPass=${{ parameters.buildPass }}
@@ -389,6 +415,12 @@ jobs:
 
         if [[ '${{ parameters.sign }}' == 'True' ]] && [[ '${{ parameters.buildSourceOnly }}' != 'True' ]]; then
           customBuildArgs="$customBuildArgs --sign"
+          if [[ '$(_SignType)' == 'real' ]] || [[ '$(_SignType)' == 'test' ]]; then
+            # Force dry run signing until https://github.com/dotnet/source-build/issues/4793 is resolved - https://github.com/dotnet/source-build/issues/4678
+            extraBuildProperties="$extraBuildProperties /p:DotNetSignType=$(_SignType) /p:TeamName=$(_TeamName) /p:ForceDryRunSigning=true"
+          else
+            extraBuildProperties="$extraBuildProperties /p:ForceDryRunSigning=true"
+          fi
         fi
 
         if [[ -n "${{ parameters.targetRid }}" ]]; then
@@ -503,6 +535,12 @@ jobs:
         displayName: Run Tests
         timeoutInMinutes: ${{ variables.runTestsTimeout }}
 
+  - ${{ if and(eq(parameters.sign, 'True'), ne(parameters.buildSourceOnly, 'True')) }}:
+    - template: ${{ variables['Build.SourcesDirectory'] }}/eng/common/core-templates/steps/cleanup-microbuild.yml
+      parameters:
+        enableMicrobuild: true
+        enableMicrobuildForMacAndLinux: true
+
   - task: CopyFiles@2
     displayName: Prepare BuildLogs staging directory
     inputs:

diff --git a/eng/pipelines/templates/variables/vmr-build.yml b/eng/pipelines/templates/variables/vmr-build.yml
@@ -12,6 +12,9 @@ variables:
   - name: VmrBranch
     value: ${{ replace(replace(variables['Build.SourceBranch'], 'refs/heads/', ''), 'refs/pull/', '') }}
 
+- name: _TeamName
+  value: DotNetCore
+
 - name: almaLinuxContainerName
   value: almaLinuxContainer
 - name: almaLinuxContainerImage

diff --git a/src/SourceBuild/content/build.sh b/src/SourceBuild/content/build.sh
@@ -131,11 +131,6 @@ while [[ $# > 0 ]]; do
       ;;
     -sign)
       properties+=( "/p:Sign=true" )
-      # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
-      # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
-      # and won't be the case for official builds until more of the real signing infra is functional.
-      # https://github.com/dotnet/source-build/issues/4678
-      properties+=( "/p:ForceDryRunSigning=true" )
       ;;
 
     # Source-only settings

diff --git a/src/SourceBuild/content/eng/build.ps1 b/src/SourceBuild/content/eng/build.ps1
@@ -68,11 +68,6 @@ if ($test) {
 
 if ($sign) {
   $arguments += "/p:Sign=true"
-  # Force dry run signing for now. In typical VMR builds, the official build ID is set for each repo, which
-  # tells the signing infra that it should expect to see signed bits. This won't be the case in CI builds,
-  # and won't be the case for official builds until more of the real signing infra is functional.
-  # https://github.com/dotnet/source-build/issues/4678
-  $arguments +=  "/p:ForceDryRunSigning=true"
 }
 
 if ($buildRepoTests) {