Skip Authenticode for ReconnectModal.razor.js; add catalog signing

[jesuszarate]

ReconnectModal.razor.js is a customer-modifiable template file in the maui-blazor-solution template. Users edit it after project creation, so Authenticode signing is inappropriate -- it would break on modification.

This PR:

• Sets CertificateName=None for ReconnectModal.razor.js to skip Authenticode signing.
• Adds eng/generate-catalog.ps1 to produce a .cat file covering *.js template content via makecat.exe.
• Adds a GenerateCatalogFiles MSBuild target in Microsoft.Maui.Templates.csproj that runs after Build/before Pack (Windows-only). The .cat is included in the NuGet package.
• Adds FileExtensionSignInfo for .cat (Microsoft400) in eng/Signing.props so Arcade signs the catalog file.

The .cat provides integrity verification for the JS files without blocking customer modifications. This addresses VS signing compliance scan findings for the mauitemplatesnet* payloads (ReconnectModal.razor.js flagged as unsigned).

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35547

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35547"

[dotnet-policy-service]

Hey there @@jesuszarate! Thank you so much for your PR! Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

[kubaflo]

/review -b feature/refactor-copilot-yml

[MauiBot]

Expert Review — 1 findings

See inline comments for details.

[MauiBot]

[major] Build & MSBuild — GenerateCatalogFiles is hooked to AfterTargets="Build" and the Exec always passes -ErrorIfMakecatNotFound, so every ordinary Windows build of the templates project now requires Windows SDK makecat.exe even when not packing/signing. Catalog generation is only needed for package/signing output; scope this target to the pack/signing path, e.g. remove the AfterTargets="Build" hook and keep/replace it with an appropriate pack-only target/property guard.

[kubaflo]

/review -b feature/enhanced-reviewer -p windows

[kubaflo]

Could you please check the ai's suggestions?

[kubaflo]

/review rerun

[kubaflo]

/review -b feature/enhanced-reviewer -p windows

[MauiBot]

Expert Review — 1 findings

See inline comments for details.

[MauiBot]

[major] Build & MSBuild - This target runs after every Windows Build and always passes -ErrorIfMakecatNotFound, so normal local/solution builds of the templates project now require a Windows SDK makecat.exe even though catalog generation is only needed for packing/signing. It also relies on BeforeTargets="Pack"; for dotnet pack --no-build, the pack item collection happens through GenerateNuspec dependencies before the Pack target body, so the .cat can be generated too late to be included. Please move this into the pack/signing path before _GetPackageFiles/GenerateNuspec, or condition the hard failure to official signing builds only.

[kubaflo]

Could you check the ai's suggestions?

[kubaflo]

/review -b feature/enhanced-reviewer -p android

[MauiBot]

Expert Review — 1 findings

See inline comments for details.

[MauiBot]

[major] Build & MSBuild — GenerateCatalogFiles is wired with AfterTargets="Build"/BeforeTargets="Pack", which gives two bad failure modes: ordinary Windows builds now require makecat.exe because the target always passes -ErrorIfMakecatNotFound, and dotnet pack --no-build can run NuGet's pack dependency chain (BeforePack, GenerateNuspec, _GetPackageFiles) before this BeforeTargets="Pack" target adds the generated .cat to @(Content). Move catalog generation into the existing BeforePack dependency list (for example append GenerateCatalogFiles to <BeforePack>) and remove the AfterTargets/BeforeTargets hooks so the catalog is generated only for pack and before package content collection.

[MauiBot]

AI Review Summary

@jesuszarate — new AI review results are available based on this last commit: 0b53911. To request a fresh review after new comments or commits, comment /review rerun.

Review Sessions — click to expand

Gate — Test Before & After Fix

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.

---

Pre-Flight — Context & Validation

Issue: N/A - PR addresses VS signing compliance scan findings; no linked GitHub issue detected
PR: #35547 - Skip Authenticode for ReconnectModal.razor.js; add catalog signing
Platforms Affected: Packaging/signing infrastructure; Windows pack/signing path. Requested test platform: android; no Android runtime implementation impact detected.
Files Changed: 3 implementation/build files, 0 test files

Key Findings

• PR marks ReconnectModal.razor.js as CertificateName="None", adds a PowerShell catalog generator, includes a generated .cat as template package content, and configures .cat signing.
• Gate was already skipped because no tests were detected; no gate verification was re-run.
• Public PR metadata and review comments were available, but gh CLI authentication was unavailable, so required-check status is undetermined.
• Prior MauiBot/code-review findings identify unresolved target-ordering issues: the target runs on ordinary Windows builds and can run too late for dotnet pack --no-build.
• Impacted UI categories: none; this is a templates packaging/signing change.

Code Review Summary

Verdict: NEEDS_CHANGES
Confidence: low
Errors: 1 | Warnings: 0 | Suggestions: 0

Key code review findings:

• ❌ src/Templates/src/Microsoft.Maui.Templates.csproj:131-140 — GenerateCatalogFiles is hooked into the wrong lifecycle: it runs after every Windows Build with -ErrorIfMakecatNotFound, and BeforeTargets="Pack" can be too late for no-build pack flows because package content may already have been collected.

Failure-mode probes and blast radius:

• dotnet build on Windows without Windows SDK makecat.exe: fails even when not packing/signing.
• dotnet pack --no-build: .cat can be generated after package item collection and omitted from the nupkg while ReconnectModal.razor.js is no longer Authenticode-signed.
• Blast radius is limited to the MAUI templates package and signing pipeline; no Android runtime code is affected.

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #35547	Skip Authenticode for ReconnectModal.razor.js, generate maui-template-content.cat after Build/before Pack, include it as package content, and sign .cat files	⚠️ SKIPPED (Gate: no tests detected)	eng/Signing.props, eng/generate-catalog.ps1, src/Templates/src/Microsoft.Maui.Templates.csproj	Original PR; code review found unresolved target lifecycle issues

---

Code Review — Deep Analysis

Code Review — PR #35547

Independent Assessment

What this changes: Disables direct Authenticode signing for ReconnectModal.razor.js, adds a PowerShell makecat.exe catalog generator, includes a generated .cat in the template package, and configures .cat signing.
Inferred motivation: The JS file is shipped as editable template content, so direct Authenticode signing is incompatible with user modification while compliance still needs signed integrity coverage.

Reconciliation with PR Narrative

Author claims: Matches the code intent: skip Authenticode for editable template JS and catalog-sign it instead.
Agreement/disagreement: Intent matches, but the MSBuild hook still has packaging/build-order problems.

Prior Review Reconciliation

Prior ❌ Error Finding	Source	Status	Evidence
GenerateCatalogFiles can run too late for dotnet pack --no-build	MauiBot inline/top-level reviews	❌ Unresolved	Current src/Templates/src/Microsoft.Maui.Templates.csproj:131-140 still uses BeforeTargets="Pack" plus AfterTargets="Build".
Normal Windows builds now hard-require makecat.exe	MauiBot inline review	❌ Unresolved	Current line 140 always passes -ErrorIfMakecatNotFound whenever the Windows AfterTargets="Build" target runs.

Blast Radius Assessment

• Runs for all instances: yes, for all Windows builds of the templates project.
• Startup impact: no runtime app startup impact.
• Static/shared state: no.

CI Status

• Required-check result: tool-unavailable/undetermined.
• Classification: undetermined.
• Action taken: gh is unauthenticated; public API/prior review data showed build status was not fully established, so confidence is capped low.

Findings

❌ Error — Catalog generation target is hooked into the wrong build/pack lifecycle

src/Templates/src/Microsoft.Maui.Templates.csproj:131-140 runs after every Windows Build and hard-fails if makecat.exe is absent, even when not packing/signing. It also relies on BeforeTargets="Pack", which is too late for dotnet pack --no-build because package item collection can occur before the Pack target body. The .cat may be omitted while the JS is no longer directly signed.

Failure-Mode Probing

• dotnet build on Windows without Windows SDK makecat.exe: fails due to -ErrorIfMakecatNotFound.
• dotnet pack --no-build: catalog target may run after content collection, omitting .cat.
• Non-Windows builds: target is skipped, so no catalog is produced there.

Verdict: NEEDS_CHANGES

Confidence: low
Summary: The signing strategy is reasonable, but the MSBuild integration remains unsafe for normal Windows builds and no-build pack flows. Prior major findings remain unresolved, and CI is undetermined.

---

Fix — Analysis & Comparison

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
1	code-review + maui-expert-reviewer	Move catalog generation into BeforePack and remove AfterTargets="Build"/BeforeTargets="Pack" from GenerateCatalogFiles	✅ PASS	2 files	Better than PR fix: pack-only execution and pack --no-build catalog inclusion before package content collection
PR	PR #35547	Generate catalog after Build/before Pack target body while skipping direct Authenticode for editable JS	⚠️ SKIPPED (Gate: no tests detected); code review found issue	3 files	Original PR can require makecat.exe during ordinary Windows builds and can generate .cat too late for no-build pack

Cross-Pollination

Model	Round	New Ideas?	Details
maui-expert-reviewer	1	Yes	Proposed the BeforePack dependency hook candidate and recommended testing build non-invocation plus pack --no-build package inclusion.

Exhausted: No — stopped because candidate #1 passed all available focused tests and is demonstrably better than the PR's current target hookup.
Selected Fix: Candidate #1 — It preserves the PR's signing/catalog intent while fixing target ordering and avoiding makecat.exe requirements for ordinary builds.

Candidate Details

See CustomAgentLogsTmp/PRState/35547/PRAgent/try-fix-1/content.md for the full approach, scoped diff, test results, and analysis.

---

Report — Final Recommendation

Comparative Report — PR #35547

Candidates compared

Rank	Candidate	Regression result	Assessment
1	pr-plus-reviewer	✅ PASS via same implementation as try-fix-1 focused checks	Best candidate. Keeps the PR's catalog-signing approach and applies expert feedback so catalog generation is pack-scoped through BeforePack and runs before package content collection.
2	try-fix-1	✅ PASS	Technically equivalent to pr-plus-reviewer; ranked second only because pr-plus-reviewer is the PR fix with expert feedback applied, making it the preferred merge path.
3	pr	⚠️ Gate skipped; expert review found major issue	Correct high-level signing intent, but GenerateCatalogFiles runs after ordinary Windows builds and can run too late for dotnet pack --no-build, risking build failures and missing catalog coverage.

No candidate failed regression tests. Per the ranking rule, candidates with passing focused regression evidence are ranked above the raw PR candidate, whose gate was skipped and whose expert review found an actionable major issue.

Analysis

The raw PR fix makes ReconnectModal.razor.js unsigned directly and adds catalog signing, which is the right compliance direction for customer-editable template content. The flaw is the MSBuild integration: AfterTargets="Build" makes Windows builds depend on makecat.exe even when not packing, and BeforeTargets="Pack" can be too late for no-build pack flows because package content may already have been collected before the generated .cat is added to @(Content).

try-fix-1 fixes that by appending GenerateCatalogFiles to the existing BeforePack property and removing the explicit Build/Pack target hooks. Focused validation showed that ordinary build target hooking is removed and dotnet pack --no-build includes content/maui-template-content.cat.

pr-plus-reviewer applies the expert reviewer's actionable feedback to the PR fix and is implementation-equivalent to try-fix-1. It is the best candidate because it preserves the PR author's intended signing model while incorporating the independently validated lifecycle fix.

Winner

pr-plus-reviewer wins.

Rationale: It is the PR fix with the expert reviewer's necessary MSBuild lifecycle correction applied. It has the same passing validation evidence as try-fix-1, avoids the raw PR's normal-build and no-build-pack failure modes, and remains the most direct path to merge because it is an incremental correction to the submitted PR.

---

Future Action — review latest findings

No alternative fix was selected for this run. Review the session findings and CI results before merging.

[kubaflo]

Could you check the ai's suggestions?