Arcade SDK: Run signcheck against all build outputs of real-signed CI #1444
Comments
|
Example: dotnet/aspnetcore#4429. SignTool didn't catch that we had unsigned files in mpack's. |
|
We should integrate this validation to the asset publishing infrastructure. That's the funnel thru which all assets that we publish go thru. |
|
Could we also run it during the CI build? It would be nice to fail faster if something isn't properly code signed. |
|
CI build doesn't sign anything, right? Only official build does. |
That's what I meant by "CI build". As the issue title says, I think we should run signcheck against all outputs of real-signed builds. |
|
Official build executes Arcade publish task, so it would be exactly what you asking for. In general, not all build outputs are signed. Only outputs that are being published. |
|
We should definitely turn on signing validation for every build we sign. I'm not sure I care much if it's dong right before we publish or right after we sign. Backing it directly into publish seems like it might overload publish too much....but, I don't care much. Regardless, let's get signing validation for sure. |
|
After further discussion - the current though is to add to the the AzDO release pipeline as part of the publish refactoring work. cc/ @JohnTortugo |
This repo now contains and produces the SignCheck tool (see src/SignCheck/), but the Arcade SDK isn't actually consuming this. This tool checks for code signing in scenarios not supported yet by SignTool.
Scenarios signcheck covers which (I don't believe) SignTool verifies:
The text was updated successfully, but these errors were encountered: