Add option to skip test signing on some assemblies (#10695)

joelverhagen · web-flow · commit a5685c086acd · 2026-01-30T18:03:00.000-05:00
* Add SkipAuthenticodeSubjects so we can not re-sign in some cases
* Remove flaky assertion
diff --git a/build/FindDuplicateFiles.cs b/build/FindDuplicateFiles.cs
@@ -6,6 +6,7 @@
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Build.Framework;
 
 namespace NuGet.Services.Build
@@ -21,6 +22,8 @@ public class FindDuplicateFiles : Microsoft.Build.Utilities.Task
         [Output]
         public ITaskItem[] DuplicateFiles { get; set; }
 
+        public string SkipAuthenticodeSubjects { get; set; }
+
         public override bool Execute()
         {
             var infos = GetUniqueTaskItemInfo();
@@ -123,6 +126,57 @@ private Dictionary<string, List<TaskItemInfo>> FindDuplicates(List<TaskItemInfo>
                 BreakTiesWithLeadingHash(filePathToDuplicates, buffer, fileSizePair);
             }
 
+            if (!string.IsNullOrWhiteSpace(SkipAuthenticodeSubjects))
+            {
+                Log.LogMessage("Skipping files with the following Authenticode subjects: {0}", SkipAuthenticodeSubjects);
+
+                var skipSubjects = SkipAuthenticodeSubjects
+                    .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
+                    .Select(s => s.Trim())
+                    .ToHashSet(StringComparer.Ordinal);
+
+                foreach (var pair in filePathToDuplicates.ToList())
+                {
+                    var path = pair.Key;
+                    try
+                    {
+                        var cert = X509Certificate.CreateFromSignedFile(path);
+                        var subject = cert.Subject;
+
+                        if (skipSubjects.Contains(subject))
+                        {
+                            Log.LogMessage(
+                                "Skipping file '{0}' with Authenticode subject '{1}'.",
+                                path,
+                                subject);
+
+                            filePathToDuplicates.Remove(path);
+                        }
+                        else
+                        {
+                            Log.LogMessage(
+                                "Not skipping file '{0}' with Authenticode subject '{1}'.",
+                                path,
+                                subject);
+                        }
+                    }
+                    catch (Exception ex)
+                    {
+                        if (ex is CryptographicException)
+                        {
+                            // The file is not signed, proceed as normal.
+                            continue;
+                        }
+
+                        throw;
+                    }
+                }
+            }
+            else
+            {
+                Log.LogMessage("No Authenticode subjects to skip were provided.");
+            }
+
             return filePathToDuplicates;
         }
 
diff --git a/build/FindDuplicateFiles.targets b/build/FindDuplicateFiles.targets
@@ -7,6 +7,15 @@
       <Files ParameterType="Microsoft.Build.Framework.ITaskItem[]" Required="true" />
       <UniqueFiles ParameterType="Microsoft.Build.Framework.ITaskItem[]" Output="true" />
       <DuplicateFiles ParameterType="Microsoft.Build.Framework.ITaskItem[]" Output="true" />
+
+      <!--
+      MicroBuild test signing fails signing a file that is already signed with the target strong name key.
+      Because of this, when doing test signing we skip files that are already fully signed.
+      We use the Authenticode subject to identify files that are signed with the real Microsoft key, since those will also have a complete strong name.
+      Ideally we would have an option to filter out fully signed files directly, but this is not as simple (requires sn.exe to check).
+      This is obviously not a full proof check, but it's sufficient for test signing (non-production scenarios).
+      -->
+      <SkipAuthenticodeSubjects ParameterType="System.String" />
     </ParameterGroup>
     <Task>
       <Code Type="Class" Language="cs" Source="$(MSBuildThisFileDirectory)FindDuplicateFiles.cs" />
diff --git a/build/sign-binaries.proj b/build/sign-binaries.proj
@@ -7,6 +7,7 @@
     <IntermediateOutputPath>$(RepositoryRootDirectory)artifacts\sign\obj\</IntermediateOutputPath>
     <OutDir>$(RepositoryRootDirectory)</OutDir>
     <SignTargetsDependOn>BatchSign</SignTargetsDependOn>
+    <SkipAuthenticodeSubjects Condition="'$(SkipAuthenticodeSubjects)' == '' and '$(SignType)' == 'test'">CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US</SkipAuthenticodeSubjects>
   </PropertyGroup>
 
   <ItemGroup>
@@ -29,7 +30,7 @@
           TaskParameter="TargetOutputs"
           ItemName="UnfilteredFilesToSign" />
     </MSBuild>
-    <FindDuplicateFiles Files="@(UnfilteredFilesToSign)">
+    <FindDuplicateFiles Files="@(UnfilteredFilesToSign)" SkipAuthenticodeSubjects="$(SkipAuthenticodeSubjects)">
       <Output
         TaskParameter="UniqueFiles"
         ItemName="FilesToSign" />
@@ -51,4 +52,4 @@
 
   <Import Project="FindDuplicateFiles.targets" />
   <Import Project="..\packages\MicroBuild.Core\build\MicroBuild.Core.targets" Condition="Exists('..\packages\MicroBuild.Core\build\MicroBuild.Core.targets')" />
-</Project>
+</Project>
diff --git a/build/sign.microbuild.targets b/build/sign.microbuild.targets
@@ -8,6 +8,7 @@
     <MicroBuild_NuPkgSigningEnabled>false</MicroBuild_NuPkgSigningEnabled>
     <BatchSign Condition="'$(BatchSign)' == ''">true</BatchSign>
     <RepositoryRootDirectory Condition="'$(RepositoryRootDirectory)' == ''">$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), 'build.ps1'))\</RepositoryRootDirectory>
+    <SkipAuthenticodeSubjects Condition="'$(SkipAuthenticodeSubjects)' == '' and '$(SignType)' == 'test'">CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US</SkipAuthenticodeSubjects>
 
     <!--
     By default, only run EnumerateFilesToSign if we are not batch signing. This property is explicitly set to true when
@@ -145,7 +146,7 @@
   <Target
     Name="DedupeFilesToSign"
     DependsOnTargets="EnumerateFilesToSign">
-    <FindDuplicateFiles Files="@(UnfilteredFilesToSign)">
+    <FindDuplicateFiles Files="@(UnfilteredFilesToSign)" SkipAuthenticodeSubjects="$(SkipAuthenticodeSubjects)">
       <Output
         TaskParameter="UniqueFiles"
         ItemName="FilesToSign" />
@@ -155,7 +156,7 @@
     </FindDuplicateFiles>
     <Message Text="Count of files to sign: @(FilesToSign->Count())" Importance="High" />
     <Message Text="Files to sign:%0A@(FilesToSign, '%0A')" Importance="High" />
-  </Target>  
+  </Target>
 
   <Target Name="CopySignedFiles"
     AfterTargets="SignFiles"
diff --git a/tests/NuGet.Jobs.GitHubIndexer.Tests/GitHubSearchWrapperFacts.cs b/tests/NuGet.Jobs.GitHubIndexer.Tests/GitHubSearchWrapperFacts.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -90,7 +90,6 @@ public async Task CancelsTheRequestAtTwiceTheTimeout()
                 var ex = await Assert.ThrowsAsync<OperationCanceledException>(() => searcher.GetResponse(new SearchRepositoriesRequest { }));
                 sw.Stop();
                 Assert.Equal("The operation was forcibly canceled.", ex.Message);
-                Assert.True(sw.Elapsed >= TimeSpan.FromMilliseconds(200));
             }
 
             [Fact]
