79717895

Date: 2025-07-28 21:29:02
Score: 2

Based upon information from https://github.com/dotnet/runtime/issues/51252 and https://github.com/dotnet/designs/blob/main/accepted/2021/before_bundle_build_hook.md, using the newly proposed PrepareForBundle target, I have added the following to my .csproj file:

<PropertyGroup>
  <!-- For all build agents thus far in Azure DevOps, that is, Windows 2019, Windows 2022, Windows 2025, this has been sufficient.
  Instead of trying to dynamically construct something based on the Windows SDK version, which constantly changes for each build
  agent, we will just use this hard coded value. Note, this is a 32-bit executable. But for our purposes, it has been fine. -->
  <SignToolPath>C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe</SignToolPath>
</PropertyGroup>

<Target Name="SignBundledFiles" BeforeTargets="GenerateSingleFileBundle" DependsOnTargets="PrepareForBundle">
  <!-- Use String.Copy as a hack to then be able to use the .Contains() method. See https://stackoverflow.com/a/23626481/8169136.
  All of the Microsoft assemblies are already signed. Exclude others as needed.
  
  This is using a self-signed code signing certificate for demonstration purposes, so this exact SignTool command won't
  work on your machine. Use your own certificate and replace the "code sign test" with your certificate's subject name. -->
  <Exec Condition="$([System.IO.Path]::GetFileName('%(FilesToBundle.Identity)').EndsWith('.dll'))
          And !$([System.String]::Copy('%(FilesToBundle.Identity)').Contains('packages\microsoft.'))
          And !$([System.String]::Copy('%(FilesToBundle.Identity)').Contains('packages\system.'))"
      Command="&quot;$(SignToolPath)&quot; sign /v /fd SHA256 /tr http://ts.ssl.com /td sha256 /n &quot;code sign test&quot; &quot;%(FilesToBundle.Identity)&quot;" />
</Target>

<Target Name="SignSelfContainedSingleFile" AfterTargets="GenerateSingleFileBundle" DependsOnTargets="SignBundledFiles">
  <!-- Finally, sign the resulting self-contained single-file executable. -->
  <Exec Command="&quot;$(SignToolPath)&quot; sign /v /fd SHA256 /n &quot;code sign test&quot; &quot;$(PublishDir)$(AppHostFile)&quot;" />
</Target>

You can read more and see the result from this blog post:

https://productioncodeonly.wordpress.com/2025/07/28/code-signing-net-self-contained-single-file-executable/

Reasons:
  • Blacklisted phrase (1): this blog
  • Blacklisted phrase (1): stackoverflow
  • Probably link only (1):
  • Long answer (-1):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: Kevin
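
A post-publish check for the signing steps in the answer above, as an added example that is not part of the original answer: it confirms each file carries an Authenticode signature from the expected certificate and, optionally, a timestamp. `Test-CodeSignature` is a hypothetical helper name and the publish path is a placeholder; `Get-AuthenticodeSignature` is the built-in PowerShell cmdlet.

```powershell
# Added example. Run on the build agent after 'dotnet publish'.
function Test-CodeSignature {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject,  # certificate CN, e.g. the value given to signtool /n
        [switch]$RequireTimestamp,                       # fail if no timestamp countersignature is present
        [switch]$AllowUntrustedRoot                      # only for a self-signed test certificate
    )
    foreach ($file in $Path) {
        $problems = @()
        $status = $null
        if (-not (Test-Path -LiteralPath $file)) {
            $problems += 'file not found'
        } else {
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            $status = $sig.Status
            if ($null -eq $sig.SignerCertificate) {
                $problems += 'not signed'
            } else {
                if ($status -eq 'HashMismatch') {
                    $problems += 'file was modified after signing'
                } elseif ($status -ne 'Valid' -and -not $AllowUntrustedRoot) {
                    $problems += "signature status is $status"
                }
                # Exact CN comparison; signtool /n itself only does a substring match.
                $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
                if ($cn -ne $ExpectedSubject) {
                    $problems += "unexpected signer '$cn'"
                }
                if ($RequireTimestamp -and $null -eq $sig.TimeStamperCertificate) {
                    $problems += 'no timestamp; signature stops validating when the certificate expires'
                }
            }
        }
        [pscustomobject]@{ File = $file; Status = $status; Problems = $problems }
    }
}

# Placeholder path (assumption): point this at $(PublishDir)$(AppHostFile) from the build.
$publishedExe = 'C:\build\publish\MyApp.exe'
$results = Test-CodeSignature -Path $publishedExe -ExpectedSubject 'code sign test' -AllowUntrustedRoot
$failed = @($results | Where-Object { $_.Problems.Count -gt 0 })
if ($failed.Count -gt 0) {
    $failed | Format-List File, Status, Problems
    throw "Signature verification failed for $($failed.Count) file(s)."
}
```

With a production certificate, drop `-AllowUntrustedRoot` so that anything other than a `Valid` status fails the build.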