SignTool Refactoring into SignTool+Microsoft.DotNet.RecursiveSigning

Open mmitche opened this issue 1 month ago • 0 comments

There have been asks by other teams outside of .NET to enable the type of recursive signing that we do in non-Arcade scenarios. This might include 'native' AzDO tasks that are used by teams for signing, OneBranch, etc. Exporting SignTool stock is not an option. The tool is far too .NET centric and also not well tested enough to have anyone iterating on it. It needs a major refactor before it will be usable by other teams.

The goal of this epic is to extract the core of the recursive signing algorithm into a new library that will be usable by non-.NET teams. This library could be integrated into 1ES, OneBranch, or ESRP tooling. The library needs to have the following characteristics:

  • [ ] Supports .NET Core (need not support .NET Framework).
  • [ ] Contains core recursive signing algorithm, with abstractions for:
    • Signing service integrations (or mock services)
    • Certificate calculations
    • Archive handling
  • [ ] Uses modern patterns for testability, with a solid base of tests
  • [ ] Contains default implementations for cert calculation as well as an initial set of archive handling.
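As an added illustration of the decomposition this list describes (example code written for this page, not Arcade's SignTool and not the proposed library), the sketch below wires the three abstraction points (signing service, certificate calculation, archive handling) into a depth-first recursive signer and drives it with in-memory mocks. The interface names ISigningService, ICertificateCalculator and IArchiveHandler, the mock classes, and the sample file layout are all hypothetical, and the code assumes .NET 6 or later.

```csharp
// Added illustration (not Arcade's SignTool code): a minimal recursive signing core
// with the three abstraction points the epic lists. All names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

// A file to be signed. Containers carry their inner entries; leaf files have none.
public sealed class SignableFile
{
    public string Path { get; }
    public List<SignableFile> Entries { get; }
    public SignableFile(string path, params SignableFile[] entries)
    {
        Path = path;
        Entries = entries.ToList();
    }
}

// Abstraction 1: the signing service (a real service or a mock for tests).
public interface ISigningService { void Sign(string path, string certificate); }

// Abstraction 2: which certificate (if any) a given file should get.
public interface ICertificateCalculator { string? CertificateFor(string path); }

// Abstraction 3: archive handling (detect containers, unpack, repack).
public interface IArchiveHandler
{
    bool IsArchive(SignableFile file);
    IEnumerable<SignableFile> Unpack(SignableFile archive);
    void Repack(SignableFile archive);
}

public sealed class RecursiveSigner
{
    private readonly ISigningService _service;
    private readonly ICertificateCalculator _certs;
    private readonly IArchiveHandler _archives;
    private readonly HashSet<string> _done = new(StringComparer.OrdinalIgnoreCase);

    public RecursiveSigner(ISigningService service, ICertificateCalculator certs, IArchiveHandler archives)
    {
        _service = service;
        _certs = certs;
        _archives = archives;
    }

    // Depth-first: sign everything inside a container before the container itself,
    // so the outer signature covers already-signed contents. Each path is signed once.
    public void Sign(SignableFile file)
    {
        if (!_done.Add(file.Path)) return;
        if (_archives.IsArchive(file))
        {
            foreach (var inner in _archives.Unpack(file)) Sign(inner);
            _archives.Repack(file);
        }
        var cert = _certs.CertificateFor(file.Path);
        if (cert is not null) _service.Sign(file.Path, cert);
    }
}

// Mock implementations for an offline run; a real integration would replace these.
public sealed class RecordingSigningService : ISigningService
{
    public List<string> Calls { get; } = new();
    public void Sign(string path, string certificate) => Calls.Add($"{path} -> {certificate}");
}

public sealed class ExtensionCertificateCalculator : ICertificateCalculator
{
    // Hypothetical default rule: choose the certificate by file extension.
    public string? CertificateFor(string path) => System.IO.Path.GetExtension(path).ToLowerInvariant() switch
    {
        ".dll" or ".exe" => "AuthenticodeCert",
        ".nupkg" => "NuGetCert",
        _ => null, // plain .zip and unknown types are containers only; nothing to sign
    };
}

public sealed class InMemoryArchiveHandler : IArchiveHandler
{
    public bool IsArchive(SignableFile file) => file.Entries.Count > 0;
    public IEnumerable<SignableFile> Unpack(SignableFile archive) => archive.Entries;
    public void Repack(SignableFile archive) { /* in-memory tree: nothing to write back */ }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample layout: a zip holding a nupkg (which holds a dll) and an exe.
        var tree = new SignableFile("drop.zip",
            new SignableFile("pkg.nupkg", new SignableFile("lib/net8.0/Tool.dll")),
            new SignableFile("Tool.exe"));
        var service = new RecordingSigningService();
        new RecursiveSigner(service, new ExtensionCertificateCalculator(), new InMemoryArchiveHandler()).Sign(tree);
        foreach (var call in service.Calls) Console.WriteLine(call);
    }
}
```

The point of the split is that RecursiveSigner contains only the traversal and the sign-once bookkeeping; everything .NET-specific (the real service client, the cert policy, the concrete archive formats) lives behind the three interfaces, which is also what makes the core unit-testable with mocks like the ones above.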

.NET's SignTool would then be refactored to use this library. It would become a relatively small shell with the following:

  • MSBuild task implementation
  • MicroBuild integration.
  • Implementations for archive types that are not part of the initial library set.
  • (If required) .NET specific cert calculation. Ideally, however, .NET's current cert calculation is generic enough to be the default implementation.

mmitche, Dec 08 '25 20:12