Issue with 'AfterTargets="Publish"' and PublishAot

[SCLDGit]

Description

We have a build target similar to the following in our project file:

<Target Name="SignPublishExe" AfterTargets="Publish" Condition="'$(Configuration)'=='Signed Release'">
    <Exec Command="&quot;C:\Path\To\signtool.exe&quot; sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f &quot;C:\Path\To\Certificate.cer&quot; /csp &quot;eToken Base Cryptographic Provider&quot; /kc &quot;[{{$(signing_key_pass)}}]=$(signing_key_id)&quot; &quot;\\?\$(PublishDir)$(TargetName).exe&quot;" />
  </Target>

It is intended to sign our published exe automatically after build. It works properly for all of our projects, except for our most recent addition, which uses PublishAot. The console output shows that the signing was successful, but upon inspection, the file in the actual publish location is not signed.

It appears that, at some point after the AfterTargets="Publish" step has completed in the build process, the file written to the location specified with the --output is overwritten by the executable that is created in the bin/x64/native directory. If we hardcode a build target to sign that file before the publish step, the executable in the --output location at the end of the process is signed.

Is there a separate build target for properly targeting this file? If not, how might we replace \\?\$(PublishDir)$(TargetName).exe in order to properly create a new build target for the executable in the native directory without having to hardcode the path in our .csproj files?

Reproduction Steps

1.) Create a project that makes use of PublishAot.
2.) Add the specified build target to the .csproj file.
3.) Run dotnet publish --output "Some/Path".

Expected behavior

Final output exe should be signed

Actual behavior

After the successful signing step, the executable is replaced with an unsigned copy of the executable from the native bin directory

Regression?

No response

Known Workarounds

Hardcode the path to the native executable and add an additional signing AfterTargets="Build" target that signs that exe prior to the AfterTargets="Publish" target.

Configuration

.NET 8
Windows 10 and 11
x64

Other information

No response

[SCLDGit]

Duplicate of dotnet/sdk#39549, which has a solution.

[dotnet-policy-service]

Tagging subscribers to this area: @agocke, @MichalStrehovsky, @jkotas
See info in area-owners.md if you want to be subscribed.

[MichalStrehovsky]

We don't have any documented way to do this. What you got will probably work for .NET8/9.

We have open issues (known bugs) on how AOT compilation hooks up into publish infrastructures and we're going to standardize it with how PublishSingleFile and PublishTrimmed works (#108909). Closing as a duplicate of that.