Component .pkgs that were signed using SignTool are being reported as "not signed" #4889

@ellahathaway

Related to dotnet/arcade#15489

After adding the SignCheck logic to check .pkg signatures, I discovered that component (nested) pkgs are being reported as "unsigned". I validated this locally by pulling a signed installer pkg, unpacking the installer, and verifying the component pkg. When I did this, the component pkg was reported to not have a signature. This is despite SignTool + MicroBuild binlogs showing that the component pkg was submitted for signing and was signed successfully.

Interestingly, when I then repacked the installer pkg and reverified its signature, it was reported to not be signed. This suggests that the repack logic is likely modifying the package.

We should investigate this further.

cc @mmitche


Status

Done
