From ea94ed02e4597b6a1f841f31e8e48eba12640277 Mon Sep 17 00:00:00 2001
From: Rob Mensching <rob@firegiant.com>
Date: Sun, 28 Jan 2024 13:29:06 -0800
Subject: [PATCH] Modernize signing infrastructure

---
 tools/Dotnet.targets           | 60 ----------------------------------
 tools/WixBuild.Signing.targets | 40 +++++++++++------------
 tools/WixBuild.Tools.targets   |  8 ++---
 tools/WixBuild.props           |  1 -
 4 files changed, 24 insertions(+), 85 deletions(-)
 delete mode 100644 tools/Dotnet.targets

diff --git a/tools/Dotnet.targets b/tools/Dotnet.targets
deleted file mode 100644
index aa378082d..000000000
--- a/tools/Dotnet.targets
+++ /dev/null
@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
-
-
-<Project InitialTargets="DotnetToolRestore" 
-  xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
-  <PropertyGroup>
-    <WixRoot Condition=" '$(WixRoot)'=='' ">$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\))</WixRoot>
-    <DotnetToolsFolder>$(WixRoot)packages\tools\</DotnetToolsFolder>
-    <DotnetExe>$(ProgramW6432)\dotnet\dotnet.exe</DotnetExe>
-    <DotnetExe Condition="!Exists('$(DotnetExe)')">$(MSBuildProgramFiles32)\dotnet\dotnet.exe</DotnetExe>
-  </PropertyGroup>
-
-  <PropertyGroup>
-    <SignClientPath>$(DotnetToolsFolder)SignClient.exe</SignClientPath>
-  </PropertyGroup>
-
-  <!--
-  ================================================================================================
-  DotnetToolRestore
-
-    Restores the required packages to build using nuget.exe.
-  ================================================================================================
-  -->
-  <ItemGroup>
-    <RestoreDotnetToolsPackage Include="SignClient" Condition="'$(PleaseSignOutput)'!=''">
-      <Version>1.1.7</Version>
-    </RestoreDotnetToolsPackage>
-  </ItemGroup>
-  <Target Name="DotnetToolRestore" DependsOnTargets="_FindDotnetExe;_FindMissingDotnetToolPackages">
-    <Exec Command="&quot;$(DotnetExe)&quot; tool install %(Identity) --version %(Version) --tool-path &quot;$(DotnetToolsFolder)\&quot;" Condition="Exists('$(DotnetExe)') and '@(_MissingDotnetToolPackage)'!=''" WorkingDirectory="$(MSBuildThisFileDirectory)" />
-  </Target>
-
-  <Target Name="_FindMissingDotnetToolPackages">
-    <CreateItem Include="@(RestoreDotnetToolsPackage)" Condition="!Exists('$(DotnetToolsFolder).store\%(Identity)\%(Version)\%(Identity)\%(Version)\%(Identity).%(Version).nupkg')" PreserveExistingMetadata="true">
-      <Output TaskParameter="Include" ItemName="_MissingDotnetToolPackage"/>
-    </CreateItem>
-  </Target>
-
-  <!-- Find dotnet.exe in the PATH if it is not in the default location. -->
-  <Target Name="_FindDotnetExe" Condition="!Exists('$(DotnetExe)')">
-    <CreateItem Include="$(PATH)">
-      <Output TaskParameter="Include" ItemName="_FindDotnetExePaths" />
-    </CreateItem>
-    <CombinePath BasePath="%(_FindDotnetExePaths.Identity)" Paths="dotnet.exe">
-      <Output TaskParameter="CombinedPaths" ItemName="_FindDotnetExeCombinedPaths" />
-    </CombinePath>
-    <CreateItem Include="@(_FindDotnetExeCombinedPaths->Reverse())">
-      <Output TaskParameter="Include" ItemName="_FindDotnetExeCombinedPathsReversed" />
-    </CreateItem>
-    <CreateItem Include="@(_FindDotnetExeCombinedPathsReversed)">
-      <Output TaskParameter="Include" PropertyName="DotnetExe" Condition="Exists('%(_FindDotnetExeCombinedPathsReversed.Identity)')" />
-    </CreateItem>
-  </Target>
-
-  <!-- Sentinel value that indicates Dotnet.targets has been initialized. -->
-  <PropertyGroup>
-    <WixBuildDotnetToolPropertiesDefined>true</WixBuildDotnetToolPropertiesDefined>
-  </PropertyGroup>
-</Project>
diff --git a/tools/WixBuild.Signing.targets b/tools/WixBuild.Signing.targets
index e008147e0..ff79b54b3 100644
--- a/tools/WixBuild.Signing.targets
+++ b/tools/WixBuild.Signing.targets
@@ -2,15 +2,12 @@
 <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
 
 
-<Project InitialTargets="DotnetToolRestore" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
-  <!-- Ensure that the SignClient is initialized. -->
-  <Import Project="Dotnet.targets" Condition="'$(WixBuildDotnetToolPropertiesDefined)'!='true'" />
-
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
   <PropertyGroup>
-    <_SigningAppSettingsPath>$(MSBuildThisFileDirectory)appsettings.json</_SigningAppSettingsPath>
-    <_SigningFilterNonePath>$(MSBuildThisFileDirectory)signing-filter.none.txt</_SigningFilterNonePath>
-    <_SigningName>WiX Toolset</_SigningName>
-    <_SigningUrl>http://wixtoolset.org</_SigningUrl>
+    <SigningToolExe>$(WIX_ROOT).tools\sign.exe</SigningToolExe>
+    <SigningCommand>code azure-key-vault</SigningCommand>
+    <SigningFilelist>$(MSBuildThisFileDirectory)signing-filter.none.txt</SigningFilelist>
+    <SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-url $(SigningKeyVaultUri) --azure-key-vault-tenant-id $(SigningTenantId) --azure-key-vault-client-id $(SigningClientId) --azure-key-vault-client-secret $(SigningClientSecret) --azure-key-vault-certificate $(SigningCertName)</SigningConfiguration>
   </PropertyGroup>
 
   <ItemGroup>
@@ -19,7 +16,10 @@
   </ItemGroup>
 
   <Target Name="SignFiles" AfterTargets="AfterBuild" Condition="'$(SignOutput)'=='true'">
-    <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(FilesToSign.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" />
+    <Message Importance="high" Text="Signing file: %(FilesToSign.FullPath)" />
+
+    <Exec Command='"$(SigningToolExe)" $(SigningCommand) $(SigningConfiguration) "%(FilesToSign.FullPath)"'
+          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
   <!--
@@ -30,24 +30,24 @@
 
   ================================================================================================
   -->
-  <Target Name="SignCabs">
-    <!-- <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(SignCabs.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" /> -->
-  </Target>
+  <Target Name="SignCabs" />
 
-  <Target Name="SignMsi">
-    <!-- <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(SignMsi.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" /> -->
-  </Target>
+  <Target Name="SignMsi" />
 
-  <Target Name="SignContainers">
-    <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(SignContainers.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" />
-  </Target>
+  <Target Name="SignContainers" />
 
   <Target Name="SignBundleEngine">
-    <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(SignBundleEngine.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" />
+    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />
+
+    <Exec Command='"$(SigningToolExe)" $(SigningCommand) $(SigningConfiguration) "@(SignBundleEngine->&apos;%(Identity)&apos;)"'
+          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
   <Target Name="SignBundle">
-    <Exec Command="&quot;$(SignClientPath)&quot; sign -c &quot;$(_SigningAppSettingsPath)&quot; -i &quot;%(SignBundle.FullPath)&quot; -f &quot;$(_SigningFilterNonePath)&quot; -s &quot;$(SignClientSecret)&quot; -r &quot;$(SignClientUser)&quot; -n &quot;$(_SigningName)&quot; -d &quot;$(_SigningName)&quot; -u &quot;$(_SigningUrl)&quot;" />
+    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />
+
+    <Exec Command='"$(SigningToolExe)" $(SigningCommand) $(SigningConfiguration) "@(SignBundle->&apos;%(Identity)&apos;)"'
+          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
   <!-- Sentinel value that indicates WixBuid.Signing.targets has been initialized. -->
diff --git a/tools/WixBuild.Tools.targets b/tools/WixBuild.Tools.targets
index 99ae4b800..1c71325f0 100644
--- a/tools/WixBuild.Tools.targets
+++ b/tools/WixBuild.Tools.targets
@@ -125,13 +125,13 @@
 
     <Error
       Code="WIXBUILD014"
-      Condition=" '$(PleaseSignOutput)'!='' and !Exists('$(SignClientPath)') "
-      Text="Cannot locate SignClient. Ensure SignClient is present at &quot;$(SignClientPath)&quot;. If not, run the following command from the root of the project: msbuild -t:DotnetToolRestore" />
+      Condition=" '$(PleaseSignOutput)'!='' and !Exists('$(SigningToolExe)') "
+      Text="Cannot locate SigningTool. Ensure SigningTool is present at &quot;$(SigningToolExe)&quot;." />
 
     <Error
       Code="WIXBUILD015"
-      Condition=" '$(PleaseSignOutput)'!='' and ('$(SignClientUser)'=='' or '$(SignClientSecret)'=='') "
-      Text="Signing is requested but one or both required properites SignClientUser and SignClientSecret were not specified on the command line or as environment variables." />
+      Condition=" '$(PleaseSignOutput)'!='' and ('$(SigningKeyVaultUri)'=='' or '$(SigningCertName)'=='') "
+      Text="Signing is requested but one or both required properites SigningKeyVaultUri and SigningCertName were not specified on the command line or as environment variables." />
 
     <Error
       Code="WIXBUILD016"
diff --git a/tools/WixBuild.props b/tools/WixBuild.props
index 06e402189..fb811e6f6 100644
--- a/tools/WixBuild.props
+++ b/tools/WixBuild.props
@@ -30,7 +30,6 @@
   </PropertyGroup>
 
   <Import Project="Nuget.targets" />
-  <Import Project="Dotnet.targets" />
 
   <!-- Converts the VS-standard Debug and Release to the wix-standard debug and ship -->
   <PropertyGroup Condition=" '$(Configuration)' == 'Debug' or '$(Configuration)' == '' or '$(WixFlavor)' == 'debug' ">