Skip to content

Add FileExtensionSignInfo for .cab to fix unsigned cab files inside ANCM MSIs#66443

Open
jesuszarate wants to merge 1 commit intodotnet:mainfrom
jesuszarate:dev/jezarat/sign-cab-files
Open

Add FileExtensionSignInfo for .cab to fix unsigned cab files inside ANCM MSIs#66443
jesuszarate wants to merge 1 commit intodotnet:mainfrom
jesuszarate:dev/jezarat/sign-cab-files

Conversation

@jesuszarate
Copy link
Copy Markdown

@jesuszarate jesuszarate commented Apr 23, 2026

\ CertificateName=\Microsoft400\ />
\\

  • Uses \Include\ (not \Update) because .cab\ is not in Arcade's default \Sign.props\
  • \Microsoft400\ is auto-replaced with \MicrosoftDotNet500\ since this repo sets \UseDotNetCertificate=true\

Affected payloads

Payload Arch Type
msancmv2iisexpressmsi* arm64, x64, x86 ANCM v2 IIS Express
msancmv2iismsi* arm64, x64, x86 ANCM v2 IIS
msancmiisexpressmsi* x64, x86 ANCM v1 IIS Express
msancmiismsi* x64, x86 ANCM v1 IIS

Precedent

Same fix pattern applied in other dotnet repos:

Tracking

  • VS signing compliance bug: 2951246

@github-actions github-actions Bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Apr 23, 2026
@dotnet-policy-service dotnet-policy-service Bot added the community-contribution Indicates that the PR has been added by a community member label Apr 23, 2026
@dotnet-policy-service
Copy link
Copy Markdown
Contributor

dotnet-policy-service Bot commented Apr 23, 2026

Thanks for your PR, @jesuszarate. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

This was referenced Apr 23, 2026
Open
Open
Open
This was referenced Apr 27, 2026
Merged
Merged
Merged
Open
Merged
Open
@jesuszarate jesuszarate marked this pull request as ready for review April 27, 2026 16:20
@jesuszarate jesuszarate requested review from a team and wtgodbe as code owners April 27, 2026 16:20
Copilot AI review requested due to automatic review settings April 27, 2026 16:20
Copilot AI reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds signing configuration so .cab cabinet archives produced/embedded by ANCM MSI builds are code-signed, addressing signing compliance failures for unsigned CAB payloads.

Changes:

  • Add a FileExtensionSignInfo entry to sign .cab files using the Microsoft400 certificate.
  • Document the intent in eng/Signing.props near existing signing exclusions.

Comment thread eng/Signing.props Outdated
Comment on lines +35 to +36
<!-- Sign cabinet archives embedded inside MSI installers (ANCM, hosting bundle, etc.) -->
<FileExtensionSignInfo Include=".cab" CertificateName="Microsoft400" />
Copy link

Copilot AI Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new .cab signing rule is inside the ItemGroup labeled "Code sign exclusions", which now mixes exclusions (CertificateName="None") with a positive signing rule. Consider moving the .cab entry to a separate ItemGroup (or updating the label) to keep the intent clear for future edits.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Author

@jesuszarate jesuszarate Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch - moved the .cab entry into its own ItemGroup (Label=Container signing) above the exclusions group. This keeps the intent clear: exclusions are None, container signing rules are separate.

@jesuszarate
Add FileExtensionSignInfo for .cab to sign embedded cab files in MSIs
c22892a 
The Arcade SDK's default Sign.props does not include a FileExtensionSignInfo for
.cab, so SignTool skips signing cabinet archives inside MSI installers. This
causes the VS signing compliance scan to flag 22 unsigned files (12 DLLs + 10
cabs) inside the ANCM MSI payloads.

Adding .cab with Microsoft400 (auto-replaced with MicrosoftDotNet500 since
UseDotNetCertificate=true) unblocks SignTool from entering the cab containers
and signing everything inside.

Fix: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2951246
@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-cab-files branch from e6d8b33 to c22892a Compare April 27, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wtgodbe wtgodbe Awaiting requested review from wtgodbe wtgodbe is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

community-contribution Indicates that the PR has been added by a community member needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jesuszarate