Merge pull request #17661 from iterate-ch/feature/windows-cng

Sign using SignTool CSP

Author: dkocher

Directory.Build.props

@@ -50,4 +50,8 @@
 
   <Import Project="$(GeneratedMSBuildDir)Version.props" Condition="Exists('$(GeneratedMSBuildDir)Version.props')" />
 
+  <PropertyGroup>
+    <SignToolExecutablePath>$(PATH)</SignToolExecutablePath>
+  </PropertyGroup>
+
 </Project>

Directory.Build.targets

@@ -96,4 +96,44 @@
     </ItemGroup>
   </Target>
 
+  <PropertyGroup>
+    <_SignToolArgs Condition="'$(SignTool)'=='cng'">_SignToolArgsCNG</_SignToolArgs>
+    <_SignToolArgs Condition="'$(_SignToolArgs)'==''">_SignToolArgsCertificateStore</_SignToolArgs>
+
+    <SignToolArgsDependsOn>$(_SignToolArgs);SignToolExecutablePath</SignToolArgsDependsOn>
+  </PropertyGroup>
+
+  <Target Name="SignToolExecutablePath" Returns="$(SignToolExecutablePath);$(SignToolExecutable)">
+    <PropertyGroup>
+      <SignToolExecutable Condition="'$(SignToolExecutable)'==''">SignTool.exe</SignToolExecutable>
+      <SignToolExecutablePath>$(WindowsSdk_ExecutablePath);$(SignToolExecutablePath)</SignToolExecutablePath>
+    </PropertyGroup>
+  </Target>
+  
+  <Target Name="SignToolArgsBase" Returns="$(SignToolArgsBase)">
+    <PropertyGroup>
+      <SignToolArgsBase>sign /d "Cyberduck" /fd sha256 /tr "http://timestamp.acs.microsoft.com" /td "sha256" /a</SignToolArgsBase>
+    </PropertyGroup>
+  </Target>
+
+  <Target Name="SignToolArgs" DependsOnTargets="$(SignToolArgsDependsOn)">
+    <Error Text="'$(SignTool)' unsupported." Condition="'$(_SignToolArgs)'==''" />
+    <PropertyGroup>
+      <SignToolArgs>"$(SignToolExecutable)" $(SignToolArgsBase)</SignToolArgs>
+    </PropertyGroup>
+    <ItemGroup>
+      <SignToolEnvironmentVariable Include="PATH=$([MSBuild]::Escape('$(SignToolExecutablePath)'))" />
+    </ItemGroup>
+  </Target>
+  <Target Name="_SignToolArgsCertificateStore" DependsOnTargets="SignToolArgsBase" Returns="$(SignToolArgsBase)">
+    <PropertyGroup>
+      <SignToolArgsBase>$(SignToolArgsBase) /sm /n "iterate GmbH"</SignToolArgsBase>
+    </PropertyGroup>
+  </Target>
+  <Target Name="_SignToolArgsCNG" DependsOnTargets="SignToolArgsBase" Returns="$(SignToolArgsBase)">
+    <PropertyGroup>
+      <SignToolArgsBase>$(SignToolArgsBase) /f "$(CyberduckDir)setup\cert\certificate.crt" /csp "$(SignToolCSP)" /kc "$(SignToolKC)"</SignToolArgsBase>
+    </PropertyGroup>
+  </Target>
+
 </Project>

build.xml

@@ -137,6 +137,7 @@
         </condition>
         <property name="msbuild.configuration" value="Release"/>
 
+        <property name="signtool" value="cng" />
         <property name="revision" value="0" />
         <copy todir="${build}/generated/msbuild" overwrite="True">
             <resources>

cli/src/main/wix/Bootstrapper/duck.bootstrapper.wixproj

@@ -19,8 +19,15 @@
   <ItemGroup>
     <Compile Include="Cyberduck CLI Bundle.wxs" />
   </ItemGroup>
+
+  <PropertyGroup>
+    <PreferredToolArchitecture>x64</PreferredToolArchitecture>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)Microsoft.Cpp.MSVC.Toolset.Common.props" />
+
   <Import Project="$(WixTargetsPath)" Condition=" '$(WixTargetsPath)' != '' " />
   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets" Condition=" '$(WixTargetsPath)' == '' AND Exists('$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets') " />
+  <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.targets', '$(MSBuildThisFileDirectory)'))" />
   <Target Name="EnsureWixToolsetInstalled" Condition=" '$(WixTargetsImported)' != 'true' ">
     <Error Text="The WiX Toolset v3.14 (or newer) build tools must be installed to build this project. To download the WiX Toolset, see http://wixtoolset.org/releases/" />
   </Target>
@@ -49,34 +56,11 @@
     </ProjectReference>
   </ItemGroup>
 
-  <Target Name="UsesFrameworkSdk">
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="FrameworkSdkPath" />
-    </GetFrameworkSdkPath>
-    <PropertyGroup>
-      <WinSDK>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0@InstallationFolder)</WinSDK>
-      <WinSDK Condition="('@(WinSDK)'=='')">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots@KitsRoot10)</WinSDK>
-      <Win10SDKBinPath>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@InstallationFolder)bin\</Win10SDKBinPath>
-      <Win10SDKVersion>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@ProductVersion).0\</Win10SDKVersion>
-      <Win10SDKVerBinPath>$(Win10SDKBinPath)$(Win10SDKVersion)</Win10SDKVerBinPath>
-    </PropertyGroup>
+  <Target Name="SignBundleEngine" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;@(SignBundleEngine)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
-  <Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
-    <PropertyGroup>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(FrameworkSdkPath)bin\signtool.exe')">$(FrameworkSdkPath)bin\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(WinSDK)\bin\x86\signtool.exe')">$(WinSDK)\bin\x86\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(Win10SDKVerBinPath)x86\signtool.exe')">$(Win10SDKVerBinPath)x86\signtool.exe</SignToolPath>
-    </PropertyGroup>
-  </Target>
-
-  <Target Name="SignBundleEngine" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck CLI&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;@(SignBundleEngine)&quot;"/>
-  </Target>
-
-  <Target Name="SignBundle" Condition="'$(SignOutput)' == 'true'" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck CLI&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;@(SignBundle)&quot;"/>
+  <Target Name="SignBundle" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;@(SignBundle)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
 
   <!--

cli/src/main/wix/Bundle/duck.bundle.wixproj

@@ -42,8 +42,14 @@
     </HarvestDirectory>
   </ItemGroup>
 
+  <PropertyGroup>
+    <PreferredToolArchitecture>x64</PreferredToolArchitecture>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)Microsoft.Cpp.MSVC.Toolset.Common.props" />
+
   <Import Project="$(WixTargetsPath)" Condition=" '$(WixTargetsPath)' != '' " />
   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets" Condition=" '$(WixTargetsPath)' == '' AND Exists('$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets') " />
+  <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.targets', '$(MSBuildThisFileDirectory)'))" />
   <Target Name="EnsureWixToolsetInstalled" Condition=" '$(WixTargetsImported)' != 'true' ">
     <Error Text="The WiX Toolset v3.11 (or newer) build tools must be installed to build this project. To download the WiX Toolset, see http://wixtoolset.org/releases/" />
   </Target>
@@ -65,40 +71,31 @@
     </WixExtension>
   </ItemGroup>
 
-  <Target Name="UsesFrameworkSdk">
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="FrameworkSdkPath" />
-    </GetFrameworkSdkPath>
-    <PropertyGroup>
-      <WinSDK>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0@InstallationFolder)</WinSDK>
-      <WinSDK Condition="('@(WinSDK)'=='')">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots@KitsRoot10)</WinSDK>
-      <Win10SDKBinPath>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@InstallationFolder)bin\</Win10SDKBinPath>
-      <Win10SDKVersion>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@ProductVersion).0\</Win10SDKVersion>
-      <Win10SDKVerBinPath>$(Win10SDKBinPath)$(Win10SDKVersion)</Win10SDKVerBinPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
-    <PropertyGroup>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(FrameworkSdkPath)bin\signtool.exe')">$(FrameworkSdkPath)bin\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(WinSDK)\bin\x86\signtool.exe')">$(WinSDK)\bin\x86\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(Win10SDKVerBinPath)x86\signtool.exe')">$(Win10SDKVerBinPath)x86\signtool.exe</SignToolPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="SignMsi" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck CLI&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;%(SignMsi.FullPath)&quot;"/>
+  <Target Name="SignMsi" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;%(SignMsi.FullPath)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
   <!--
 	To modify your build process, add your task inside one of the targets below and uncomment it.
 	Other similar extension points exist, see Wix.targets.
   -->
-  <Target Name="SignDLLs" Condition="'$(SignOutput)' == 'true'" DependsOnTargets="UsesSignTool" AfterTargets="Compile" BeforeTargets="Link">
+  <Target Name="_CollectPayload" Returns="@(SignPayload)">
     <ItemGroup>
-      <Assemblies Include="$(TargetBuildDir)*.dll" />
-      <Assemblies Include="$(TargetBuildDir)*.exe" />
+      <SignPayload Include="$(TargetBuildDir)*.dll;$(TargetBuildDir)*.exe" />
     </ItemGroup>
+  </Target>
+  <Target Name="CollectSignPayload" DependsOnTargets="_CollectPayload;SignToolArgs" Outputs="%(SignPayload.Identity)" Returns="@(SignPayload)">
+    <Exec Command="%22$(SignToolExecutable)%22 verify /q /pa %22%(SignPayload.Identity)%22"
+          EnvironmentVariables="@(SignToolEnvironmentVariable)"
+          IgnoreStandardErrorWarningFormat="true"
+          IgnoreExitCode="true">
+      <Output TaskParameter="ExitCode" PropertyName="PayloadSigned" />
+    </Exec>
 
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;$([System.IO.Path]::GetFullPath('%(Assemblies.Identity)'))&quot;"/>
+    <ItemGroup>
+      <SignPayload Remove="%(SignPayload.Identity)" Condition="'$(PayloadSigned)'=='0'" />
+    </ItemGroup>
+  </Target>
+  <Target Name="SignPayload" Condition=" '$(SignOutput)' == 'true' " DependsOnTargets="CollectSignPayload;SignToolArgs" AfterTargets="Compile" BeforeTargets="Link">
+    <Exec Command="$(SignToolArgs) @(SignPayload->'%22%(Identity)%22', ' ')" EnvironmentVariables="@(SignToolEnvironmentVariable)" Condition="'@(SignPayload)'!=''" />
   </Target>
 </Project>

cli/src/main/wix/Directory.Build.props

@@ -23,6 +23,7 @@
     <PropertyGroup>
         <OutputPath>$(OutputPath)$(Configuration)</OutputPath>
         <SetupDir>$(CyberduckDir)setup\wix\</SetupDir>
+        <OutDir>$(OutputPath)</OutDir>
     </PropertyGroup>
 
 </Project>

setup/cert/certificate.crt

@@ -8,4 +8,10 @@
     <Version>$(AssemblyVersion)</Version>
   </PropertyGroup>
 
-</Project>
+  <PropertyGroup>
+    <SignTool>${signtool}</SignTool>
+    <SignToolCSP>${signtool.csp}</SignToolCSP>
+    <SignToolKC>${signtool.kc}</SignToolKC>
+  </PropertyGroup>
+
+</Project>

src/template/msbuild/Version.props

@@ -19,8 +19,15 @@
   <ItemGroup>
     <Compile Include="Cyberduck Bootstrapper.wxs" />
   </ItemGroup>
+
+  <PropertyGroup>
+    <PreferredToolArchitecture>x64</PreferredToolArchitecture>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)Microsoft.Cpp.MSVC.Toolset.Common.props" />
+
   <Import Project="$(WixTargetsPath)" Condition=" '$(WixTargetsPath)' != '' " />
   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets" Condition=" '$(WixTargetsPath)' == '' AND Exists('$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets') " />
+  <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.targets', '$(MSBuildThisFileDirectory)'))" />
   <Target Name="EnsureWixToolsetInstalled" Condition=" '$(WixTargetsImported)' != 'true' ">
     <Error Text="The WiX Toolset v3.14 (or newer) build tools must be installed to build this project. To download the WiX Toolset, see http://wixtoolset.org/releases/" />
   </Target>
@@ -51,32 +58,12 @@
   <ItemGroup>
     <Content Include="InstallerTheme.xml" />
   </ItemGroup>
-  <Target Name="UsesFrameworkSdk">
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="FrameworkSdkPath" />
-    </GetFrameworkSdkPath>
-    <PropertyGroup>
-      <WinSDK>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0@InstallationFolder)</WinSDK>
-      <WinSDK Condition="('@(WinSDK)'=='')">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots@KitsRoot10)</WinSDK>
-      <Win10SDKBinPath>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@InstallationFolder)bin\</Win10SDKBinPath>
-      <Win10SDKVersion>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@ProductVersion).0\</Win10SDKVersion>
-      <Win10SDKVerBinPath>$(Win10SDKBinPath)$(Win10SDKVersion)</Win10SDKVerBinPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
-    <PropertyGroup>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(FrameworkSdkPath)bin\signtool.exe')">$(FrameworkSdkPath)bin\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(WinSDK)\bin\x86\signtool.exe')">$(WinSDK)\bin\x86\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(Win10SDKVerBinPath)x86\signtool.exe')">$(Win10SDKVerBinPath)x86\signtool.exe</SignToolPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="SignBundleEngine" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;@(SignBundleEngine)&quot;"/>
+  
+  <Target Name="SignBundleEngine" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;@(SignBundleEngine)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
-  <Target Name="SignBundle" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;@(SignBundle)&quot;"/>
+  <Target Name="SignBundle" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;@(SignBundle)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
   <!--
 	To modify your build process, add your task inside one of the targets below and uncomment it.

windows/src/main/wix/Bootstrapper/Cyberduck.Bootstrapper.wixproj

@@ -70,48 +70,43 @@
     </HarvestDirectory>
   </ItemGroup>
 
+  <PropertyGroup>
+    <PreferredToolArchitecture>x64</PreferredToolArchitecture>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)Microsoft.Cpp.MSVC.Toolset.Common.props" />
+
   <Import Project="$(WixTargetsPath)" Condition=" '$(WixTargetsPath)' != '' " />
   <Import Project="$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets" Condition=" '$(WixTargetsPath)' == '' AND Exists('$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets') " />
+  <Import Project="$([MSBuild]::GetPathOfFileAbove('Directory.Build.targets', '$(MSBuildThisFileDirectory)'))" />
   <Target Name="EnsureWixToolsetInstalled" Condition=" '$(WixTargetsImported)' != 'true' ">
     <Error Text="The WiX Toolset v3.11 (or newer) build tools must be installed to build this project. To download the WiX Toolset, see http://wixtoolset.org/releases/" />
   </Target>
 
-  <Target Name="UsesFrameworkSdk">
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="FrameworkSdkPath" />
-    </GetFrameworkSdkPath>
-    <PropertyGroup>
-      <WinSDK>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v8.0@InstallationFolder)</WinSDK>
-      <WinSDK Condition="('@(WinSDK)'=='')">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Kits\Installed Roots@KitsRoot10)</WinSDK>
-      <Win10SDKBinPath>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@InstallationFolder)bin\</Win10SDKBinPath>
-      <Win10SDKVersion>$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v10.0@ProductVersion).0\</Win10SDKVersion>
-      <Win10SDKVerBinPath>$(Win10SDKBinPath)$(Win10SDKVersion)</Win10SDKVerBinPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="UsesSignTool" DependsOnTargets="UsesFrameworkSdk">
-    <PropertyGroup>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(FrameworkSdkPath)bin\signtool.exe')">$(FrameworkSdkPath)bin\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(WinSDK)\bin\x86\signtool.exe')">$(WinSDK)\bin\x86\signtool.exe</SignToolPath>
-      <SignToolPath Condition="('@(SignToolPath)'=='') and Exists('$(Win10SDKVerBinPath)x86\signtool.exe')">$(Win10SDKVerBinPath)x86\signtool.exe</SignToolPath>
-    </PropertyGroup>
-  </Target>
-  <Target Name="SignMsi" DependsOnTargets="UsesSignTool">
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;%(SignMsi.FullPath)&quot;"/>
+  <Target Name="SignMsi" DependsOnTargets="SignToolArgs">
+    <Exec Command="$(SignToolArgs) &quot;%(SignMsi.FullPath)&quot;" EnvironmentVariables="@(SignToolEnvironmentVariable)" />
   </Target>
   <!--
 	To modify your build process, add your task inside one of the targets below and uncomment it.
 	Other similar extension points exist, see Wix.targets.
   -->
-  <Target Name="SignDLLs" Condition=" '$(SignOutput)' == 'true' " DependsOnTargets="UsesSignTool" AfterTargets="Compile" BeforeTargets="Link">
+  <Target Name="_CollectPayload" Returns="@(SignPayload)">
     <ItemGroup>
-      <Assemblies Include="$(TargetBuildDir)*.dll" />
-      <Assemblies Include="$(TargetBuildDir)*.exe" />
-      <Assemblies Remove="$(TargetBuildDir)netstandard.dll" />
-      <Assemblies Remove="$(TargetBuildDir)System*.dll" />
+      <SignPayload Include="$(TargetBuildDir)*.dll;$(TargetBuildDir)*.exe" />
     </ItemGroup>
+  </Target>
+  <Target Name="CollectSignPayload" DependsOnTargets="_CollectPayload;SignToolArgs" Outputs="%(SignPayload.Identity)" Returns="@(SignPayload)">
+    <Exec Command="%22$(SignToolExecutable)%22 verify /q /pa %22%(SignPayload.Identity)%22"
+          EnvironmentVariables="@(SignToolEnvironmentVariable)"
+          IgnoreStandardErrorWarningFormat="true"
+          IgnoreExitCode="true">
+      <Output TaskParameter="ExitCode" PropertyName="PayloadSigned" />
+    </Exec>
 
-    <Exec
-        Command="&quot;$(SignToolPath)&quot; sign /d &quot;Cyberduck&quot; /fd sha256 /tr http://timestamp.entrust.net/TSS/RFC3161sha2TS /td sha256 /a /sm /n &quot;iterate GmbH&quot; &quot;%(Assemblies.Identity)&quot;"/>
+    <ItemGroup>
+      <SignPayload Remove="%(SignPayload.Identity)" Condition="'$(PayloadSigned)'=='0'" />
+    </ItemGroup>
+  </Target>
+  <Target Name="SignPayload" Condition=" '$(SignOutput)' == 'true' " DependsOnTargets="CollectSignPayload;SignToolArgs" AfterTargets="Compile" BeforeTargets="Link">
+    <Exec Command="$(SignToolArgs) @(SignPayload->'%22%(Identity)%22', ' ')" EnvironmentVariables="@(SignToolEnvironmentVariable)" Condition="'@(SignPayload)'!=''" />
   </Target>
 </Project>