dotnet · hoyosjs · Nov 5, 2025 · Nov 5, 2025
diff --git a/src/Microsoft.DotNet.SignTool/src/Configuration.cs b/src/Microsoft.DotNet.SignTool/src/Configuration.cs
@@ -830,11 +830,12 @@ private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData,
 
                         // if we already encountered file that has the same content we can reuse its signed version when repackaging the container.
                         var fileName = Path.GetFileName(entry.RelativePath);
+                        string entryPerms = entry.UnixFileMode.HasValue ? Convert.ToString((uint)entry.UnixFileMode.Value, 8) : "default perms";
                         if (!_filesByContentKey.TryGetValue(fileUniqueKey, out var fileSignInfo))
                         {
                             string extractPathRoot = _useHashInExtractionPath ? fileUniqueKey.StringHash : _filesByContentKey.Count().ToString();
                             string tempPath = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, entry.RelativePath);
-                            _log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'.");
+                            _log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'. (Caching with perms: {entryPerms})");
 
                             Directory.CreateDirectory(Path.GetDirectoryName(tempPath));
 
@@ -845,6 +846,10 @@ private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData,
                             PathWithHash nestedFile = new PathWithHash(tempPath, entry.ContentHash);
                             fileSignInfo = TrackFile(nestedFile, zipFileSignInfo.File, collisionPriorityId);
                         }
+                        else
+                        {
+                            _log.LogMessage($"Reusing previously extracted file '{fileName}' for '{archivePath}'. (Archival perms: {entryPerms})");
+                        }
 
                         if (fileSignInfo.ShouldTrack)
                         {

diff --git a/src/Microsoft.DotNet.SignTool/src/ZipData.cs b/src/Microsoft.DotNet.SignTool/src/ZipData.cs
@@ -376,6 +376,15 @@ private static IEnumerable<ZipDataEntry> ReadPkgOrAppBundleEntries(
 
         private void RepackPkgOrAppBundles(TaskLoggingHelper log, string tempDir, string dotNetPathTooling, string pkgToolPath)
         {
+#if NET472
+            throw new NotImplementedException("PKG manipulation is not supported on .NET Framework");
+#else
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                log.LogError("Pkg/AppBundle repackaging is not supported on Windows.");
+                return;
+            }
+
             string extractDir = Path.Combine(tempDir, Guid.NewGuid().ToString());
             try
             {
@@ -395,8 +404,12 @@ private void RepackPkgOrAppBundles(TaskLoggingHelper log, string tempDir, string
                         continue;
                     }
 
-                    log.LogMessage(MessageImportance.Low, $"Copying signed stream from {signedPart.Value.FileSignInfo.FullPath} to {FileSignInfo.FullPath} -> {relativePath}.");
+                    // Preserve the original file mode from the PKG/App. The sign cache might bring if from an entry in an archive with different perms.
+                    UnixFileMode extractedFileMode = File.GetUnixFileMode(path);
+
+                    log.LogMessage(MessageImportance.Low, $"Copying signed stream from {signedPart.Value.FileSignInfo.FullPath} to {FileSignInfo.FullPath} -> {relativePath} (perms: {Convert.ToString((uint)extractedFileMode, 8)}).");
                     File.Copy(signedPart.Value.FileSignInfo.FullPath, path, overwrite: true);
+                    File.SetUnixFileMode(path, extractedFileMode);
                 }
 
                 if (!RunPkgProcess(srcPath: extractDir, dstPath: FileSignInfo.FullPath, "pack", dotNetPathTooling, pkgToolPath))
@@ -411,6 +424,7 @@ private void RepackPkgOrAppBundles(TaskLoggingHelper log, string tempDir, string
                     Directory.Delete(extractDir, recursive: true);
                 }
             }
+#endif
         }
 
 #if NETFRAMEWORK
@@ -515,8 +529,7 @@ private void RepackTarGZip(TaskLoggingHelper log, string tempDir, string dotNetP
                             entry.DataStream = signedStream;
                             entry.DataStream.Position = 0;
                             writer.WriteEntry(entry);
-
-                            log.LogMessage(MessageImportance.Low, $"Copying signed stream from {signedPart.Value.FileSignInfo.FullPath} to {FileSignInfo.FullPath} -> {relativeName}.");
+                            log.LogMessage(MessageImportance.Low, $"Copying signed stream from {signedPart.Value.FileSignInfo.FullPath} to {FileSignInfo.FullPath} -> {relativeName} (perms: {Convert.ToString((uint)entry.Mode, 8)}).");
                             continue;
                         }