Migrate SignFile Task to TaskEnvironment API

[Copilot]

Context

SignFile task needed migration to support MSBuild's multithreaded execution model. Tasks must use TaskEnvironment for path resolution instead of relying on process working directory.

Changes Made

• Add [MSBuildMultiThreadableTask] attribute and implement IMultiThreadableTask
• Add TaskEnvironment property
• Absolutize SigningTarget.ItemSpec via TaskEnvironment.GetAbsolutePath() before passing to SecurityUtilities.SignFile()
• Handle ArgumentException from path resolution with appropriate error logging

Thread-safety fix for SecurityUtilities

SecurityUtilities.SignFile() transitively used process-global state, which is unsafe under multithreaded execution:

1. GetPathToTool() used Directory.GetCurrentDirectory() as fallback for signtool.exe discovery
2. SignPEFileInternal() created new ProcessStartInfo() without setting WorkingDirectory, inheriting process CWD
3. SetDllDirectoryW() modified process-wide DLL search path during manifest signing

Fix: Thread TaskEnvironment through the entire SecurityUtilities.SignFile → SignFileInternal → SignPEFile → SignPEFileInternal call chain via internal overloads. Public API signatures are unchanged (old methods delegate with taskEnvironment: null).

• SignPEFileInternal now uses taskEnvironment.GetProcessStartInfo() as baseline ProcessStartInfo (inherits correct WorkingDirectory and environment variables from the task's project context)
• GetPathToTool accepts a fallbackDirectory parameter instead of calling Directory.GetCurrentDirectory()
• SetDllDirectoryW calls are serialized with a lock under #if RUNTIME_TYPE_NETCORE
• Added TaskEnvironmentHelper.CreateMultithreadedForTest() helper for tests

Testing

• GetPathToTool_WithFallbackDirectory_NeverUsesCwd — verifies fallback directory is never the process CWD
• SignFile_WithTaskEnvironment_UsesTaskEnvironmentProjectDirectory — verifies MultiThreadedTaskEnvironmentDriver sets correct WorkingDirectory on ProcessStartInfo
• Existing SignFile_Success tests unchanged

Notes

SignFile is Windows-only ([SupportedOSPlatform("windows")]), so unit tests are skipped on Linux CI runners.

[dotnet-policy-service]

Hello @@copilot, I noticed that you’re changing an .swr file or any file under src/Package/MSBuild.VSSetup.. Please make sure to validate this change by an experimental VS insertion. This is accomplished by pushing to an exp/* branch, which requires write permissions to this repo.

[Copilot]

Pull request overview

Migrates the SignFile task to use the TaskEnvironment API for path resolution to better support MSBuild’s multithreaded execution model.

Changes:

• Mark SignFile as multithread-capable via [MSBuildMultiThreadableTask] and IMultiThreadableTask, adding a TaskEnvironment property.
• Resolve SigningTarget.ItemSpec to an absolute path via TaskEnvironment.GetAbsolutePath(...) before signing.
• Add handling/logging for ArgumentException thrown during path resolution.

[Copilot]

Marking SignFile as [MSBuildMultiThreadableTask] / IMultiThreadableTask looks unsafe because it calls SecurityUtilities.SignFile(...), which internally depends on process-global state (e.g., falls back to Directory.GetCurrentDirectory() when locating signtool and uses SetDllDirectoryW during manifest signing). In a multithreaded build this can lead to nondeterministic tool resolution or interference between concurrently executing tasks. Consider removing the multithreadable attribute/interface until SecurityUtilities can take/use TaskEnvironment (or otherwise avoid process-global current directory / DLL directory changes) for tool discovery and process execution.

[JanProvaznik]

valid concern