dotnet
diff --git a/‎src/arcade/Arcade.slnx‎
Lines changed: 1 addition & 1 deletion b/‎src/arcade/Arcade.slnx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/arcade/eng/Version.Details.props‎
Lines changed: 2 additions & 2 deletions b/‎src/arcade/eng/Version.Details.props‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/arcade/eng/Version.Details.xml‎
Lines changed: 4 additions & 4 deletions b/‎src/arcade/eng/Version.Details.xml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/arcade/global.json‎
Lines changed: 2 additions & 2 deletions b/‎src/arcade/global.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/arcade/src/Microsoft.DotNet.Build.Tasks.Installers/build/wix5/bundle/bundle.wxs‎
Lines changed: 9 additions & 1 deletion b/‎src/arcade/src/Microsoft.DotNet.Build.Tasks.Installers/build/wix5/bundle/bundle.wxs‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/arcade/src/Microsoft.DotNet.Build.Tasks.Installers/build/wix5/wix.targets‎
Lines changed: 1 addition & 1 deletion b/‎src/arcade/src/Microsoft.DotNet.Build.Tasks.Installers/build/wix5/wix.targets‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/arcade/src/Microsoft.DotNet.SignTool.Tests/Resources/InnerZipFile.zip‎
17.3 KB b/‎src/arcade/src/Microsoft.DotNet.SignTool.Tests/Resources/InnerZipFile.zip‎
17.3 KB
diff --git a/‎src/arcade/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs‎
Lines changed: 107 additions & 2 deletions b/‎src/arcade/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs‎
Lines changed: 107 additions & 2 deletions
diff --git a/‎src/arcade/src/Microsoft.DotNet.SignTool/src/AdditionalCertificateInformation.cs‎
Lines changed: 4 additions & 0 deletions b/‎src/arcade/src/Microsoft.DotNet.SignTool/src/AdditionalCertificateInformation.cs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/arcade/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs‎
Lines changed: 38 additions & 3 deletions b/‎src/arcade/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs‎
Lines changed: 38 additions & 3 deletions
@@ -45,6 +45,7 @@
   <Project Path="src/Microsoft.DotNet.Arcade.Sdk/Microsoft.DotNet.Arcade.Sdk.csproj" />
   <Project Path="src/Microsoft.DotNet.ArcadeAzureIntegration/Microsoft.DotNet.ArcadeAzureIntegration.csproj" />
   <Project Path="src/Microsoft.DotNet.ArcadeLogging/Microsoft.DotNet.ArcadeLogging.csproj" />
+  <Project Path="src/Microsoft.DotNet.Baselines.Tasks/Microsoft.DotNet.Baselines.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Manifest/Microsoft.DotNet.Build.Manifest.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Tasks.Archives/Microsoft.DotNet.Build.Tasks.Archives.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Tasks.Feed/Microsoft.DotNet.Build.Tasks.Feed.csproj" />
@@ -71,7 +72,6 @@
   <Project Path="src/Microsoft.DotNet.SourceBuild/tasks/Microsoft.DotNet.SourceBuild.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.StrongName/Microsoft.DotNet.StrongName.csproj" />
   <Project Path="src/Microsoft.DotNet.Tar/Microsoft.DotNet.Tar.csproj" />
-  <Project Path="src/Microsoft.DotNet.Baselines.Tasks/Microsoft.DotNet.Baselines.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.XliffTasks/Microsoft.DotNet.XliffTasks.csproj" />
   <Project Path="src/Microsoft.DotNet.XUnitAssert/src/Microsoft.DotNet.XUnitAssert.csproj" />
   <Project Path="src/Microsoft.DotNet.XUnitConsoleRunner/src/Microsoft.DotNet.XUnitConsoleRunner.csproj" />
 
@@ -14,8 +14,8 @@ This file should be imported by eng/Versions.props
     <!-- dotnet/templating dependencies -->
     <MicrosoftTemplateEngineAuthoringTasksPackageVersion>10.0.100-preview.4.25220.1</MicrosoftTemplateEngineAuthoringTasksPackageVersion>
     <!-- dotnet/arcade dependencies -->
-    <MicrosoftDotNetArcadeSdkPackageVersion>10.0.0-beta.25469.2</MicrosoftDotNetArcadeSdkPackageVersion>
-    <MicrosoftDotNetHelixSdkPackageVersion>10.0.0-beta.25469.2</MicrosoftDotNetHelixSdkPackageVersion>
+    <MicrosoftDotNetArcadeSdkPackageVersion>10.0.0-beta.25507.1</MicrosoftDotNetArcadeSdkPackageVersion>
+    <MicrosoftDotNetHelixSdkPackageVersion>10.0.0-beta.25507.1</MicrosoftDotNetHelixSdkPackageVersion>
     <!-- dotnet/arcade-services dependencies -->
     <MicrosoftDotNetDarcLibPackageVersion>1.1.0-beta.25424.1</MicrosoftDotNetDarcLibPackageVersion>
     <MicrosoftDotNetProductConstructionServiceClientPackageVersion>1.1.0-beta.25424.1</MicrosoftDotNetProductConstructionServiceClientPackageVersion>
 
@@ -20,13 +20,13 @@
       <Uri>https://github.com/dotnet/templating</Uri>
       <Sha>43b5827697e501c442eb75ffff832cd4df2514fe</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="10.0.0-beta.25469.2">
+    <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="10.0.0-beta.25507.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>6275af47ebda0d394d4a5a401b77bc6f2304204a</Sha>
+      <Sha>4eaa220ea860cee9fa61df42411bbf79394edd23</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DotNet.Helix.Sdk" Version="10.0.0-beta.25469.2">
+    <Dependency Name="Microsoft.DotNet.Helix.Sdk" Version="10.0.0-beta.25507.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
-      <Sha>6275af47ebda0d394d4a5a401b77bc6f2304204a</Sha>
+      <Sha>4eaa220ea860cee9fa61df42411bbf79394edd23</Sha>
     </Dependency>
     <Dependency Name="Microsoft.DotNet.ProductConstructionService.Client" Version="1.1.0-beta.25424.1">
       <Uri>https://github.com/dotnet/arcade-services</Uri>
 
@@ -12,8 +12,8 @@
     "dotnet": "10.0.100-rc.1.25451.107"
   },
   "msbuild-sdks": {
-    "Microsoft.DotNet.Arcade.Sdk": "10.0.0-beta.25469.2",
-    "Microsoft.DotNet.Helix.Sdk": "10.0.0-beta.25469.2",
+    "Microsoft.DotNet.Arcade.Sdk": "10.0.0-beta.25507.1",
+    "Microsoft.DotNet.Helix.Sdk": "10.0.0-beta.25507.1",
     "Microsoft.Build.NoTargets": "3.7.0"
   }
 }
@@ -61,7 +61,15 @@
       </BootstrapperApplication>
     <?endif?>
 
-    <SoftwareTag Regid="microsoft.com" InstallPath="[ProgramFiles6432Folder]dotnet" />
+    <?if $(var.Platform)=x64?>
+      <SoftwareTag Regid="microsoft.com" InstallPath="[ProgramFiles64Folder]dotnet" />
+    <?endif?>
+    <?if $(var.Platform)=arm64?>
+      <SoftwareTag Regid="microsoft.com" InstallPath="[ProgramFiles64Folder]dotnet" />
+    <?endif?>
+    <?if $(var.Platform)=x86?>
+      <SoftwareTag Regid="microsoft.com" InstallPath="[ProgramFilesFolder]dotnet" />
+    <?endif?>
 
     <!-- Variables used solely for localization. -->
     <Variable Name="BUNDLEMONIKER" Type="string" Value="$(var.ProductMoniker) ($(var.TargetArchitectureDescription))" bal:Overridable="no" />
 
@@ -340,7 +340,7 @@
       <CandleVariables Include="BuildVersion" Value="$(MsiVersionString)" />
       <CandleVariables Include="NugetVersion" Value="$(Version)" />
       <CandleVariables Include="InstallerPlatform" Value="$(MsiArch)" />
-      <CandleVariables Include="Platform" Value="$(MsiArch)" />
+      <CandleVariables Include="Platform" Value="$(InstallerTargetArchitecture)" />
       <CandleVariables Include="TargetArchitectureDescription" Value="$(InstallerTargetArchitecture)$(CrossArchContentsBuildPart)" />
       <CandleVariables Include="UpgradeCode" Value="$(UpgradeCode)" />
       <CandleVariables Include="MajorUpgradeSchedule" Value="$(MajorUpgradeSchedule)" Condition="'$(MajorUpgradeSchedule)' != ''" />
 
@@ -1281,6 +1281,93 @@ public void SignZipFile()
             });
         }
 
+        [Fact]
+        public void SignArchivesUsingDetachedSignature()
+        {
+            // List of files to be considered for signing
+            var itemsToSign = new List<ItemToSign>()
+            {
+                new ItemToSign(GetResourcePath("test.zip")),
+                new ItemToSign(GetResourcePath("test.tgz")),
+                new ItemToSign(GetResourcePath("NestedZip.zip")),
+                new ItemToSign(GetResourcePath("InnerZipFile.zip"))
+            };
+
+            var strongNameSignInfo = new Dictionary<string, List<SignInfo>>();
+
+            // Overriding information
+            var explicitCertKeys = new Dictionary<ExplicitCertificateKey, string>()
+            {
+                { new ExplicitCertificateKey("test.zip"), "ArchiveCert" },
+                { new ExplicitCertificateKey("test.tgz"), "ArchiveCert" },
+                { new ExplicitCertificateKey("InnerZipFile.zip"), "ArchiveCert" }
+            };
+
+            var additionalCertificateInfo = new Dictionary<string, List<AdditionalCertificateInformation>>()
+            {
+                {  "ArchiveCert",
+                    new List<AdditionalCertificateInformation>() {
+                        new AdditionalCertificateInformation() { GeneratesDetachedSignature = true }
+                    }
+                }
+            };
+
+            ValidateFileSignInfos(itemsToSign, strongNameSignInfo, explicitCertKeys, s_fileExtensionSignInfo, new[]
+            {
+                "File 'NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'Nested.NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'Nested.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'test.zip' Certificate='ArchiveCert'",
+                "File 'test.tgz' Certificate='ArchiveCert'",
+                "File 'InnerZipFile.zip' Certificate='ArchiveCert'",
+                "File 'Mid.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'MidNativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'NestedZip.zip'",
+            },
+            additionalCertificateInfo: additionalCertificateInfo,
+            expectedCopyFiles: new[]
+            {
+                $"{Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip")} -> {Path.Combine(_tmpDir, "InnerZipFile.zip")}",
+                $"{Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip.sig")} -> {Path.Combine(_tmpDir, "InnerZipFile.zip.sig")}"
+            });
+
+            ValidateGeneratedProject(itemsToSign, strongNameSignInfo, explicitCertKeys, s_fileExtensionSignInfo, new[]
+            {
+$@"
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "0", "NativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "1", "SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "2", "this_is_a_big_folder_name_look/this_is_an_even_more_longer_folder_name/but_this_one_is_ever_longer_than_the_previous_other_two/Nested.NativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "3", "this_is_a_big_folder_name_look/this_is_an_even_more_longer_folder_name/but_this_one_is_ever_longer_than_the_previous_other_two/Nested.SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "7", "Mid.SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "8", "MidNativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+",
+$@"
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.zip"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.tgz"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+"
+            }, additionalCertificateInfo: additionalCertificateInfo);
+        }
+
         /// <summary>
         /// Verifies that signing of pkgs can be done on Windows, even though
         /// we will not unpack or repack them.
@@ -2590,6 +2677,11 @@ public void ValidateSignToolTaskParsing()
                 }),
                 // Signed pe file
                 new TaskItem(GetResourcePath("SignedLibrary.dll"), new Dictionary<string, string>
+                {
+                    { SignToolConstants.CollisionPriorityId, "123" }
+                }),
+                // Sign a test.zip
+                new TaskItem(GetResourcePath("test.zip"), new Dictionary<string, string>
                 {
                     { SignToolConstants.CollisionPriorityId, "123" }
                 })
@@ -2621,6 +2713,11 @@ public void ValidateSignToolTaskParsing()
                     { "CertificateName", "DualSignCertificate" },
                     { "PublicKeyToken", "31bf3856ad364e35" },
                     { "CollisionPriorityId", "123" }
+                }),
+                new TaskItem("test.zip", new Dictionary<string, string>
+                {
+                    { "CertificateName", "DetachedArchiveCert" },
+                    { "CollisionPriorityId", "123" }
                 })
             };
 
@@ -2637,7 +2734,11 @@ public void ValidateSignToolTaskParsing()
                     { "MacCertificate", "MacDeveloperHarden" },
                     { "MacNotarizationAppName", "com.microsoft.dotnet" },
                     { "CollisionPriorityId", "123" }
-                })
+                }),
+                new TaskItem("DetachedArchiveCert", new Dictionary<string, string>
+                {
+                    { "DetachedSignature", "true" }
+                }),
             };
 
             var task = new SignToolTask
@@ -2670,7 +2771,11 @@ public void ValidateSignToolTaskParsing()
                 "File 'ProjectOne.dll' TargetFramework='.NETCoreApp,Version=v2.1' Certificate='3PartySHA2' StrongName='ArcadeStrongTest'",
                 "File 'ProjectOne.dll' TargetFramework='.NETStandard,Version=v2.0' Certificate='OverrideCertificateName' StrongName='ArcadeStrongTest'",
                 "File 'ContainerOne.1.0.0.nupkg' Certificate='NuGet'",
-                "File 'SignedLibrary.dll' TargetFramework='.NETCoreApp,Version=v2.0' Certificate='DualSignCertificate'"
+                "File 'SignedLibrary.dll' TargetFramework='.NETCoreApp,Version=v2.0' Certificate='DualSignCertificate'",
+                "File 'SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'Nested.NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'Nested.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'test.zip' Certificate='DetachedArchiveCert'"
             };
             task.ParsedSigningInput.FilesToSign.Select(f => f.ToString()).Should().BeEquivalentTo(expected);
         }
 
@@ -21,6 +21,10 @@ public class AdditionalCertificateInformation
         /// If the certificate name represents a sign+notarize operation, this is the name of the notarize operation.
         /// </summary>
         public string MacNotarizationAppName { get; set; }
+        /// <summary>
+        /// If true, this certificate should generate detached signatures instead of in-place signing.
+        /// </summary>
+        public bool GeneratesDetachedSignature { get; set; }
         public string CollisionPriorityId { get; set; }
     }
 }
@@ -554,16 +554,30 @@ private void VerifyCertificates(TaskLoggingHelper log)
                 }
                 else if (fileName.IsZip())
                 {
-                    if (fileName.SignInfo.Certificate != null)
+                    // Zip files can't be signed without a detached signature. If a certificate is provided but the signature is not detached.
+                    if (!fileName.SignInfo.GeneratesDetachedSignature && fileName.SignInfo.Certificate != null)
                     {
-                        log.LogError($"Zip {fileName} should not be signed with this certificate: {fileName.SignInfo.Certificate}");
+                        log.LogError($"'{fileName}' may only be signed with a detached signature. '{fileName.SignInfo.Certificate}' does not produce a detached signature");
                     }
 
                     if (fileName.SignInfo.StrongName != null)
                     {
                         log.LogError($"Zip {fileName} cannot be strong name signed.");
                     }
                 }
+                else if (fileName.IsTarGZip())
+                {
+                    // Tar.gz files can't be signed without a detached signature. If a certificate is provided but the signature is not detached.
+                    if (!fileName.SignInfo.GeneratesDetachedSignature && fileName.SignInfo.Certificate != null)
+                    {
+                        log.LogError($"'{fileName}' may only be signed with a detached signature. '{fileName.SignInfo.Certificate}' does not produce a detached signature");
+                    }
+                    
+                    if (fileName.SignInfo.StrongName != null)
+                    {
+                        log.LogError($"TarGZip {fileName} cannot be strong name signed.");
+                    }
+                }
                 if (fileName.IsExecutableWixContainer())
                 {
                     if (isInvalidEmptyCertificate)
@@ -589,7 +603,28 @@ private void VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file)
             // No need to check if the file should not have been signed.
             if (file.SignInfo.ShouldSign)
             {
-                if (file.IsPEFile())
+                // For files with detached signatures, verify the .sig file exists
+                if (file.SignInfo.GeneratesDetachedSignature)
+                {
+                    string sigFilePath = file.DetachedSignatureFullPath;
+                    if (!File.Exists(sigFilePath))
+                    {
+                        _log.LogError($"Detached signature file {sigFilePath} does not exist for {file.FullPath}");
+                    }
+                    else
+                    {
+                        var fileInfo = new FileInfo(sigFilePath);
+                        if (fileInfo.Length == 0)
+                        {
+                            _log.LogError($"Detached signature file {sigFilePath} is empty.");
+                        }
+                        else
+                        {
+                            _log.LogMessage(MessageImportance.Low, $"Detached signature file {sigFilePath} exists and is non-empty.");
+                        }
+                    }
+                }
+                else if (file.IsPEFile())
                 {
                     using (var stream = File.OpenRead(file.FullPath))
                     {
Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,8 @@`
`12`	`12`	`"dotnet": "10.0.100-rc.1.25451.107"`
`13`	`13`	`},`
`14`	`14`	`"msbuild-sdks": {`
`15`		`- "Microsoft.DotNet.Arcade.Sdk": "10.0.0-beta.25469.2",`
`16`		`- "Microsoft.DotNet.Helix.Sdk": "10.0.0-beta.25469.2",`
	`15`	`+ "Microsoft.DotNet.Arcade.Sdk": "10.0.0-beta.25507.1",`
	`16`	`+ "Microsoft.DotNet.Helix.Sdk": "10.0.0-beta.25507.1",`
`17`	`17`	`"Microsoft.Build.NoTargets": "3.7.0"`
`18`	`18`	`}`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,10 @@ public class AdditionalCertificateInformation`
`21`	`21`	`/// If the certificate name represents a sign+notarize operation, this is the name of the notarize operation.`
`22`	`22`	`/// </summary>`
`23`	`23`	`public string MacNotarizationAppName { get; set; }`
	`24`	`+ /// <summary>`
	`25`	`+ /// If true, this certificate should generate detached signatures instead of in-place signing.`
	`26`	`+ /// </summary>`
	`27`	`+ public bool GeneratesDetachedSignature { get; set; }`
`24`	`28`	`public string CollisionPriorityId { get; set; }`
`25`	`29`	`}`
`26`	`30`	`}`