In PR validation, test sign contents of nupkg, but not the nupkg itself (#79643)

dibarbet · web-flow · commit 160f2682042c · 2025-08-01T14:12:41.000-07:00
This allows us to support test signing in PR validation builds. VS cloudbuild will not build with test signed packages (nuget reports certificate errors related to expiration), and we have no way in an insertion to specify that the PR should be queued with specific parameters to disable the errors. Instead, we can simply not sign the nuget packages (while still signing the contents to make sure subsequent steps like ngen see strong named dlls). val build - https://dev.azure.com/devdiv/DevDiv/_git/VS/pullrequest/657144
diff --git a/eng/Signing.props b/eng/Signing.props
@@ -61,4 +61,13 @@
     <FileSignInfo Include="Microsoft.VisualStudio.Threading.dll" CertificateName="MicrosoftSHA2" />
     <FileSignInfo Include="StreamJsonRpc.dll" CertificateName="MicrosoftSHA2" />
   </ItemGroup>
+
+  <!--
+    VS cloudbuild fails to restore when using test signed nuget packages due to certificate errors.
+    To avoid this issue, we sign the package contents, but skip signing the actual package file.
+  -->
+  <ItemGroup Condition="'$(PreReleaseVersionLabel)' == 'pr-validation' And '$(DotNetSignType)' == 'test'">
+    <FileExtensionSignInfo Update=".nupkg" CertificateName="None" />
+  </ItemGroup>
+
 </Project>
