From b586f71d38aa8710c1b782c4db96326d7f4494fe Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 08:18:22 -0700
Subject: [PATCH 01/29] Windows: Add step to verify signature

---
 .vsts-ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 816e45b0..86c03527 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -107,6 +107,10 @@ extends:
                 $(_BuildArgs)
                 /p:RID=$(_RID)
               displayName: Build and Publish
+            - script: |
+                # Verify the signature of the MSI
+                signtool verify /pa /v artifacts/packages/$(_BuildConfig)/Shipping/dotnet-core-uninstall-$(_RID).msi
+              name: Verify Signature
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
@@ -141,6 +145,9 @@ extends:
                 --prepareMachine
                 -p:RID=$(_RID) -p:DotNetSignType=real -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)
               displayName: Build
+            - script: |
+                codesign -dv --verbose=4 artifacts/layout/dotnet-core-uninstall/dotnet-core-uninstall
+              name: Verify Signature
             - task: ArchiveFiles@2
               condition: eq(variables['system.pullrequest.isfork'], false)
               inputs:

From e55a773de62e4698f05817333389968d4d184120 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 08:21:37 -0700
Subject: [PATCH 02/29] DotNetCertificateName

---
 eng/Signing.props | 1 +
 1 file changed, 1 insertion(+)

diff --git a/eng/Signing.props b/eng/Signing.props
index e87a7c0c..5e9d81e7 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -1,5 +1,6 @@
 <Project>
   <PropertyGroup>
+    <DotNetCertificateName>MicrosoftDotNet500</DotNetCertificateName>
     <UseDotNetCertificate>true</UseDotNetCertificate>
   </PropertyGroup>
 

From bacef55bbbf3f173255aae31c4c7a5e3992c36ee Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 08:49:53 -0700
Subject: [PATCH 03/29] CI: Remove unnecessary checkout step

---
 .vsts-ci.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 86c03527..5f2905a5 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -99,8 +99,6 @@ extends:
               - name: _OfficialBuildArgs
                 value: ''
             steps:
-            - checkout: self
-              clean: true
             - script: eng\common\cibuild.cmd
                 -configuration $(_BuildConfig)
                 -prepareMachine
@@ -110,7 +108,8 @@ extends:
             - script: |
                 # Verify the signature of the MSI
                 signtool verify /pa /v artifacts/packages/$(_BuildConfig)/Shipping/dotnet-core-uninstall-$(_RID).msi
-              name: Verify Signature
+              name: VerifySignature
+              displayName: Verify Signature
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
@@ -137,8 +136,6 @@ extends:
                 X64:
                   _RID: osx-x64
             steps:
-            - checkout: self
-              clean: true
             - script: eng/common/cibuild.sh
                 --sign
                 --configuration Release
@@ -147,7 +144,8 @@ extends:
               displayName: Build
             - script: |
                 codesign -dv --verbose=4 artifacts/layout/dotnet-core-uninstall/dotnet-core-uninstall
-              name: Verify Signature
+              name: VerifySignature
+              displayName: Verify Signature
             - task: ArchiveFiles@2
               condition: eq(variables['system.pullrequest.isfork'], false)
               inputs:

From f9558509daf53334d0bae5e1f99132f269b12bb1 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 09:08:31 -0700
Subject: [PATCH 04/29] Windows: Update verify tool

---
 .vsts-ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 5f2905a5..a858ad17 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -106,8 +106,7 @@ extends:
                 /p:RID=$(_RID)
               displayName: Build and Publish
             - script: |
-                # Verify the signature of the MSI
-                signtool verify /pa /v artifacts/packages/$(_BuildConfig)/Shipping/dotnet-core-uninstall-$(_RID).msi
+                certutil -verify -urlfetch artifacts/packages/$(_BuildConfig)/Shipping/dotnet-core-uninstall.msi
               name: VerifySignature
               displayName: Verify Signature
             - task: CopyFiles@2

From c556640f2f847332231803a28e842b251addedc4 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 09:18:37 -0700
Subject: [PATCH 05/29] Mac: Add missing variables

---
 .vsts-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index a858ad17..55f0d2a1 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -134,6 +134,9 @@ extends:
                   _RID: osx-arm64
                 X64:
                   _RID: osx-x64
+            variables:
+            - name: _BuildConfig
+              value: Release
             steps:
             - script: eng/common/cibuild.sh
                 --sign

From 1bce5d53e82b0d764a1c3afafbd8934a1c7c6aa6 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 09:30:11 -0700
Subject: [PATCH 06/29] Windows: Verify cert

---
 .vsts-ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 55f0d2a1..c7c692d3 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -106,7 +106,9 @@ extends:
                 /p:RID=$(_RID)
               displayName: Build and Publish
             - script: |
-                certutil -verify -urlfetch artifacts/packages/$(_BuildConfig)/Shipping/dotnet-core-uninstall.msi
+                - script: |
+                  $msiFile = Get-ChildItem -Path "artifacts/packages/$(_BuildConfig)/Shipping" -Filter "*.msi" | Select-Object -First 1
+                  certutil -verify -urlfetch $msiFile.FullName
               name: VerifySignature
               displayName: Verify Signature
             - task: CopyFiles@2

From 04816fd6aaaa72a77a03b8f0497bb4e8f51c18e5 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 09:49:32 -0700
Subject: [PATCH 07/29] Windows: Fix script syntax

---
 .vsts-ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index c7c692d3..34fc1d30 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -106,9 +106,8 @@ extends:
                 /p:RID=$(_RID)
               displayName: Build and Publish
             - script: |
-                - script: |
-                  $msiFile = Get-ChildItem -Path "artifacts/packages/$(_BuildConfig)/Shipping" -Filter "*.msi" | Select-Object -First 1
-                  certutil -verify -urlfetch $msiFile.FullName
+                $msiFile = Get-ChildItem -Path "artifacts/packages/$(_BuildConfig)/Shipping" -Filter "*.msi" | Select-Object -First 1
+                certutil -verify -urlfetch $msiFile.FullName
               name: VerifySignature
               displayName: Verify Signature
             - task: CopyFiles@2

From 6c935ec63c41bbef2a8b03d8e6872d84cbeab782 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 09:51:37 -0700
Subject: [PATCH 08/29] Mac: Add targets for signing in correct order

---
 .../targets/MacEntitlements/AddMacEntitlements.targets     | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/redist/targets/MacEntitlements/AddMacEntitlements.targets b/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
index cbab9a62..4b464fcf 100644
--- a/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
+++ b/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
@@ -1,7 +1,12 @@
 <Project>
     <!-- Entitlements are needed but not automatically added for macOS. See https://github.com/dotnet/runtime/issues/113707 -->
     <!-- This generates an ad-hoc signature that will later be resigned, but keeps the entitlements. -->
-    <Target Name="AddMacEntitlements" AfterTargets="GenerateLayout">
+    <ItemGroup>
+        <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="$(MicrosoftVisualStudioEngMicroBuildCoreVersion)" />
+    </ItemGroup>
+    <Target Name="AddMacEntitlements" 
+        BeforeTargets="SignFiles" 
+        AfterTargets="AfterBuild">
         <Exec Command="codesign -s - -f --entitlements $(MSBuildThisFileDirectory)entitlements.plist $(ArtifactsDir)layout/dotnet-core-uninstall/dotnet-core-uninstall" />
     </Target>
 </Project>
\ No newline at end of file

From 946298c9215d8c7975f9c77bab65cf4218122f01 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 10:14:18 -0700
Subject: [PATCH 09/29] Windows: Use MicroBuildCodesignVerify

---
 .vsts-ci.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 34fc1d30..4ec40485 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -105,11 +105,9 @@ extends:
                 $(_BuildArgs)
                 /p:RID=$(_RID)
               displayName: Build and Publish
-            - script: |
-                $msiFile = Get-ChildItem -Path "artifacts/packages/$(_BuildConfig)/Shipping" -Filter "*.msi" | Select-Object -First 1
-                certutil -verify -urlfetch $msiFile.FullName
-              name: VerifySignature
-              displayName: Verify Signature
+            - task: MicroBuildCodesignVerify@3
+              inputs:
+                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping/'
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:

From 97d39bc36f551595029bbd844d052afba2dec206 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 10:30:01 -0700
Subject: [PATCH 10/29] Windows: MicroBuildCodesignVerify glob file names

---
 .vsts-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 4ec40485..f0003b2e 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -107,7 +107,7 @@ extends:
               displayName: Build and Publish
             - task: MicroBuildCodesignVerify@3
               inputs:
-                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping/'
+                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping/*.msi'
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:

From 0ec94bc900c5fe37128ca9ce18f9181ce8100aef Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 11:05:03 -0700
Subject: [PATCH 11/29] Windows: MicroBuildCodesignVerify

---
 .vsts-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index f0003b2e..59078c54 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -107,7 +107,7 @@ extends:
               displayName: Build and Publish
             - task: MicroBuildCodesignVerify@3
               inputs:
-                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping/*.msi'
+                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping'
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:

From 53391729d20cc28c03ffc108e77464d154f91090 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 11:28:00 -0700
Subject: [PATCH 12/29] Windows: Move MicroBuildCodesignVerify@3

---
 .vsts-ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 59078c54..2c23e53c 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -105,15 +105,15 @@ extends:
                 $(_BuildArgs)
                 /p:RID=$(_RID)
               displayName: Build and Publish
-            - task: MicroBuildCodesignVerify@3
-              inputs:
-                TargetFolders: 'artifacts/packages/$(_BuildConfig)/Shipping'
             - task: CopyFiles@2
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
                 sourceFolder: 'artifacts/packages/$(_BuildConfig)/Shipping/'
                 contents: '*.msi'
                 targetFolder: '$(Build.ArtifactStagingDirectory)'
+            - task: MicroBuildCodesignVerify@3
+              inputs:
+                TargetFolders: '$(Build.ArtifactStagingDirectory)'
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:

From 75b75c7e5b4e8630d04b1f1661cb3b65cd6adb97 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 13:19:11 -0700
Subject: [PATCH 13/29] Update artifactsstagingdirectory

---
 .vsts-ci.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 2c23e53c..12a392f7 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -110,14 +110,15 @@ extends:
               inputs:
                 sourceFolder: 'artifacts/packages/$(_BuildConfig)/Shipping/'
                 contents: '*.msi'
-                targetFolder: '$(Build.ArtifactStagingDirectory)'
+                targetFolder: '$(Build.ArtifactStagingDirectory)\artifacts'
             - task: MicroBuildCodesignVerify@3
               inputs:
-                TargetFolders: '$(Build.ArtifactStagingDirectory)'
+                TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts'
+                ExcludeFolders: '.git MicroBuild'
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
-                PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+                PathtoPublish: '$(Build.ArtifactStagingDirectory)\artifacts'
                 ArtifactName: 'drop-windows'
                 publishLocation: 'Container'
                 parallel: true
@@ -154,12 +155,12 @@ extends:
                 includeRootFolder: false
                 archiveType: 'tar'
                 tarCompression: 'gz'
-                archiveFile: '$(Build.ArtifactStagingDirectory)/dotnet-core-uninstall.tar.gz'
+                archiveFile: '$(Build.ArtifactStagingDirectory)/artifacts/dotnet-core-uninstall.tar.gz'
                 replaceExistingArchive: true
             - task: 1ES.PublishBuildArtifacts@1
               condition: eq(variables['system.pullrequest.isfork'], false)
               inputs:
-                PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+                PathtoPublish: '$(Build.ArtifactStagingDirectory)/artifacts'
                 ArtifactName: 'drop-$(_RID)'
                 publishLocation: 'Container'
                 parallel: true
\ No newline at end of file

From 9eccc844a138fcd12042daa415cfe0b06d3345f5 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 13:35:33 -0700
Subject: [PATCH 14/29] Windows: MicroBuildCodesignVerify ExcludeSNVerify

---
 .vsts-ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 12a392f7..0bcffabc 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -115,6 +115,7 @@ extends:
               inputs:
                 TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts'
                 ExcludeFolders: '.git MicroBuild'
+                ExcludeSNVerify: true
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
@@ -139,7 +140,7 @@ extends:
               value: Release
             steps:
             - script: eng/common/cibuild.sh
-                --sign
+                -sign
                 --configuration Release
                 --prepareMachine
                 -p:RID=$(_RID) -p:DotNetSignType=real -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)

From 163f336ec8a98c75656a2bf414df71a58f27466b Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 13:56:59 -0700
Subject: [PATCH 15/29] Also sign .cab files

---
 .vsts-ci.yml      | 2 +-
 eng/Signing.props | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 0bcffabc..e518ac99 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -114,7 +114,7 @@ extends:
             - task: MicroBuildCodesignVerify@3
               inputs:
                 TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts'
-                ExcludeFolders: '.git MicroBuild'
+                ExcludeFolders: '.git MicroBuild .cab'
                 ExcludeSNVerify: true
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
diff --git a/eng/Signing.props b/eng/Signing.props
index 5e9d81e7..30afd696 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -5,7 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup Condition="'$(RID)' == 'win-x86'">
-    <FileExtensionSignInfo Include=".wixpdb" CertificateName="MicrosoftDotNet500" />
+    <FileExtensionSignInfo Include=".wixpdb;.cab" CertificateName="MicrosoftDotNet500" />
     <ItemsToSign Include="$(ArtifactsShippingPackagesDir)**\*.wixpack.zip;
       $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi;" />
   </ItemGroup>

From 67397d1eeda2aace7ab8cdfa4037512ce17300d2 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 14:02:45 -0700
Subject: [PATCH 16/29] Mac: AddMacEntitlements after GenerateLayout

---
 eng/Signing.props                                             | 3 ++-
 src/redist/targets/MacEntitlements/AddMacEntitlements.targets | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/eng/Signing.props b/eng/Signing.props
index 30afd696..147df0e2 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -6,8 +6,9 @@
 
   <ItemGroup Condition="'$(RID)' == 'win-x86'">
     <FileExtensionSignInfo Include=".wixpdb;.cab" CertificateName="MicrosoftDotNet500" />
+    <FileSignInfo Include="cab1.cab" CertificateName="MicrosoftDotNet500" />
     <ItemsToSign Include="$(ArtifactsShippingPackagesDir)**\*.wixpack.zip;
-      $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi;" />
+      $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'">
diff --git a/src/redist/targets/MacEntitlements/AddMacEntitlements.targets b/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
index 4b464fcf..c32f2895 100644
--- a/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
+++ b/src/redist/targets/MacEntitlements/AddMacEntitlements.targets
@@ -6,7 +6,7 @@
     </ItemGroup>
     <Target Name="AddMacEntitlements" 
         BeforeTargets="SignFiles" 
-        AfterTargets="AfterBuild">
+        AfterTargets="GenerateLayout">
         <Exec Command="codesign -s - -f --entitlements $(MSBuildThisFileDirectory)entitlements.plist $(ArtifactsDir)layout/dotnet-core-uninstall/dotnet-core-uninstall" />
     </Target>
 </Project>
\ No newline at end of file

From b34234f4e5127d81c747815817f644211f02e4c9 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 14:38:45 -0700
Subject: [PATCH 17/29] Add SignVerifyIgnore.txt

---
 .vsts-ci.yml             | 2 +-
 eng/SignVerifyIgnore.txt | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 eng/SignVerifyIgnore.txt

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index e518ac99..705209f5 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -114,8 +114,8 @@ extends:
             - task: MicroBuildCodesignVerify@3
               inputs:
                 TargetFolders: '$(Build.ArtifactStagingDirectory)\artifacts'
-                ExcludeFolders: '.git MicroBuild .cab'
                 ExcludeSNVerify: true
+                ApprovalListPathForCerts: eng\SignVerifyIgnore.txt
             - task: 1ES.PublishBuildArtifacts@1
               condition: and(eq(variables['system.pullrequest.isfork'], false), eq(variables['_BuildConfig'], 'Release'))
               inputs:
diff --git a/eng/SignVerifyIgnore.txt b/eng/SignVerifyIgnore.txt
new file mode 100644
index 00000000..884c0d21
--- /dev/null
+++ b/eng/SignVerifyIgnore.txt
@@ -0,0 +1,2 @@
+**\*.xml,ignore unsigned .xml
+**\cab*.cab.cab,ignore unsigned .cab
\ No newline at end of file

From 3575f9aa9bdbf09bb367b1d59dad467c2bda851f Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 14:43:23 -0700
Subject: [PATCH 18/29] Nvmd do not sign .cab files

---
 eng/Signing.props | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/eng/Signing.props b/eng/Signing.props
index 147df0e2..c4ebecd0 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -5,8 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup Condition="'$(RID)' == 'win-x86'">
-    <FileExtensionSignInfo Include=".wixpdb;.cab" CertificateName="MicrosoftDotNet500" />
-    <FileSignInfo Include="cab1.cab" CertificateName="MicrosoftDotNet500" />
+    <FileExtensionSignInfo Include=".wixpdb" CertificateName="MicrosoftDotNet500" />
     <ItemsToSign Include="$(ArtifactsShippingPackagesDir)**\*.wixpack.zip;
       $(ArtifactsDir)packages\**\dotnet-core-uninstall*.msi" />
   </ItemGroup>

From 9590912e949d3a40dacbcadc42ff67ea791b9539 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 15:12:51 -0700
Subject: [PATCH 19/29] Mac: Temp disable entitlements

---
 src/redist/redist.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/redist/redist.csproj b/src/redist/redist.csproj
index 759ab143..5fbf5338 100644
--- a/src/redist/redist.csproj
+++ b/src/redist/redist.csproj
@@ -21,6 +21,6 @@
   <Target Condition="'$(RID)' == 'win-x86'" Name="GenerateMSIs" AfterTargets="Build" DependsOnTargets="GenerateLayout;GenerateDotnetCoreUninstallMsi" />
 
   <!-- Entitlements are needed but not automatically added for macOS. See https://github.com/dotnet/runtime/issues/113707 -->
-  <Import Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'" Project="targets\MacEntitlements\AddMacEntitlements.targets" />
+  <!-- <Import Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'" Project="targets\MacEntitlements\AddMacEntitlements.targets" /> -->
   
 </Project>
\ No newline at end of file

From f0715de0c3ad64182bcd9c71d15edd60b5d0a860 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 15:21:42 -0700
Subject: [PATCH 20/29] Mac Expand certificates

---
 eng/Signing.props | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/eng/Signing.props b/eng/Signing.props
index c4ebecd0..79d4df6d 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -11,8 +11,19 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'">
-    <FileSignInfo Include="dotnet-core-uninstall" CertificateName="MacDeveloperHarden" />
-    <FileSignInfo Include="dotnet-core-uninstall.pdb" CertificateName="MacDeveloperHarden" />
+    <!--
+      This is intended to hold information about the certificates used for signing.
+    -->
+    <CertificatesSignInfo Include="3PartyDual" DualSigningAllowed="true" />
+    <CertificatesSignInfo Include="3PartySHA2" DualSigningAllowed="true" />
+    <!-- This signing information indicates certificates that represent a sign and notarize operation. -->
+    <CertificatesSignInfo Include="MacDeveloperHardenWithNotarization" MacCertificate="MacDeveloperHarden" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperWithNotarization" MacCertificate="MacDeveloper" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperVNextWithNotarization" MacCertificate="MacDeveloperVNext" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperVNextHardenWithNotarization" MacCertificate="MacDeveloperVNextHarden" MacNotarizationAppName="dotnet" />
+
+    <FileSignInfo Include="dotnet-core-uninstall" CertificateName="MacDeveloperHardenWithNotarization" />
+    <FileSignInfo Include="dotnet-core-uninstall.pdb" CertificateName="MacDeveloperHardenWithNotarization" />
     <ItemsToSign Include="$(ArtifactsDir)layout/dotnet-core-uninstall/*" />
   </ItemGroup>
 </Project>

From 00d51439e0acfc6fffe39310ebda7f78c2acf425 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 15:36:21 -0700
Subject: [PATCH 21/29] Remove windows-specific package

---
 src/redist/redist.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/redist/redist.csproj b/src/redist/redist.csproj
index 5fbf5338..f85a8f63 100644
--- a/src/redist/redist.csproj
+++ b/src/redist/redist.csproj
@@ -9,7 +9,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\dotnet-core-uninstall\dotnet-core-uninstall.csproj" />
-    <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="10.0.0-beta.25124.4" Condition="'$(RID)' == 'win-x86'"/>
+    <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="10.0.0-beta.25124.4" />
   </ItemGroup>
 
   <Import Condition="'$(RID)' == 'win-x86'" Project="targets\Versions.targets" />

From bfd04504b6b206d5756987150a073660a0d5dc99 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 15:48:06 -0700
Subject: [PATCH 22/29] Mac: Add job parameters

---
 .vsts-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 705209f5..56b7e94f 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -138,6 +138,9 @@ extends:
             variables:
             - name: _BuildConfig
               value: Release
+            parameters:
+              enableMicrobuild: true
+              enableMicrobuildForMacAndLinux: true
             steps:
             - script: eng/common/cibuild.sh
                 -sign

From 6cc3d2cb57f6f04d0048055fbc1c28bb44d5cd6c Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 15:58:02 -0700
Subject: [PATCH 23/29] Remove parent pool

---
 .vsts-ci.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 56b7e94f..f68bcf1d 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -32,10 +32,6 @@ extends:
         enabled: true
       binskim:
         analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
-    pool:
-      name: $(DncEngInternalBuildPool)
-      image: 1es-windows-2022
-      os: windows
     customBuildTags:
     - ES365AIMigrationTooling
     stages:

From 017d8455c78c30c682b317729c65af2b7ce71bf7 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:06:37 -0700
Subject: [PATCH 24/29] Mac: Add _SignType

---
 .vsts-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index f68bcf1d..31a838d5 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -134,6 +134,8 @@ extends:
             variables:
             - name: _BuildConfig
               value: Release
+            - name: _SignType
+              value: real
             parameters:
               enableMicrobuild: true
               enableMicrobuildForMacAndLinux: true

From 70b35abfcc489c3dd892ddd8f73d3e87a6f4b3f2 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:08:13 -0700
Subject: [PATCH 25/29] Mac: Restore signing

---
 .vsts-ci.yml             | 7 ++-----
 src/redist/redist.csproj | 2 +-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index 31a838d5..d1a67ca6 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -136,15 +136,12 @@ extends:
               value: Release
             - name: _SignType
               value: real
-            parameters:
-              enableMicrobuild: true
-              enableMicrobuildForMacAndLinux: true
             steps:
             - script: eng/common/cibuild.sh
                 -sign
-                --configuration Release
+                --configuration $(_BuildConfig)
                 --prepareMachine
-                -p:RID=$(_RID) -p:DotNetSignType=real -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)
+                -p:RID=$(_RID) -p:DotNetSignType=$(_SignType) -p:TeamName=$(TeamName) -p:OfficialBuildId=$(Build.BuildNumber)
               displayName: Build
             - script: |
                 codesign -dv --verbose=4 artifacts/layout/dotnet-core-uninstall/dotnet-core-uninstall
diff --git a/src/redist/redist.csproj b/src/redist/redist.csproj
index f85a8f63..7eec5dc5 100644
--- a/src/redist/redist.csproj
+++ b/src/redist/redist.csproj
@@ -21,6 +21,6 @@
   <Target Condition="'$(RID)' == 'win-x86'" Name="GenerateMSIs" AfterTargets="Build" DependsOnTargets="GenerateLayout;GenerateDotnetCoreUninstallMsi" />
 
   <!-- Entitlements are needed but not automatically added for macOS. See https://github.com/dotnet/runtime/issues/113707 -->
-  <!-- <Import Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'" Project="targets\MacEntitlements\AddMacEntitlements.targets" /> -->
+  <Import Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'" Project="targets\MacEntitlements\AddMacEntitlements.targets" />
   
 </Project>
\ No newline at end of file

From 8be0823f19dffe9e61f9a0433f4e6876fe9719b8 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:09:18 -0700
Subject: [PATCH 26/29] Add windows pool back

---
 .vsts-ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index d1a67ca6..cfe9cbd3 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -32,11 +32,17 @@ extends:
         enabled: true
       binskim:
         analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
+    pool:
+      pool:
+      name: $(DncEngInternalBuildPool)
+      image: 1es-windows-2022
+      os: windows
     customBuildTags:
     - ES365AIMigrationTooling
     stages:
     - stage: build
       displayName: Build
+
       jobs:
       - template: /eng/common/templates-official/jobs/jobs.yml@self
         parameters:

From a2dc6fc33a16e75e760d1a0c7907d74145ed635e Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:24:25 -0700
Subject: [PATCH 27/29] Mac: MacDeveloperHarden

---
 eng/Signing.props | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/eng/Signing.props b/eng/Signing.props
index 79d4df6d..c4ebecd0 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -11,19 +11,8 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(RID)' == 'osx-x64' OR '$(RID)' == 'osx-arm64'">
-    <!--
-      This is intended to hold information about the certificates used for signing.
-    -->
-    <CertificatesSignInfo Include="3PartyDual" DualSigningAllowed="true" />
-    <CertificatesSignInfo Include="3PartySHA2" DualSigningAllowed="true" />
-    <!-- This signing information indicates certificates that represent a sign and notarize operation. -->
-    <CertificatesSignInfo Include="MacDeveloperHardenWithNotarization" MacCertificate="MacDeveloperHarden" MacNotarizationAppName="dotnet" />
-    <CertificatesSignInfo Include="MacDeveloperWithNotarization" MacCertificate="MacDeveloper" MacNotarizationAppName="dotnet" />
-    <CertificatesSignInfo Include="MacDeveloperVNextWithNotarization" MacCertificate="MacDeveloperVNext" MacNotarizationAppName="dotnet" />
-    <CertificatesSignInfo Include="MacDeveloperVNextHardenWithNotarization" MacCertificate="MacDeveloperVNextHarden" MacNotarizationAppName="dotnet" />
-
-    <FileSignInfo Include="dotnet-core-uninstall" CertificateName="MacDeveloperHardenWithNotarization" />
-    <FileSignInfo Include="dotnet-core-uninstall.pdb" CertificateName="MacDeveloperHardenWithNotarization" />
+    <FileSignInfo Include="dotnet-core-uninstall" CertificateName="MacDeveloperHarden" />
+    <FileSignInfo Include="dotnet-core-uninstall.pdb" CertificateName="MacDeveloperHarden" />
     <ItemsToSign Include="$(ArtifactsDir)layout/dotnet-core-uninstall/*" />
   </ItemGroup>
 </Project>

From f4d08c3fc319677540edde1e92ed6def85a48787 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:37:09 -0700
Subject: [PATCH 28/29] Remove duplicate pool var

---
 .vsts-ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.vsts-ci.yml b/.vsts-ci.yml
index cfe9cbd3..2e615810 100644
--- a/.vsts-ci.yml
+++ b/.vsts-ci.yml
@@ -33,7 +33,6 @@ extends:
       binskim:
         analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
     pool:
-      pool:
       name: $(DncEngInternalBuildPool)
       image: 1es-windows-2022
       os: windows

From 04dbba6d3df874cac0ec96ca30b2d869ad414f07 Mon Sep 17 00:00:00 2001
From: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date: Mon, 31 Mar 2025 16:47:21 -0700
Subject: [PATCH 29/29] Restore redist.csproj

---
 src/redist/redist.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/redist/redist.csproj b/src/redist/redist.csproj
index 7eec5dc5..759ab143 100644
--- a/src/redist/redist.csproj
+++ b/src/redist/redist.csproj
@@ -9,7 +9,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\dotnet-core-uninstall\dotnet-core-uninstall.csproj" />
-    <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="10.0.0-beta.25124.4" />
+    <PackageReference Include="Microsoft.DotNet.Build.Tasks.Installers" Version="10.0.0-beta.25124.4" Condition="'$(RID)' == 'win-x86'"/>
   </ItemGroup>
 
   <Import Condition="'$(RID)' == 'win-x86'" Project="targets\Versions.targets" />