Add .cab/.vbs to FileExtensionSignInfo for VS signing compliance#1703
Open
jesuszarate wants to merge 1 commit intodotnet:mainfrom
Open
Add .cab/.vbs to FileExtensionSignInfo for VS signing compliance#1703jesuszarate wants to merge 1 commit intodotnet:mainfrom
jesuszarate wants to merge 1 commit intodotnet:mainfrom
Conversation
jesuszarate
force-pushed
the
dev/jezarat/sign-cab-vbs-ps1
branch
2 times, most recently
from
214beaa to
99b0028
Compare
The VS signing scan flags files across msemscriptenpythonnet* and emsdk6manifest* workload packs (.NET 6-10) as unsigned. Root cause: eng/Signing.props has no FileExtensionSignInfo for .cab or .vbs. Without .cab, the Arcade SignTool cannot open MSI containers to sign embedded cabinet archives. Without .vbs, CPython VBScript installer scripts are unsigned. The Arcade SDK default already covers .ps1 (Microsoft400, auto-upgraded to MicrosoftDotNet500 via UseDotNetCertificate), so no override is needed for that. Fix: - .cab -> MicrosoftDotNet500 (consistent with .pyd, .cat) - .vbs -> MicrosoftDotNet500 (consistent with .pyd, .cat, .cab)
jesuszarate
force-pushed
the
dev/jezarat/sign-cab-vbs-ps1
branch
from
99b0028 to
7c11893
Compare
Author
|
@mmitche would you be able to review this PR? Thanks. |
mmitche
reviewed
Apr 24, 2026
| <FileExtensionSignInfo Include=".pyd" CertificateName="MicrosoftDotNet500" /> | ||
| <FileExtensionSignInfo Include=".cat" CertificateName="MicrosoftDotNet500" /> | ||
| <FileExtensionSignInfo Include=".cab" CertificateName="MicrosoftDotNet500" /> | ||
| <FileExtensionSignInfo Include=".vbs" CertificateName="MicrosoftDotNet500" /> |
Member
There was a problem hiding this comment.
The PR description says these are 3P...is this the correct cert to use for those 3P scripts?
Author
There was a problem hiding this comment.
Good catch — the PR description was stale from an earlier iteration where we used 3PartyScriptsSHA2.
The code intentionally uses MicrosoftDotNet500 because:
FileExtensionSignInfois global — it applies to ALL.vbsfiles in the repo, not just the CPython ones- Consistent with the existing
.pydand.catentries which all useMicrosoftDotNet500 - The repo has
UseDotNetCertificate=true, soMicrosoftDotNet500is the standard cert here
I've updated the PR description to match the actual code.
jesuszarate
changed the title
mmitche
approved these changes
Apr 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The VS signing scan flags files across 10
msemscriptenpythonnet*and 3emsdk6manifest*workload packs (.NET 6-10) as unsigned. All originate fromdotnet/emsdk.Root Cause
eng/Signing.propshas noFileExtensionSignInfofor.cabor.vbs. Without.cab, the Arcade SignTool cannot open MSI containers to sign embedded cabinet archives — this blocks signing of ALL files inside the MSI. Without.vbs, CPython VBScript installer scripts remain unsigned..ps1does NOT need an override — the Arcade SDK already defines a default for.ps1(via.ps1;.psd1;.psm1;.psc1;.py->Microsoft400, auto-upgraded toMicrosoftDotNet500viaUseDotNetCertificate=true). Once.cablets the SignTool enter the MSI,.ps1files are signed automatically.Fix
Two new entries in
eng/Signing.props:FileExtensionSignInfo Include='.cab' CertificateName='MicrosoftDotNet500'FileExtensionSignInfo Include='.vbs' CertificateName='MicrosoftDotNet500'Both use
MicrosoftDotNet500, consistent with existing.pydand.catentries.Include(notUpdate) because.caband.vbsare not in Arcade SDK defaults.MicrosoftDotNet500(not3PartyScriptsSHA2) becauseFileExtensionSignInfois global — it applies to all files of that extension in the repo, and the repo standard isMicrosoftDotNet500.Tracking
VS repo bug: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2949698