
Enable signing and notarization of .pkg files using SignTool #14435

Open
Tracked by #3708
mmitche opened this issue Jan 30, 2024 · 6 comments
Comments

mmitche (Member) commented Jan 30, 2024

Enable SignTool to process and submit MacOS .pkgs for signing and notarization. Because notarization can only happen on a Mac machine, this requires #14431 to be complete.

One place to start with this is looking at what we do in the staging pipelines.

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@mmitche mmitche transferred this issue from dotnet/source-build Jan 30, 2024
@mmitche mmitche moved this to Ready in .NET Unified Build Jan 30, 2024
@ellahathaway ellahathaway moved this from Ready to In Progress in .NET Unified Build Oct 29, 2024
@ellahathaway ellahathaway self-assigned this Oct 29, 2024
ellahathaway (Member) commented

Assigning myself for now since I've been working on this in parallel with #14438. The piece that I'm missing is the entitlements. I'll discuss this more when I open the draft PR since then I'll be able to point to the section of code that I think we may need to add entitlements with.

ellahathaway (Member) commented Oct 29, 2024

This is the current commit with the changes for signing. This commit sits on top of #15205 and #15206.

Some things that were unclear with this task that will need to be addressed before the changes are ready for PR:

  • What certificate should be used? I defaulted to Microsoft400 but I am unsure if this is correct.
  • Do we still need to group OSX files by certificate when signing?
    • If yes, do we still use Round{round}-OSX-Cert{certificate}.proj?
    • If no, will Round{round}.proj be the project filename? How does this work with signing non OSX files that use the same project filename?
  • How do we add entitlements to OSX files?

ellahathaway (Member) commented

T-Shirt Size: S/M

Requires reworking of the current infra for signing osx extensions given this documentation: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/19841/Additional-Requirements-for-Signing-or-Notarizing-Mac-Files?anchor=visual-studio-project-files

@ellahathaway ellahathaway assigned mmitche and unassigned ellahathaway Nov 22, 2024
mmitche (Member, Author) commented Nov 27, 2024

There are a couple interesting points here:

  • When using MacDeveloperHarden, we need to include in the signing metadata. I do not believe this is the case for other file types, but not positive.
  • The executable names that will need to be signed and notarized (e.g. dotnet or createdump) only need to be signed on Mac, not on Linux. Even if they were going to get signed on Linux, they would not get the same signature. This means that repos will need to tweak their Signing.props to select the correct sig per platform.
  • Notarization is

Our existing signing infra has us applying entitlements to dotnet, createdump, etc. I need to determine whether these entitlements have already been applied by other repos. Is it necessary to re-apply them?

mmitche (Member, Author) commented Nov 27, 2024

It does look like entitlements are already added and do not need to be re-added. Confirming
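The question raised in the two comments above, whether dotnet, createdump and similar executables already carry the entitlements the signing infra would apply, can be answered per binary by reading the entitlements that are already embedded before deciding to re-sign. The following is an added example written for this thread; it is not code from this issue, from Arcade or from SignTool. The REQUIRED_ENTITLEMENTS set, the sample plist and the use of codesign's --xml output are assumptions, not values taken from the page.

```python
"""Decide whether a Mach-O binary already carries the hardened-runtime
entitlements a signing pipeline expects (hypothetical helper, not Arcade code)."""
import plistlib
import subprocess

# Assumed set of entitlements. A real repo takes this list from its own
# entitlements.plist, which this example does not know.
REQUIRED_ENTITLEMENTS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}

# Constructed sample of the XML that `codesign -d --entitlements - --xml <file>`
# prints for a binary that has most, but not all, of the entitlements above.
SAMPLE_ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>
"""


def granted_entitlements(plist_bytes: bytes) -> set:
    """Return the entitlement keys whose value is boolean true.

    A key present with <false/> is not granted and is excluded. An empty
    payload (unsigned binary, or signed without entitlements) yields an
    empty set rather than raising.
    """
    if not plist_bytes.strip():
        return set()
    data = plistlib.loads(plist_bytes)
    return {key for key, value in data.items() if value is True}


def missing_entitlements(plist_bytes: bytes, required=REQUIRED_ENTITLEMENTS) -> set:
    """Entitlements that are required but not granted by the binary."""
    return set(required) - granted_entitlements(plist_bytes)


def needs_reapply(plist_bytes: bytes, required=REQUIRED_ENTITLEMENTS) -> bool:
    """True when at least one required entitlement is absent or set to false."""
    return bool(missing_entitlements(plist_bytes, required))


def entitlements_from_binary(path: str) -> bytes:
    """Run codesign on macOS and return the raw entitlements plist.

    Assumes a codesign that accepts --xml (recent macOS); older releases
    need `--entitlements :-` and strip a blob header instead. This function
    cannot run off macOS, which is why the checks above take bytes.
    """
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", path],
        capture_output=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    missing = missing_entitlements(SAMPLE_ENTITLEMENTS_PLIST)
    print("re-apply needed:" if missing else "already entitled", sorted(missing))
```

Keeping the parsing separate from the codesign call lets the same check run in a pipeline step on any OS against entitlements captured earlier on the Mac signing machine; a key that is present but set to false is treated as missing, since the hardened runtime will not grant it.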

Projects: Status: In Progress