Add support to disable signing python files

[eerhardt]

In Aspire, we are shipping a template with some .py files in it. These .py files are getting a signing block appended to them.

We are working around this in dotnet/aspire#13005, but would like an official way of excluding .py files from being signed. Similar to the work done in #15760, where not signing JS files can be opted in/out with a flag.

cc @missymessa @ellahathaway @mmitche @joperezr

[ellahathaway]

Are you asking to disable signing of python files by default? If so, in looking at the unified build signing binlogs, I’m still seeing many Python files being signed. Because of this, I don’t think it makes sense to disable signing for Python files by default, unlike what was done for .js files in dotnet/arcade#15760. For context, default signing of .js files was disabled because it was largely not required (see dotnet/runtime#114353#issuecomment-2784754860).

I understand the UI/UX perspective of being able to opt-in/out of signing with a flag, but I think the use case for that is limited ATM. For cases where you’d like to opt out specific file types from signing, the recommendation is exactly what you’ve done in dotnet/aspire#13005—explicitly exclude those files in your repo configuration.

[eerhardt]

I didn't want to have it default to stop signing for everyone. Just to give an option to do it.

Are there ways to opt out of signing files in a specific .nupkgs? I'm looking around, and it looks like Aspire opts into signing .js files:

https://github.com/dotnet/aspire/blob/85cef4ea18da891aed38f5f585111f593f72b664/eng/Signing.props#L6

Which is needed for our VS Code extension. But if we ever wanted to ship .js files in a project template, these files would get signed - just like our .py files are getting signed now.

How can I say to sign some files, but don't sign .py and .js files in our Project Template NuGet package?

[eerhardt]

@ellahathaway - reading https://eng.ms/docs/microsoft-security/ciso-organization/azure-security/core-security-services/azure-system-lockdown/code-integrity/code-signing/files-that-require-signing, now I'm wondering if .py files should be signed by default. It seems the reasoning is the same as .js files - it is only supported in a limited environment.

[mmitche]

@eerhardt We don't have plans to support container sensitive signing configurations. It doesn't really make sense in context of the way signing works. It introduces a potential problem where the same file in container X and container Y gets a different computation. The same file in multiple containers should end up identical in all places after signing is complete.

There are ways to achieve what you want, which is generally to list specific files as not requiring signing, or just disable signing of .py for your project via: <FileExtensionSignInfo Update=".py" CertificateName="None" />