Check the commit hash during verification about buildtools HOT 12 CLOSED

I would just test this manually by running this rule on packages with and without the commit hash.

from buildtools.

Yeah run it on some packages built on a recent Coherence-Signed, and it should pass (include both regular and .Sources packages). Then run it on older Coherence-Signed packages and it should fail.

from buildtools.

Yes. For example take a look at AssemblyHasCompanyAttributeRule

from buildtools.

Just a note on this one: the source packages (packages that don't have binaries in them) don't have commit hashes. The rule needs to take that into account and verify that there's no source file in the package (*.generated.cs) that contains that attribute.

from buildtools.

Hmm could we have a convention in the rule that ignores *.Sources packages? I don't like the idea of using *.generated.cs as a flag because there could be other files that match that pattern.

from buildtools.

What's the best way to test this?

from buildtools.

I would ignore .Sources packages and check everything else.

from buildtools.

Unzip the nupkg and check that the assemblies inside have the attribute set and its value matches the format of a commit hash. It would be too hard to verify that the actual value is the right commit.

from buildtools.

Oh, you mean the sources packages or how to test the attribute? 😕

from buildtools.

Ignoring .Sources should be easy. We have access to the package id in the rule.

from buildtools.

Yeah of course we can't check that the hash is actually correct - we just want to verify existence.

from buildtools.

I was asking what the best way to set this up to test that my changes work is since there's no tests and I can't find where it's used anywhere.

from buildtools.