
Add 3rd-party signing entries for Sigstore, Tuf, and NSec.Cryptography#14915

Merged
radical merged 1 commit into release/13.2 from fix/sign004-sigstore-tuf-nsec
Mar 3, 2026

Conversation

@radical
Member

@radical radical commented Mar 3, 2026

Fix SIGN004 build failures in dotnet-aspire internal pipeline

The dotnet-aspire internal build is failing with SIGN004 errors:

error SIGN004: Signing 3rd party library 'NSec.Cryptography.dll' with Microsoft certificate 'Microsoft400'.
error SIGN004: Signing 3rd party library 'Sigstore.dll' with Microsoft certificate 'Microsoft400'.
error SIGN004: Signing 3rd party library 'Tuf.dll' with Microsoft certificate 'Microsoft400'.

These 3rd-party DLLs were introduced in #14569 when Sigstore and Tuf NuGet packages were added to Aspire.Cli, but the corresponding FileSignInfo entries in eng/Signing.props were not added. The Arcade SDK's signing validation correctly flags them as 3rd-party libraries (based on copyright metadata) being signed with the wrong certificate.

Changes

Add FileSignInfo entries with CertificateName="3PartySHA2" for:

  • NSec.Cryptography.dll — transitive dependency of Sigstore (© Klaus Hartke)
  • Sigstore.dll — direct dependency
  • Tuf.dll — direct dependency

cc @mitchdenny

The Sigstore and Tuf NuGet packages (and their transitive dependency
NSec.Cryptography) were added to Aspire.Cli in #14569 but the
corresponding FileSignInfo entries in eng/Signing.props were not added.
This causes SIGN004 errors in the internal build because the Arcade SDK
detects 3rd-party DLLs being signed with the Microsoft certificate.

Add FileSignInfo entries with CertificateName="3PartySHA2" for:
- NSec.Cryptography.dll (transitive dep, © Klaus Hartke)
- Sigstore.dll (direct dep)
- Tuf.dll (direct dep)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
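A local pre-check for the failure described above, written for this page as an added example (not Arcade's validation code and not part of the Aspire repo). It assumes the rule the PR states, that an assembly whose copyright metadata does not name Microsoft is 3rd-party, and that a DLL with no FileSignInfo entry defaults to the Microsoft400 certificate; the Signing.props snippet and assembly metadata are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not Arcade's code: approximates the SIGN004 rule the PR
# describes. A DLL whose copyright does not name Microsoft is 3rd-party and
# needs a FileSignInfo entry with CertificateName="3PartySHA2"; otherwise
# it would be signed with the Microsoft certificate and fail validation.
MICROSOFT_CERT = "Microsoft400"  # assumed default for unlisted files
THIRD_PARTY_CERT = "3PartySHA2"

# Constructed eng/Signing.props sample: only NSec.Cryptography.dll is
# mapped, so Sigstore.dll and Tuf.dll are still expected to be reported.
SIGNING_PROPS = """<Project>
  <ItemGroup>
    <FileSignInfo Include="NSec.Cryptography.dll" CertificateName="3PartySHA2" />
  </ItemGroup>
</Project>"""

# Constructed assembly metadata as (file name, copyright string).
ASSEMBLIES = [
    ("Aspire.Cli.dll", "(c) Microsoft Corporation. All rights reserved."),
    ("NSec.Cryptography.dll", "(c) Klaus Hartke"),
    ("Sigstore.dll", "(c) The Sigstore Authors"),
    ("Tuf.dll", "(c) The Tuf Authors"),
]


def load_file_sign_info(props_xml):
    """Map each FileSignInfo Include to its CertificateName."""
    root = ET.fromstring(props_xml)
    return {el.get("Include"): el.get("CertificateName", "")
            for el in root.iter("FileSignInfo") if el.get("Include")}


def is_third_party(copyright_text):
    """Copyright-based heuristic: 3rd-party unless Microsoft is named."""
    return "microsoft" not in copyright_text.lower()


def find_sign004(assemblies, props_xml):
    """SIGN004-style messages for 3rd-party DLLs lacking a 3PartySHA2 entry."""
    overrides = load_file_sign_info(props_xml)
    errors = []
    for name, copyright_text in assemblies:
        cert = overrides.get(name, MICROSOFT_CERT)
        if is_third_party(copyright_text) and cert != THIRD_PARTY_CERT:
            errors.append(f"error SIGN004: Signing 3rd party library "
                          f"'{name}' with Microsoft certificate '{cert}'.")
    return errors


if __name__ == "__main__":
    print("\n".join(find_sign004(ASSEMBLIES, SIGNING_PROPS)))
```

Running it against the real eng/Signing.props and the copyright field of each DLL in the output directory would surface the missing entries before the internal signing pipeline does.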
Copilot AI review requested due to automatic review settings March 3, 2026 21:46
@github-actions
Contributor

github-actions bot commented Mar 3, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14915

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14915"

@radical radical added the area-engineering-systems infrastructure helix infra engineering repo stuff label Mar 3, 2026
Contributor

Copilot AI left a comment

Pull request overview

Updates Arcade signing configuration to address SIGN004 failures in the internal build by explicitly marking newly introduced 3rd-party assemblies for 3rd-party certificate signing.

Changes:

  • Adds FileSignInfo entries for NSec.Cryptography.dll, Sigstore.dll, and Tuf.dll.
  • Configures these assemblies to use CertificateName="3PartySHA2" to satisfy Arcade 3rd-party signing validation.

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

🎬 CLI E2E Test Recordings

The following terminal recordings are available for commit 8f8655f:

📹 Recordings uploaded automatically from CI run #22644212359

@radical radical added the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Mar 3, 2026
@radical radical removed the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Mar 3, 2026
@radical radical enabled auto-merge (squash) March 3, 2026 23:45
@radical radical merged commit 17a622b into release/13.2 Mar 3, 2026
762 of 766 checks passed
@radical radical deleted the fix/sign004-sigstore-tuf-nsec branch March 3, 2026 23:49
@dotnet-policy-service dotnet-policy-service bot added this to the 13.2 milestone Mar 3, 2026
Copilot AI pushed a commit that referenced this pull request Mar 10, 2026