CopyLocalLockFileAssemblies produces broken deps.json file if PrivateAssets is set to compile

[handerss-spotfire]

Setting CopyLocalLockFileAssemblies causes runtime exceptions for projects where PrivateAssets is set to compile. This is because the resulting .deps.json file will contain a ".Reference" entry which does not contain the necessary runtime dll.

Example

This project uses a facade library which is meant to wrap some API (in this case System.Security.Cryptography.ProtectedData). To protect consuming projects from the wrapped library the package reference has its private assets set to compile.
This works well unless the Facade library adds the CopyLocalLockFileAssemblies and sets it true.
This addition causes the consuming program's .deps.json to get a reference entry added, in this case it's System.Security.Cryptography.ProtectedData.Reference/5.0.0.0, which in turn results in the program crashing with a runtime error.

The example program below can be run with dotnet run --project ./Transitive/Transitive.csproj and results in the following output:

Unhandled exception. System.PlatformNotSupportedException: Windows Data Protection API (DPAPI) is not supported on this platform.
   at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Facade.Facade.Protect(Byte[] input) in C:\tibco\Source\transitive\Facade\Facade.cs:line 8
   at Program.<Main>$(String[] args) in C:\tibco\Source\transitive\Transitive\Program.cs:line 4

Facade/Facade.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="5.0.0" PrivateAssets="compile" />
  </ItemGroup>
</Project>

Facade/Facade.cs

using System;
using System.Security.Cryptography;

namespace Facade
{
    public static class Facade
    {
        public static byte[] Protect(byte[] input) => ProtectedData.Protect(input, null, DataProtectionScope.CurrentUser);
    }
}

Transitive/Transitive.csproj

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <ProjectReference Include="..\Facade\Facade.csproj" />
  </ItemGroup>
</Project>

Transitive/Program.cs

using System;
using Facade;

var foo = Facade.Facade.Protect(Array.Empty<byte>());

[handerss-spotfire]

The solution of setting PrivateAssets to compile to protect against transitive dependencies is suggested by @nkolev92 here: #11803 (comment)

For our use case this works well except for the fact that the resulting deps.json files sometimes contain ".Reference" entries which break at runtime. This issue is one such reproducible case, but unfortunately we get these additions even without CopyLocalLockFileAssemblies. Is there anyway to turn this type of behavior off in general?

Is PrivateAssets=compile + DisableTransitiveProjectReferences the best way to protect against compiling against transitive dependencies.

[sfoslund]

This issue is one such reproducible case, but unfortunately we get these additions even without CopyLocalLockFileAssemblies. Is there anyway to turn this type of behavior off in general?

Not sure, @dsplaisted do you have any guidance here?