Localized artifacts now contain Authenticode signed assemblies #6172
Conversation
| @@ -24,9 +24,11 @@ Unfortunately, NuGet.Client does not use OneLocBuild, and any resource comments | |||
| Although the steps below are for the dev branch, the process is similar for release branches. | |||
|
|
|||
| 1. A PR merges into the dev branch. | |||
| 1. A NuGet.Client build generates a `localizationArtifacts` artifact. This artifact contains newly built (but unsigned) assemblies and .lcg files. The .lcg files contain information extracted from .resx files and are the primary input for later localization. | |||
| 1. A NuGet.Client build generates a `localizationArtifacts` artifact. This artifact contains newly built Authenticode-signed assemblies [(see PR#6170)][12]) containing English resources and .lcg files. | |||
There was a problem hiding this comment.
| 1. A NuGet.Client build generates a `localizationArtifacts` artifact. This artifact contains newly built Authenticode-signed assemblies [(see PR#6170)][12]) containing English resources and .lcg files. | |
| 1. A NuGet.Client build generates a `localizationArtifacts` artifact. This artifact contains newly built assemblies containing English resources and .lcg files. |
If someone needs to investigate the loc process in a year or more from now, I'm not sure why the PR would be interesting to call out specifically. In fact, the fact that it's signed or not also doesn't seem important to me.
The loc team's tools don't have a requirement about signed or unsigned assemblies.
There was a problem hiding this comment.
The loc team's tools don't have a requirement about signed or unsigned assemblies.
This documentation is for the NuGet Client team, not the loc team.
In fact, the fact that it's signed or not also doesn't seem important to me.
The original document indicated that these were unsigned assemblies. This is an update reflecting the new state of these assemblies.
This change is part of the SFI work to ensure we sign assemblies. If localized assemblies are not signed, we are no longer meeting SFI requirements.
| [11]: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/20709/MicroBuild-Localization | ||
| [12]: https://github.com/NuGet/NuGet.Client/pull/6170 |
There was a problem hiding this comment.
Similar to another comment, it's not clear to me why someone reading these docs would be more interested in this pull request than any other pull request that modified build/loc.proj or the build yaml.
There was a problem hiding this comment.
This pull request contains an explanation of why it's important to sign the localized assemblies, as well as how it's being done. It's not accidental that they're signed, it is intentional, so the documentation is referencing that PR to point to the purpose of that behavior.
Bug
Fixes:
Description
Documentation update for #6170
PR Checklist