Skip to content

Add FileExtensionSignInfo for .cab to fix unsigned cab files inside ANCM MSIs#66443

Merged
wtgodbe merged 2 commits into
dotnet:mainfrom
jesuszarate:dev/jezarat/sign-cab-files
May 22, 2026
Merged

Add FileExtensionSignInfo for .cab to fix unsigned cab files inside ANCM MSIs#66443
wtgodbe merged 2 commits into
dotnet:mainfrom
jesuszarate:dev/jezarat/sign-cab-files

Conversation

@jesuszarate
Copy link
Copy Markdown
Contributor

@jesuszarate jesuszarate commented Apr 23, 2026

\ CertificateName=\Microsoft400\ />
\\

  • Uses \Include\ (not \Update) because .cab\ is not in Arcade's default \Sign.props\
  • \Microsoft400\ is auto-replaced with \MicrosoftDotNet500\ since this repo sets \UseDotNetCertificate=true\

Affected payloads

Payload Arch Type
msancmv2iisexpressmsi* arm64, x64, x86 ANCM v2 IIS Express
msancmv2iismsi* arm64, x64, x86 ANCM v2 IIS
msancmiisexpressmsi* x64, x86 ANCM v1 IIS Express
msancmiismsi* x64, x86 ANCM v1 IIS

Precedent

Same fix pattern applied in other dotnet repos:

Tracking

  • VS signing compliance bug: 2951246

@github-actions github-actions Bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Apr 23, 2026
@dotnet-policy-service dotnet-policy-service Bot added the community-contribution Indicates that the PR has been added by a community member label Apr 23, 2026
This was referenced Apr 23, 2026
Open
Open
Closed
This was referenced Apr 27, 2026
Merged
Merged
Merged
Merged
Merged
Merged
@jesuszarate jesuszarate marked this pull request as ready for review April 27, 2026 16:20
@jesuszarate jesuszarate requested review from a team and wtgodbe as code owners April 27, 2026 16:20
Copilot AI review requested due to automatic review settings April 27, 2026 16:20
Copilot AI reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds signing configuration so .cab cabinet archives produced/embedded by ANCM MSI builds are code-signed, addressing signing compliance failures for unsigned CAB payloads.

Changes:

  • Add a FileExtensionSignInfo entry to sign .cab files using the Microsoft400 certificate.
  • Document the intent in eng/Signing.props near existing signing exclusions.

Comment thread eng/Signing.props Outdated
Comment on lines +35 to +36
<!-- Sign cabinet archives embedded inside MSI installers (ANCM, hosting bundle, etc.) -->
<FileExtensionSignInfo Include=".cab" CertificateName="Microsoft400" />
Copy link

Copilot AI Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new .cab signing rule is inside the ItemGroup labeled "Code sign exclusions", which now mixes exclusions (CertificateName="None") with a positive signing rule. Consider moving the .cab entry to a separate ItemGroup (or updating the label) to keep the intent clear for future edits.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor Author

@jesuszarate jesuszarate Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch - moved the .cab entry into its own ItemGroup (Label=Container signing) above the exclusions group. This keeps the intent clear: exclusions are None, container signing rules are separate.

@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-cab-files branch from e6d8b33 to c22892a Compare April 27, 2026 17:13
@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-cab-files branch from 3d8c2ee to 4e17ba2 Compare May 20, 2026 17:50
@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-cab-files branch 2 times, most recently from a1ec329 to 1be622d Compare May 20, 2026 18:11
@jesuszarate
Add .cat catalog signing and update .js exclusion comment
d2458f8 
Add FileExtensionSignInfo for .cat so catalog files covering
customer-modifiable JS templates are signed with Microsoft400.

Update .js exclusion comment to clarify: JS files are excluded from
Authenticode because they are customer-modifiable templates, covered
by catalog signing instead.

VS signing compliance bugs: 2951246, 2991694
@jesuszarate jesuszarate force-pushed the dev/jezarat/sign-cab-files branch from 1be622d to d2458f8 Compare May 20, 2026 19:22
@build-analysis build-analysis Bot mentioned this pull request May 22, 2026
Open
@wtgodbe wtgodbe merged commit 27c660e into dotnet:main May 22, 2026
21 of 24 checks passed
@dotnet-policy-service dotnet-policy-service Bot added this to the 11.0-preview5 milestone May 22, 2026
@dotnet-maestro dotnet-maestro Bot mentioned this pull request May 23, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wtgodbe wtgodbe wtgodbe approved these changes

@tdykstra tdykstra Awaiting requested review from tdykstra

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy

@halter73 halter73 Awaiting requested review from halter73

Assignees

No one assigned

Labels

community-contribution Indicates that the PR has been added by a community member needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically

Projects

None yet

Milestone

11.0-preview6

Development

Successfully merging this pull request may close these issues.

3 participants

@jesuszarate @wtgodbe