From 2d4af4a49af4f39373620c79f2a026d2817a7952 Mon Sep 17 00:00:00 2001 From: Omair Majid Date: Wed, 1 Mar 2023 18:17:50 -0500 Subject: [PATCH 1/2] Allow PublicSign=true even if full keys are available In certain environments - such as RHEL 9 - full signing does not work. That's because full signing requires SHA1 which is considered weak and was disabled in OpenSSL. Trying to use full signing leads to an Interop+Crypto+OpenSslCryptographicException. For more details, see https://github.com/dotnet/runtime/issues/65874. In contrast, public signing doesn't use SHA1 and works fine in these environments. To make sure we can still build projects in those environments using arcade, allow arcade consumers to select public signing even when we have all the keys for full signing. Fixes: #12515 --- .../tools/StrongName.targets | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets b/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets index bc69424a623..60de17fa7ad 100644 --- a/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets +++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets @@ -5,6 +5,12 @@ + false @@ -63,7 +69,7 @@ $(OpenPublicKey) cc7b13ffcd2ddd51 false - false + false From ed22cce3cdd6d3fe53e742c1b186ca078139a1a8 Mon Sep 17 00:00:00 2001 From: Omair Majid Date: Mon, 6 Mar 2023 13:05:14 -0500 Subject: [PATCH 2/2] Fix typo in src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets Co-authored-by: Matt Mitchell --- src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets b/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets index 60de17fa7ad..4cfd4bd186b 100644 --- a/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets +++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/StrongName.targets 
@@ -8,7 +8,7 @@ FullAssemblySigningSupported "false" to use public signing even when full signing is possible. This is useful in environments where full signing is non-functional or not desired. For example, in some Linux distributions RSA+SHA1 (required for full signing) is not - functional/availalbe, and trying to use full signing results in the runtime + functional/available, and trying to use full signing results in the runtime throwing an exception. For more details and an example, see https://github.com/dotnet/runtime/issues/65874. StrongNameKeyId The id of the key used for strong name generation
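Review bot: In PATCH 1/2, hunk @@ -5,6 +5,12 @@, the new FullAssemblySigningSupported comment explains when to opt out of full signing but not what the build output loses by doing so. With public signing the assembly carries the public key but no strong-name signature, so anything downstream that verifies that signature behaves differently. One sentence to that effect in the comment lets a consumer make the choice deliberately rather than only as a workaround for the SHA1 failure.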
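Review bot: In PATCH 1/2, hunk @@ -63,7 +69,7 @@, the removed and added lines both carry the value false, so the entire behaviour change lives in the condition on that element, and the commit subject calls it "Allow PublicSign=true" while the comment in the same file tells consumers to set FullAssemblySigningSupported to "false". Please make the commit message and the comment name the same switch, and say in the comment whether setting PublicSign=true directly is honoured for a key id that has full keys (the cc7b13ffcd2ddd51 block in the context lines) or whether FullAssemblySigningSupported is the only supported way in.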
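Review bot: In PATCH 2/2, hunk @@ -8,7 +8,7 @@, the corrected sentence still describes the failure only as "the runtime throwing an exception" in "some Linux distributions". The commit message of PATCH 1/2 already names both the exception (Interop+Crypto+OpenSslCryptographicException) and an affected distribution (RHEL 9); putting those two strings in the comment would let someone searching a failed build log land on this property. Since this change only fixes a typo introduced by 1/2, it could also be squashed into that patch before merge.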