Disallowed cloaked PFX binaries in external packages

[ellahathaway]

Related to dotnet/source-build#5480

[Copilot]

Pull request overview

This PR updates the source-build binary allowlist to stop permitting certain PFX (certificate) binaries that are present in external package sources, aligning with the goal of disallowing “cloaked” PFX binaries during source-build prep.

Changes:

• Removed the allowlist entry for Humanizer test PFX files under src/source-build-reference-packages.
• Removed the allowlist entry for Azure IdentityModel test certificate PFX files under src/source-build-reference-packages.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[NikolaMilosavljevic]

Should these PFX binaries be cloaked again? Was this file the reason why cloaking didn't work after #4609

cc @premun

[ellahathaway]

Merging this PR is contingent on the binaries being cloaked from the VMR. Otherwise, the VMR tests fail continue to fail with new detected binaries:

2026-02-11T23:15:23.8427932Z   Failed Microsoft.DotNet.Tests.BinaryScanTest.ScanForBinaries [8 ms]
2026-02-11T23:15:23.8430452Z   Error Message:
2026-02-11T23:15:23.8431411Z    The following binaries were detected:
2026-02-11T23:15:23.8432191Z src/source-build-reference-packages/src/externalPackages/src/humanizer/src/Humanizer.Tests.Uwp/Humanizer.Tests.Uwp_TemporaryKey.pfx
2026-02-11T23:15:23.8448559Z src/source-build-reference-packages/src/externalPackages/src/humanizer/src/Humanizer.Tests.Uwp.Runner/Humanizer.Tests.Uwp.Runner_TemporaryKey.pfx
2026-02-11T23:15:23.8449577Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned1024_SHA1.pfx
2026-02-11T23:15:23.8450472Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned1024_SHA256.pfx
2026-02-11T23:15:23.8451394Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned2048_SHA384.pfx
2026-02-11T23:15:23.8452333Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned2048_SHA256.pfx
2026-02-11T23:15:23.8453270Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned2048_SHA256_2.pfx
2026-02-11T23:15:23.8454208Z src/source-build-reference-packages/src/externalPackages/src/azure-activedirectory-identitymodel-extensions-for-dotnet/test/Certs/SelfSigned2048_SHA512.pfx
2026-02-11T23:15:23.8454791Z 
2026-02-11T23:15:23.8455477Z See https://github.com/dotnet/dotnet/blob/main/docs/VMR-Permissible-Sources.md for information on how to resolve these failures.

[premun]

1. spectre is under src/externalPackages/src/spectre-console, your rule has src/externalPackages/spectre-console/docs/**/*
2. Cloaking packages which are already in the VMR won't remove the packages, it will only stop syncing them into the VMR. So you need to remove any already synchronized ones manually from the VMR

[NikolaMilosavljevic]

1. spectre is under src/externalPackages/src/spectre-console, your rule has src/externalPackages/spectre-console/docs/**/*
2. Cloaking packages which are already in the VMR won't remove the packages, it will only stop syncing them into the VMR. So you need to remove any already synchronized ones manually from the VMR

The PFX files were removed with https://github.com/dotnet/dotnet/pull/4609/changes and the pattern seems correct for those: src/externalPackages/**/*.pfx

Do we know why they showed up again with 4c474d7#diff-88c628c55921c35a7fcaee849f15bbb6a7cad031f421b2aeb8e40d1fb4007aef

We'll fix the Spectre pattern.

[ellahathaway]

Adding the no-merge label until we cloak the offending binaries.

[ellahathaway]

Will merge once #4914 goes in

[NikolaMilosavljevic]

@ellahathaway I've merged the dependent PR - #4914