--file-list ignored

[tbolon]

Describe the bug
When using sign code azure-key-vault:

• we have to provide a list of files, even when a --file-list parameter is provided
• when we provide a list of files, the --file-list parameter seems to be simply ignored
• the example in the docs folder specify both a '*' as the list of files an a --file-list
• there is no documentation about the relationship between these two parameters

Repro steps

sign-list.txt:

myapp.exe
my.*.dll

dir:

myapp.exe
my.first.dll
my.second.dll
other.dll

Only file-list not accepted:

sign code azure-key-vault `
> -fl "D:\code\project1\sign-list.txt" `
> --base-directory "D:\code\project1\bin\Release\net10\" `
> --azure-key-vault-tenant-id "xxx" `
> --azure-key-vault-client-id "yyy" `
> --azure-key-vault-client-secret "zzz" `
> --azure-key-vault-url "https://xxx.vault.azure.net/" `
> --azure-key-vault-certificate "foo" `
> -d "My App" `
> -v Information `

Required argument missing for command: 'azure-key-vault'.

wildcard results in all files signed (file-list ignored):

sign code azure-key-vault `
> -fl "D:\code\project1\sign-list.txt" `
> --base-directory "D:\code\project1\bin\Release\net10\" `
> --azure-key-vault-tenant-id "xxx" `
> --azure-key-vault-client-id "yyy" `
> --azure-key-vault-client-secret "zzz" `
> --azure-key-vault-url "https://xxx.vault.azure.net/" `
> --azure-key-vault-certificate "foo" `
> -d "My App" `
> -v Information `
> *

Submitting D:\code\project1\bin\Release\net10\myapp.exe for signing.
Submitting D:\code\project1\bin\Release\net10\my.first.dll for signing.
Submitting D:\code\project1\bin\Release\net10\my.second.dll for signing.
Submitting D:\code\project1\bin\Release\net10\other.dll for signing.

single file results in only this file signed (file-list ignored):

sign code azure-key-vault `
> -fl "D:\code\project1\sign-list.txt" `
> --base-directory "D:\code\project1\bin\Release\net10\" `
> --azure-key-vault-tenant-id "xxx" `
> --azure-key-vault-client-id "yyy" `
> --azure-key-vault-client-secret "zzz" `
> --azure-key-vault-url "https://xxx.vault.azure.net/" `
> --azure-key-vault-certificate "foo" `
> -d "My App" `
> -v Information `
> myapp.exe

Submitting D:\code\project1\bin\Release\net10\myapp.exe for signing.

Expected behavior
There should be a clear relationship between files and --file-list:

• should be combined
• no files should be allowed when file-list is set
• documented

Actual behavior
--file-list seems to be ignored

Additional context
version 0.9.1-beta.25379.1+ba6e717abf74a693f0f9c5e891c0e3ef624956b3

[tbolon]

After reading the code, it seems the file-list is only used when scanning a IContainer, which can be a zip, an appx or a nupkg. That would explain the difference between the files argument and the file-list options.

Still, these kind of assumptions are hard to understand and should be documented: use files when you want to select which files should be signed, and use --file-list (which should be --container-file-list) to filter files to sign inside a container.