Add catalog signing for unsigned apphost template files#127888
Open
jesuszarate wants to merge 3 commits into
Open
Add catalog signing for unsigned apphost template files#127888jesuszarate wants to merge 3 commits into
jesuszarate wants to merge 3 commits into
Conversation
The apphost template files (apphost.exe, singlefilehost.exe, comhost.dll) are intentionally unsigned because the .NET SDK modifies them at build time via HostWriter.CreateAppHost(). However, the Visual Studio signing scan flags them as non-compliant. This change adds a catalog file (.cat) containing SHA256 hashes of the template files. The catalog is signed with MicrosoftDotNet500 via Arcade signing and shipped alongside the templates in the AppHostPack NuGet package and MSI. This provides integrity verification for VS signing compliance without breaking the SDK workflow. Fixes the VS signing scan finding for 54 apphost template PE files across .NET 8/9/10 architectures. Related: dotnet#3694
Contributor
There was a problem hiding this comment.
Copilot encountered an error: Your billing is not configured or you have Copilot licenses from multiple standalone organizations or enterprises. To use premium requests, select a billing entity via the GitHub site, under Settings > Copilot > Features.
dotnet-policy-service
Bot
added
the
community-contribution
| Condition="'$(TargetOS)' == 'windows'"> | ||
| <PropertyGroup> | ||
| <_CatStagingDir>$(IntermediateOutputPath)apphost-catalog\</_CatStagingDir> | ||
| <_CatalogFilePath>$(DotNetHostBinDir)apphost-templates.cat</_CatalogFilePath> |
Author
There was a problem hiding this comment.
Fixed in 3ef521e — moved _CatalogFilePath from to so it's per-project and won't collide across parallel TFM/arch builds.
Comment on lines
+107
to
+117
| <!-- Stage the unsigned template files in an isolated directory for catalog generation --> | ||
| <RemoveDir Directories="$(_CatStagingDir)" /> | ||
| <MakeDir Directories="$(_CatStagingDir)" /> | ||
| <Copy SourceFiles="$(DotNetHostBinDir)apphost.exe" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)apphost.exe')" /> | ||
| <Copy SourceFiles="$(DotNetHostBinDir)singlefilehost.exe" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)singlefilehost.exe')" /> | ||
| <Copy SourceFiles="$(DotNetHostBinDir)comhost.dll" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)comhost.dll')" /> | ||
|
|
||
| <Exec Command="powershell.exe -NoProfile -NonInteractive -Command "New-FileCatalog -Path '$(_CatStagingDir)' -CatalogFilePath '$(_CatalogFilePath)' -CatalogVersion 2"" /> | ||
|
|
||
| <ItemGroup> | ||
| <FilesToPackage Include="$(_CatalogFilePath)" /> |
Author
There was a problem hiding this comment.
Fixed in 3ef521e — added _StagedTemplateFiles ItemGroup that globs the staging directory. The Exec is now conditioned on @(_StagedTemplateFiles) != '' and FilesToPackage is conditioned on Exists('$(_CatalogFilePath)'), so neither runs if no template files were staged.
| <Copy SourceFiles="$(DotNetHostBinDir)singlefilehost.exe" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)singlefilehost.exe')" /> | ||
| <Copy SourceFiles="$(DotNetHostBinDir)comhost.dll" DestinationFolder="$(_CatStagingDir)" Condition="Exists('$(DotNetHostBinDir)comhost.dll')" /> | ||
|
|
||
| <Exec Command="powershell.exe -NoProfile -NonInteractive -Command "New-FileCatalog -Path '$(_CatStagingDir)' -CatalogFilePath '$(_CatalogFilePath)' -CatalogVersion 2"" /> |
Author
There was a problem hiding this comment.
Fixed in 3ef521e — added a _PowerShellCommand property that resolves to the full path via $(SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe when it exists, falling back to bare powershell.exe otherwise. This avoids PATH dependency on Windows build agents.
…ll path - Move _CatalogFilePath from $(DotNetHostBinDir) to $(IntermediateOutputPath) to avoid cross-target/parallel-build collisions in the shared output directory - Add _StagedTemplateFiles ItemGroup and condition the Exec on it being non-empty so the build is resilient to missing template inputs - Condition FilesToPackage on Exists() for the catalog file - Resolve powershell.exe via $(SystemRoot) full path to avoid PATH dependency, with fallback to bare powershell.exe
This was referenced May 19, 2026
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The apphost template files (\�pphost.exe, \singlefilehost.exe, \comhost.dll) are intentionally unsigned because the .NET SDK modifies them at build time via \HostWriter.CreateAppHost(). However, the Visual Studio signing scan (SignVerify) flags them as non-compliant unsigned PE binaries.
This change adds a catalog file (.cat) containing SHA256 hashes of the template files. The catalog is signed with \MicrosoftDotNet500\ via Arcade signing and shipped alongside the templates in the AppHostPack NuGet package and MSI. This provides integrity verification for VS signing compliance without breaking the SDK workflow.
Changes
Context
Risk
Low — This is a purely additive change. The unsigned template files are not modified. The .cat\ file is a new artifact that provides integrity verification only. The target only runs on Windows builds.