Sign.proj and Tools.proj unconditionally require both WiX 3 and WiX 5 toolsets #16611
Description
Summary
Sign.proj and Tools.proj unconditionally reference both WiX 3 (Microsoft.Signed.Wix) and WiX 5 (Microsoft.WixToolset.Sdk) toolset packages, forcing every repo using Arcade SDK 10 to download and validate both — even repos that produce no MSI/WiX installers at all.
This was introduced by PR #15962 ("Wix 5 signing support", merged 2025-07-14).
Repro
Any repo onboarded to Arcade SDK 10.0.0-beta.* (e.g. a NuGet-only repo with no WiX usage) will restore both WiX packages and SignToolTask will validate both tool paths exist.
Root Cause
Three files contribute to the problem:
1. DefaultVersions.props — unconditionally sets both versions
<MicrosoftSignedWixVersion Condition="'$(MicrosoftSignedWixVersion)' == ''">3.14.1-9323.2545153</MicrosoftSignedWixVersion>
<MicrosoftWixToolsetSdkVersion Condition="'$(MicrosoftWixToolsetSdkVersion)' == ''">5.0.2-dotnet.2811440</MicrosoftWixToolsetSdkVersion>2. Tools.proj — unconditionally downloads both packages (no opt-in gate)
<PackageReference Include="Microsoft.Signed.Wix" Version="$(MicrosoftSignedWixVersion)" IsImplicitlyDefined="true" />
<PackageReference Include="Microsoft.WixToolset.Sdk" Version="$(MicrosoftWixToolsetSdkVersion)" IsImplicitlyDefined="true" />Compare with Microsoft.DotNet.Build.Tasks.VisualStudio which is gated behind UsingToolVSSDK:
<PackageReference Include="Microsoft.DotNet.Build.Tasks.VisualStudio" ... Condition="'$(UsingToolVSSDK)' == 'true'" />3. Sign.proj — unconditionally passes both tool paths to SignToolTask
Wix3ToolsPath="$(WixInstallPath)"
WixToolsPath="$(NuGetPackageRoot)microsoft.wixtoolset.sdk\$(MicrosoftWixToolsetSdkVersion)\tools\net472\x64"4. SignToolTask — validates both paths and errors if set but missing
if (Wix3ToolsPath != null && !Directory.Exists(Wix3ToolsPath))
Log.LogError($"Wix3ToolsPath ('{ Wix3ToolsPath}') does not exist.");
if (WixToolsPath != null && !Directory.Exists(WixToolsPath))
Log.LogError($"WixToolsPath ('{ WixToolsPath}') does not exist.");Impact
- Repos that only produce NuGet packages (no MSIs/wixpacks) are forced to download ~100MB+ of WiX tooling they never use
- If WiX packages fail to restore (feed issues, network), signing breaks even though no WiX artifacts exist
- The wixpack files used to zip and sign MSIs differ between WiX 3 and WiX 5, and
SignToolTaskexpects both toolsets to be present even if only one version is in use
Suggested Fix
Gate WiX toolset references behind an opt-in property (similar to UsingToolVSSDK):
<!-- Tools.proj -->
<PackageReference Include="Microsoft.Signed.Wix" ... Condition="'$(UsingToolWix3)' == 'true' or '$(UsingToolWix)' == 'true'" />
<PackageReference Include="Microsoft.WixToolset.Sdk" ... Condition="'$(UsingToolWix5)' == 'true' or '$(UsingToolWix)' == 'true'" /><!-- Sign.proj -->
Wix3ToolsPath="$(WixInstallPath)" Condition="'$(UsingToolWix3)' == 'true' or '$(UsingToolWix)' == 'true'"
WixToolsPath="..." Condition="'$(UsingToolWix5)' == 'true' or '$(UsingToolWix)' == 'true'"Or at minimum, only pass the tool paths when the corresponding version property is explicitly set by the repo (not just defaulted).
Environment
- Arcade SDK:
10.0.0-beta.26168.104 - Source: dotnet/dotnet VMR @
73b3b5ac0e4a5658c7a0555b67d91a22ad39de4b - Affected repo: dotnet/maui-labs (NuGet packages only, no WiX installers)