From 5cd235b303a3e2a02bfa02cfbac50e6531ebefe0 Mon Sep 17 00:00:00 2001 From: "Dustin L. Howett" Date: Thu, 15 May 2025 12:28:36 -0500 Subject: [PATCH] build: strong name sign the Extension Toolkit Strong-name signing embeds publisher identity into the signature of a .NET assembly. This is required if *any other* strong name signed project wants to take a dependency on it. To make this work, we need to delay-sign it with a public key (.snk file)--e.g. say we are going to sign it, but not actually sign it--to give it an identity and then later submit it to ESRP for final signing. The snk file does not contain any private material. --- .pipelines/272MSSharedLibSN2048.snk | Bin 0 -> 288 bytes .pipelines/ESRPSigning_sdk.json | 59 +++++++++++++++++- ...t.CommandPalette.Extensions.Toolkit.csproj | 6 ++ .../extensionsdk/nuget/BuildSDKHelper.ps1 | 4 ++ 4 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 .pipelines/272MSSharedLibSN2048.snk diff --git a/.pipelines/272MSSharedLibSN2048.snk b/.pipelines/272MSSharedLibSN2048.snk new file mode 100644 index 0000000000000000000000000000000000000000..bd766f84a23ac0323c0589df14827e0644f6a6ae GIT binary patch literal 288 zcmV+*0pI=rBme*mfB*m#0RR970ssI2Bme+XQ$aBR2mk;90097ns?fghXpI}0N)347 z{VDt;tTgRCI>Y;$Jq$=VYp67;hyXPP3W!Lu*sb-BXAaT{6uvfrsFBIYz#i`^vM6#? zd^x@VuMTW-NL_sW8d2YgN7HQUshE)lwTixZ=A-8t0qtwthHw&yJ_{O6HLp+enc>H;SZF)np*8VQkMZhY=?#0CI&6piJ=rt}<6RP#`KS4*d|kC{4?MzJ m(H@s~`ArjxJnB=qs52ZcZOe@=sZJQb5o7-mDk9t2Ekc^_F@YHX literal 0 HcmV?d00001 diff --git a/.pipelines/ESRPSigning_sdk.json b/.pipelines/ESRPSigning_sdk.json index 066acf9e4e..e2e2db7701 100644 --- a/.pipelines/ESRPSigning_sdk.json +++ b/.pipelines/ESRPSigning_sdk.json 
@@ -4,9 +4,66 @@ "SignBatches": [ { "MatchedPath": [ - "Microsoft.CommandPalette.Extensions.dll", "Microsoft.CommandPalette.Extensions.Toolkit.dll" ], + "SigningInfo": { + "Operations": [ + { + "KeyCode": "CP-233904-SN", + "OperationSetCode": "StrongNameSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": [] + }, + { + "KeyCode": "CP-233904-SN", + "OperationSetCode": "StrongNameVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": [] + }, + { + "KeyCode": "CP-230012", + "OperationSetCode": "SigntoolSign", + "Parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd \"SHA256\"" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "ToolName": "sign", + "ToolVersion": "1.0" + }, + { + "KeyCode": "CP-230012", + "OperationSetCode": "SigntoolVerify", + "Parameters": [], + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] + } + }, + { + "MatchedPath": [ + "Microsoft.CommandPalette.Extensions.dll" + ], "SigningInfo": { "Operations": [ { diff --git a/src/modules/cmdpal/extensionsdk/Microsoft.CommandPalette.Extensions.Toolkit/Microsoft.CommandPalette.Extensions.Toolkit.csproj b/src/modules/cmdpal/extensionsdk/Microsoft.CommandPalette.Extensions.Toolkit/Microsoft.CommandPalette.Extensions.Toolkit.csproj index 8f3cdaed91..3bb74237a8 100644 --- a/src/modules/cmdpal/extensionsdk/Microsoft.CommandPalette.Extensions.Toolkit/Microsoft.CommandPalette.Extensions.Toolkit.csproj +++ b/src/modules/cmdpal/extensionsdk/Microsoft.CommandPalette.Extensions.Toolkit/Microsoft.CommandPalette.Extensions.Toolkit.csproj 
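Review bot: The new Toolkit batch depends on operation order and nothing records that: `StrongNameSign` has to run before `SigntoolSign`, because completing the strong-name signature rewrites the assembly and would invalidate an Authenticode signature applied earlier. The order in this hunk is correct; since JSON cannot carry a comment, I would state the constraint in the commit description or the pipeline docs so that a later reorder or merge of batches does not break it. `MatchedPath` also selects by bare file name, so a rename of the Toolkit assembly would presumably drop it from this batch without an error, and the delay-signed DLL would never reach `StrongNameVerify`. The `Microsoft.CommandPalette.Extensions.dll` batch continues outside the hunk.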
@@ -15,6 +15,12 @@ None + + true + true + $(SolutionDir)\.pipelines\272MSSharedLibSN2048.snk + + Microsoft.CommandPalette.Extensions $(OutDir) diff --git a/src/modules/cmdpal/extensionsdk/nuget/BuildSDKHelper.ps1 b/src/modules/cmdpal/extensionsdk/nuget/BuildSDKHelper.ps1 index 52e2f17586..8270e7bb4a 100644 --- a/src/modules/cmdpal/extensionsdk/nuget/BuildSDKHelper.ps1 +++ b/src/modules/cmdpal/extensionsdk/nuget/BuildSDKHelper.ps1 @@ -69,6 +69,10 @@ if (($BuildStep -ieq "all") -Or ($BuildStep -ieq "build")) { ("/p:VersionNumber="+$VersionOfSDK) ) + if ($IsAzurePipelineBuild) { + $msbuildArgs += "/p:CIBuild=true" + } + & $msbuildPath $msbuildArgs } }
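Review bot: `$(SolutionDir)` is only defined when MSBuild is handed a solution, so the added key path `$(SolutionDir)\.pipelines\272MSSharedLibSN2048.snk` stops resolving if this project is built on its own; how BuildSDKHelper.ps1 invokes the build is not visible here. A path anchored on the project file avoids that dependency: `$(MSBuildThisFileDirectory)..\..\..\..\..\.pipelines\272MSSharedLibSN2048.snk`. The XML tags did not survive on this page, so I am assuming the three added values are the sign, delay-sign and key-file properties. I would also put an XML comment beside the key path saying the file is a public-key-only blob (its 288 bytes are consistent with a 2048-bit public key), so that nobody later replaces it with a full key pair.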
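Review bot: The added `/p:CIBuild=true` switch has no comment saying what it turns on, and the effect is security-relevant: presumably it enables delay-signing in the Toolkit project, so the DLL this step produces has no valid strong-name signature until the ESRP batch has run. I would add `# CIBuild=true enables delay-signing of the Toolkit; the DLL must pass ESRP signing before it is packed or published.` above the `if`. `$IsAzurePipelineBuild` is defined outside the hunk, and whether the script's pack step can run before signing is not visible here; if it can, the package would carry the delay-signed DLL.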