How to do strong name signing and digital signature signing in the Team Build environment  
dto





Posted: Team Foundation Server - Build Automation, How to do strong name signing and digital signature signing in the Team Build environment

We are using Team System Beta3 Refresh at the moment... looking to move to RTM in the near future...

If there are some 'real world' examples on how to implement strongname and digital certificate signing properly, so that it is supported in a Development (building in the VS IDE) AND Build environment (Team Builds), please let me know (if there are examples, you can stop reading here ;)).
I would be interested in knowing:
- which level of the build scripts/solutions are used to reference these certs (project.sln, AssemblyInfo.cs, TFSBuild.proj, etc..)
- how do you control the timing of the signing at compile time (for example, it would be ideal to allow ALL release/debug/unittesting to complete before signing the targets)
- at least in the case of strongname signing (which is done before digital code authentication anyway), how can the process be made to be identical for developers AND the Team Build environment (one solution for both environments)
- where the certificates should be stored (I personally do _not_ check them into source, but would appreciate other views on this)
-------

Current line of thought, which works with some degree of success:
<ItemGroup>
<Binaries Include="*.dll;*.exe"/>
</ItemGroup>
<Target Name="AfterCompile" >
<!-- sign binaries -->
<Exec Command="&quot;C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\sn.exe&quot; -q -R d:\build\dev\ourproject\dev_ondemand\binaries\release\our.commonresources.dll z:\sign\mykey.snk"/>
</Target>

NOTE: this is obviously a static reference to a single binary and we're looking for a 'dynamic solution' of course.


We were thinking of using Binaries.Identity in the Team Build system, but the path references seem 'messed up' as nothing is returned (no target binaries are listed)... *I'll continue to test with this line of thought*:

<ItemGroup>
<Binaries Include="*.dll;*.exe"/>
</ItemGroup>
<Target Name="AfterCompile" >
<!-- sign binaries -->
<Exec Command="&quot;C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\sn.exe&quot; -q -R %(Binaries.Identity) z:\sign\mykey.snk"/>
</Target>

NOTE: in this scenario, the build is also halted immediately after the release compile completes and the build fails (i.e. Debug compiles are never executed)

Additional Questions:
1) I believe there are issues with the output directory structure differences between a developer running a build on his/her machine versus an automated build type running the same solutions (for test purposes, we'd like strongname signing to work in both environments)... is there a 'standardized' method of addressing this?

2) Should we be implementing strongname binary signing in the build script... or should this be done from the solution files?

3) Should we be implementing digital certificate binary signing in the build script... or should this be done in some other manner? Keeping in mind that this has to be scripted and executed in the automated system.


Thanks a lot
dto



 
 
Gautam Goenka






Refer to my blog: http://blogs.msdn.com/gautamg/archive/2006/04/19/578915.aspx

Though the title says "Building .NET 1.1...", the blog is essentially about how to pass a custom property to each solution/project file while building using Team Build.

Change the AdditionalPropertiesForBuildTarget to the following and it should do the trick for you.

<AdditionalPropertiesForBuildTarget>

SignAssembly=true;AssemblyOriginatorKeyFile=Z:\sign\mykey.snk

</AdditionalPropertiesForBuildTarget>

Thanks,

Gautam


 
 
dto






Thanks Gautam,

I haven't implemented your proposed solution yet, and I'll most likely 'hold off' on doing so until I get the RTM solution in place (VSTFS bits).

As a side note, I did get a hackish solution in place (see below). However, I have to recreate the sections for Release/Debug and any subdirectories generated for binary output (i.e. language dirs) :(

<ItemGroup>
<!-- STRONG NAME AND DIGITALLY SIGN **RELEASE** BINARIES
This section _explicitly_ references the output directory structure
used by the Dev_Compile workspace during automated builds
-->
<Binaries Include="D:\Build\Dev\<project>\Dev_Compile\Binaries\Release\*.dll;D:\Build\Dev\<project>\Dev_Compile\Binaries\Release\*.exe"/>
</ItemGroup>
<Target Name="AfterCompile" >
<!-- Strong Name sign binaries -->
<Exec Command="&quot;C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\sn.exe&quot; -q -R %(Binaries.Identity) z:\sign\our.snk"/>
</Target>
<ItemGroup>
<Binaries Include="D:\Build\Dev\<project>\Dev_Compile\Binaries\Release\*.dll;D:\Build\Dev\<project>\Dev_Compile\Binaries\Release\*.exe"/>
</ItemGroup>
<Target Name="AfterCompile" >
<!-- Digitally sign binaries -->
<Exec Command="&quot;C:\Program Files\Microsoft Platform SDK\Bin\signtool.exe&quot; sign -f z:\sign\our.pfx -p <ourpassword> -t http://timestamp.verisign.com/scripts/timstamp.dll %(Binaries.Identity)"/>
</Target>

This currently works... but I'll test your solution as soon as I can as well.

thanks again

dto
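
An added example, not part of the thread or of Team Build itself: one `AfterCompile` target that builds the list of binaries with `CreateItem` when the target runs, so the wildcards are expanded after compilation rather than when the project file is loaded (which is when a top-level `ItemGroup` is expanded), then strong-name re-signs, Authenticode-signs and verifies each file. Assumptions: the file name `SignBinaries.targets`, the property and item names, `$(BinariesRoot)` as the Team Build output root, and a signing certificate installed in the build account's certificate store (selected with `/n` and a placeholder subject) in place of the PFX file and password from the post.

```xml
<!-- SignBinaries.targets (hypothetical name): import it at the end of TFSBuild.proj
     so this AfterCompile definition is the last one MSBuild sees. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <!-- Tool, key and timestamp locations as posted in the thread -->
    <SnExe>C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\sn.exe</SnExe>
    <SignToolExe>C:\Program Files\Microsoft Platform SDK\Bin\signtool.exe</SignToolExe>
    <StrongNameKey>z:\sign\our.snk</StrongNameKey>
    <TimestampUrl>http://timestamp.verisign.com/scripts/timstamp.dll</TimestampUrl>
    <!-- Assumption: placeholder subject of a certificate in the build account's store.
         Exec echoes its command line to the build log, so no password is passed. -->
    <CertSubject>PLACEHOLDER Code Signing Subject</CertSubject>
    <!-- Assumption: BinariesRoot is the Team Build output root; override with /p:SignRoot=... -->
    <SignRoot Condition="'$(SignRoot)' == ''">$(BinariesRoot)</SignRoot>
  </PropertyGroup>

  <Target Name="AfterCompile">
    <!-- Expand the wildcards now, after the compile has produced the files.
         The ** segment covers Release, Debug and language subdirectories. -->
    <CreateItem Include="$(SignRoot)\**\*.dll;$(SignRoot)\**\*.exe">
      <Output TaskParameter="Include" ItemName="BinariesToSign" />
    </CreateItem>

    <!-- Fail the build instead of silently shipping unsigned output -->
    <Error Condition="'@(BinariesToSign)' == ''"
           Text="No binaries found under $(SignRoot); nothing was signed." />

    <!-- Each Exec is batched: it runs once per file. Strong name first, -->
    <Exec Command="&quot;$(SnExe)&quot; -q -R &quot;%(BinariesToSign.FullPath)&quot; &quot;$(StrongNameKey)&quot;" />
    <!-- then the Authenticode signature and timestamp, -->
    <Exec Command="&quot;$(SignToolExe)&quot; sign /n &quot;$(CertSubject)&quot; /t $(TimestampUrl) &quot;%(BinariesToSign.FullPath)&quot;" />
    <!-- then verify both signatures so a bad key or certificate breaks the build. -->
    <Exec Command="&quot;$(SnExe)&quot; -q -vf &quot;%(BinariesToSign.FullPath)&quot;" />
    <Exec Command="&quot;$(SignToolExe)&quot; verify /pa &quot;%(BinariesToSign.FullPath)&quot;" />
  </Target>
</Project>
```

Because MSBuild keeps only the last definition of a target with a given name, both signing steps sit in a single `AfterCompile` here. Third-party assemblies copied into the output folder that were never strong-named will make `sn -R` fail, so filter them with the `Exclude` parameter of `CreateItem` if they are present.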


 
 
Gautam Goenka






I added another blog around this http://blogs.msdn.com/gautamg/archive/2006/04/20/579801.aspx

Thanks.


 
 
msbuilddude






Was the AdditionalPropertiesForBuildTarget property included in the final bits or was this removed during Beta?
I can't find this property in any targets file.

I need to do something very similar. I'm trying the following in the TFSBuild.proj file but it doesn't seem to be overriding the CustomAfterMicrosoftCommonTargets property for each project:
<PropertyGroup>
<AdditionalPropertiesForBuildTarget>CustomAfterMicrosoftCommonTargets=$(MSBuildExtensionsPath)\MyCustom.targets</AdditionalPropertiesForBuildTarget>
</PropertyGroup>

What am I missing?

Thanks for any help...


 
 
Aaron Hallberg






This functionality was never in the shipping version of Team Build. If you check out the older post (http://blogs.msdn.com/gautamg/archive/2006/04/19/578915.aspx), a download is provided that includes a new targets file that overrides the CoreCompile target in Microsoft.TeamFoundation.Build.targets and adds this functionality.

-Aaron