Enable Unpacking and Repacking of .pkg files and .app bundles #15206
…-unpack-repack-pkg
Co-authored-by: Ella Hathaway <[email protected]>
Co-authored-by: Ella Hathaway <[email protected]>
…ol-unpack-repack-pkg
<FileExtensionSignInfo Condition="$([MSBuild]::IsOSPlatform('OSX'))" Include=".pkg" CertificateName="None" /> | ||
<!-- .app bundles are technically directories, but the Microsoft.DotNet.MacOsPkg | ||
tool packs these bundles into zips when unpacking .pkgs --> | ||
<FileExtensionSignInfo Condition="$([MSBuild]::IsOSPlatform('OSX'))" Include=".app" CertificateName="None" /> |
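Review bot: the XML comment above the .app item explains why a directory bundle appears as a file extension, but neither item says why CertificateName="None" is used, so a reader cannot tell whether these entries are meant to sign anything or only to route .pkg and .app files through unpack and repack. A one-line comment stating that intent would help. Also, with Condition="$([MSBuild]::IsOSPlatform('OSX'))" on both items, a build on another OS gets no entry for these extensions at all; if that is intended, say so here so the missing entry is not mistaken for an omission.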
I would leave out the platform checks. This leaves the possibility someone assumes MacOS .pkgs will get signed properly on Windows, but instead they get ignored. Instead, the pack/unpack process should error out (which it will, since the tool won't work). Then we rely on teams not specifying that .pkgs should be signed on non-Mac platforms.
}); | ||
|
||
// OSX files need to be zipped first before being signed | ||
// This is why the .pkgs and .apps are listed as .zip files below |
Comment currently out of date?
Looks like it, yes. This comment applies to the changes in ellahathaway@cd090b8
// unpacking, repacking, and notarization can only happen on a Mac. | ||
internal static bool IsPkg(string path) | ||
=> Path.GetExtension(path).Equals(".pkg", StringComparison.OrdinalIgnoreCase) | ||
&& RuntimeInformation.IsOSPlatform(OSPlatform.OSX); |
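Review bot: the && RuntimeInformation.IsOSPlatform(OSPlatform.OSX) clause in IsPkg makes a .pkg path return false on any other OS, so a caller that branches on IsPkg cannot tell "not a package" from "package on an unsupported host" and gets no diagnostic in the second case. Consider keeping IsPkg as a pure extension check and raising an error where unpacking is attempted off macOS, so a signing run cannot finish while a package was quietly treated as an ordinary file. Separately, Path.GetExtension(path) returns null for a null path, so the chained .Equals call would throw; a guard or a static string.Equals call avoids that.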
I would leave out these platform checks, and instead let the pack/unpack fail on non-Mac
<FileExtensionSignInfo Condition="$([MSBuild]::IsOSPlatform('OSX'))" Include=".pkg" CertificateName="None" /> | ||
<!-- .app bundles are technically directories, but the Microsoft.DotNet.MacOsPkg | ||
tool packs these bundles into zips when unpacking .pkgs --> | ||
<FileExtensionSignInfo Condition="$([MSBuild]::IsOSPlatform('OSX'))" Include=".app" CertificateName="None" /> |
I also don't understand the .app file extension sign info. The .app doesn't get signed itself, so I don't think it should have an entry here.
…athaway/arcade into signtool-unpack-repack-pkg
…ation' into add-in-osx-files-signing
Co-authored-by: Jeremy Koritzinsky <[email protected]>
Co-authored-by: Jeremy Koritzinsky <[email protected]>
…ation' into replace-sn-with-custom-implementation
Converting back to a draft and merging in the latest changes for OSX and strong name signing.
Related to #14438
This is the second part of #14438. This PR integrates the pkg tool, introduced in #15205, into SignTool. More specifically, this PR enables the unpacking and repacking of .pkgs and nested .app bundles within SignTool & adds tests & test data for this functionality into SignTool.Tests.
An important change here is that .pkg was removed as a signable extension. This change is needed to avoid errors related to .pkgs being considered "not signed" now that they're included as a FileExtensionSignInfo item. Otherwise, this part of the code is hit, and the signing fails. .pkgs will be added back as a signable extension with #14435.

An alternative choice to above is to still allow the pkg and .apps to be signable files. This choice would involve adjusting this PR to include the signing validation of the pkg and .app as part of this PR.
Leaving as a draft until #15205 is merged.