Use the SignedFileContentKey as the key to the engine dictionary in SignTool#8002
Merged
michellemcdaniel merged 3 commits intoOct 6, 2021
Merged
Conversation
When releasing an sdk-only release (where the sdk is new, but everything else has already been released), we occasionally end up in a state where we have two engines with the same filename but are different files, so we attempt to add them to the dictionary twice. This change does two different things: 1) Use the SignedFileContentKey as the key to the engine dictionary. This will prevent duplicate adds to it. 2) Extract the engines from two different files with the same filename to two different directories by using Guids. This will prevent us from extracting them to the same place (which insignia allows, but means that when we File.Delete later, the first copy will get signed but the second copy will have nothing, and would likely fail).
mmitche
approved these changes
Oct 6, 2021
mmitche
left a comment
Member
There was a problem hiding this comment.
LGTM and thanks for the really great PR description.
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
To double check:
When performing post-build signing on a drop that has been partially released/partially signed (ie, the installer/sdk is unreleased and unsigned, but the runtime bits are already released/signed but not marked as released in BAR), we ended up in a scenario where we would have collisions in the dictionary that controlled signing the engine files. When we extract and then sign the engines, we create a dictionary of the engines. Before, we were simply using the path to the engine as the key to the dictionary. Additionally, if there were two files with the same name, we would extract their engines to the same place. This change changes both of these things, so that we can perform post-build signing on partially signed drops:
This has been tested in two post-build signing scenarios:
Fixes #7908