From 5ed1cb7aa02fefec051855b9721541fde13a126a Mon Sep 17 00:00:00 2001
From: Chuy Zarate <jezarat@microsoft.com>
Date: Wed, 25 Mar 2026 17:42:04 -0600
Subject: [PATCH] Add catalog signing for .js files for VS signing compliance

The .js files in the Emscripten SDK are customer-modifiable toolchain files
that cannot be directly Authenticode-signed (modifying a signed file breaks
the signature). Instead, generate a .cat catalog file covering all .js files,
which is signed with MicrosoftDotNet500 via the existing FileExtensionSignInfo
entry for .cat files.

The GenerateCatalogFiles target runs after ReallyBuild on Windows only
(makecat.exe is a Windows SDK tool), generates a CDF listing all .js files,
produces emscripten-js.cat, and places it in the SDK package directory so it
ships alongside the files it covers.

This fixes ~14,468 unsigned .js files flagged by VS signing compliance scans.
---
 eng/Signing.props |  5 ++++-
 eng/emsdk.proj    | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/eng/Signing.props b/eng/Signing.props
index afc88110f7..3d376905eb 100644
--- a/eng/Signing.props
+++ b/eng/Signing.props
@@ -8,7 +8,10 @@
     <FileExtensionSignInfo Include=".pyd" CertificateName="MicrosoftDotNet500" />
     <FileExtensionSignInfo Include=".cat" CertificateName="MicrosoftDotNet500" />
 
-    <!-- We don't need to code sign .js files because they are not used in Windows Script Host. -->
+    <!-- JS files are customer-modifiable Emscripten toolchain files. They cannot be
+         Authenticode-signed because modifying a signed file breaks the signature.
+         Instead, a catalog file (emscripten-js.cat) is generated and signed to provide
+         integrity verification. See the GenerateCatalogFiles target in eng/emsdk.proj. -->
     <FileExtensionSignInfo Update=".js" CertificateName="None" />
 
     <!--
diff --git a/eng/emsdk.proj b/eng/emsdk.proj
index 45386f070c..b1b9ae6dee 100644
--- a/eng/emsdk.proj
+++ b/eng/emsdk.proj
@@ -365,6 +365,49 @@
     <Delete Files="@(DeleteCacheFiles)" />
   </Target>
 
+  <!--
+    Generate a catalog (.cat) file covering all .js files in the SDK package.
+    The .js files are customer-modifiable Emscripten toolchain files that cannot be
+    directly Authenticode-signed. The .cat provides integrity verification without
+    preventing modification. Only runs on Windows (makecat.exe is a Windows SDK tool)
+    and only the Windows packs are inserted into VS.
+  -->
+  <Target Name="GenerateCatalogFiles" AfterTargets="ReallyBuild" Condition="$([MSBuild]::IsOSPlatform('Windows'))">
+    <PropertyGroup>
+      <_CdfFile>$(ArtifactsObjDir)emscripten-js.cdf</_CdfFile>
+      <_CatOutputDir>$(ArtifactsObjDir)upstream\emscripten\</_CatOutputDir>
+    </PropertyGroup>
+
+    <Exec Command="powershell.exe -NoProfile -ExecutionPolicy Bypass -Command &quot;&amp; {
+      $$rootPath = '$(ArtifactsObjDir)upstream'
+      $$cdfPath = '$(_CdfFile)'
+      $$catPath = '$(_CatOutputDir)emscripten-js.cat'
+
+      $$files = Get-ChildItem -Path $$rootPath -Recurse -Filter '*.js' -File
+      $$cdf = @()
+      $$cdf += '[CatalogHeader]'
+      $$cdf += 'Name=' + $$catPath
+      $$cdf += 'CatalogVersion=2'
+      $$cdf += 'HashAlgorithms=SHA256'
+      $$cdf += ''
+      $$cdf += '[CatalogFiles]'
+
+      $$i = 0
+      foreach ($$f in $$files) {
+        $$label = 'js_' + $$i + '_' + ($$f.Name -replace '[^\w\.-]','_')
+        $$cdf += '&lt;hash&gt;' + $$label + '=' + $$f.FullName
+        $$i++
+      }
+
+      $$cdf | Set-Content -Path $$cdfPath -Encoding ASCII
+      Write-Host ('Generated CDF with ' + $$files.Count + ' .js files')
+    }&quot;" StandardOutputImportance="High" />
+
+    <Exec Command="makecat.exe &quot;$(_CdfFile)&quot;" StandardOutputImportance="High" />
+
+    <Message Importance="High" Text="Generated catalog file: $(_CatOutputDir)emscripten-js.cat" />
+  </Target>
+
   <Target Name="ReallyPack" DependsOnTargets="Build" BeforeTargets="Pack">
     <Message Importance="High" Text="Creating nuget packages..." />
     <MSBuild Projects="$(MSBuildThisFileDirectory)nuget\Microsoft.NET.Runtime.Emscripten.Node\Microsoft.NET.Runtime.Emscripten.Node.pkgproj" Targets="Build" />