Enable test signing during PR validation jobs

[dagood]

In Core-Setup, PR validation ran test signing. This ensured new changes don't break the signing infrastructure in a fundamental way. It was removed in #1016 to unblock official builds.

runtime/eng/pipelines/installer/jobs/base-job.yml

Lines 57 to 62 in 385121f

	# TODO: (Consolidation) Enable test signing during PR validation. https://github.com/dotnet/runtime/issues/1026
	#
	# CoreCLR only produces the UCRT redist file in Release config. When the redist file isn't
	# present, signing fails. For now, only sign in official builds which only run Release mode.
	- name: SignType
	value: ''

[ViktorHofer]

Why does signing depend on the UCRT redist files?

[dagood]

Someone who knows why CoreCLR needs to sign it would need to answer that. The config in question:

runtime/eng/Signing.props

Lines 53 to 56 in 516956a

	<!-- Sign api-ms-win-core-xstate-l2-1-0 binary as it is only catalog signed in the current SDK. -->
	<ItemsToSign
	Condition="'$(ConfigurationGroup)' == 'Release' and '$(TargetArchitecture)' == 'x86'"
	Include="$(CoreCLRArtifactsPath)Redist\ucrt\DLLs\$(TargetArchitecture)\api-ms-win-core-xstate-l2-1-0.dll" />

[dagood]

I'm not sure what the behavior of that DLL is in general--if it's only packed up in Release builds (so the condition just needs to work right?), if we could enable it in Debug builds, if there's some root issue that could be sorted out.... It's possible it's not hard, I didn't look into it other than filing this tracking issue since it wasn't the priority. Best first step IMO is seeing what happens.

/cc @NikolaMilosavljevic

[ViktorHofer]

Thanks, assigning to myself to look further.

[ViktorHofer]

cc @janvorli @trylek, why do we only produce that files in Release? Tomas mentioned it might already be obsolete?

[trylek]

I found a commit that seems related:

dotnet/coreclr@557c8f0

@mmitche - is there any harm in executing the CopyUcrtFiles target even in debug mode so that we can test signing in PR runs?

[trylek]

@ViktorHofer / @dagood - does there exist any private branch or PR enabling signing in debug builds so that I could give it a try in combination with the fix for CopyUcrtFiles?

[mmitche]

@mmitche - is there any harm in executing the CopyUcrtFiles target even in debug mode so that we can test signing in PR runs?

No idea.

[dagood]

does there exist any private branch

Not that I'm aware of. To get started, just changing the lines called out above will kick it off:

- name: SignType
  value: test