[link.exe /INTEGRITYCHECK] fix -- ":NO" suffix doesn't work, so update the docs

[glenn-slayden]

The doc mentions /INTEGRITYCHECK:NO, but this does not appear to be a valid command line option with the current link.exe releases. My version of link rejects that syntax entirely.

I don't know where the official link.exe source code is kept, but it likely has the exact same bug in the code that I found in the link below. Due to this obvious bug that I point out in the source code, there seems to be no way to explicilty assert /INTEGRITYCHECK in the negative, except by simply removing the option.

https://github.com/microsoft/BuildXL/blob/main/Public/Sdk/Experimental/Msvc/Native/Tools/Link/Link.dsc#L303-L307

I would welcome a link developer to fix the program itself, so it works as described, but in the meantime, at least the docs can be changed to reflect the current situation.

[prmerger-automator]

@glenn-slayden : Thanks for your contribution! The author(s) have been notified to review your proposed change.

[glenn-slayden]

c.f. oops... glenn-slayden#1

[learn-build-service-prod]

Learn Build status updates of commit cfe6833:

✅ Validation status: passed

File	Status	Preview URL	Details
docs/build/reference/integritycheck-require-signature-check.md	✅Succeeded

For more details, please refer to the build report.

For any questions, please:

• Try searching the learn.microsoft.com contributor guides
• Post your question in the Learn support channel

[Court72]

@TylerMSFT

Can you review the proposed changes?

When the changes are ready for publication, add a #sign-off comment to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

[TylerMSFT]

Thanks, @glenn-slayden. I'll take this up with a dev on the linker team and see what direction they'd like to go.

[TylerMSFT]

The dev who works on the linker went through the source code history, and sees no evidence of it ever supporting the :NO portion. So that's a strange doc artifact, that your update fixes. Thank you!

[TylerMSFT]

See what you think of the small suggestion I made. What I'm trying to avoid is people thinking the feature is somehow on unless they do something.

[TylerMSFT]

This might be slightly clearer if we say "This feature is off unless turned on with /INTEGRITYCHECK."

[TylerMSFT]

I updated this. If you have something you'd like better, let me know. In the meantime I'll get your changes through.

[learn-build-service-prod]

Learn Build status updates of commit 146ff9f:

✅ Validation status: passed

File	Status	Preview URL	Details
docs/build/reference/integritycheck-require-signature-check.md	✅Succeeded

For more details, please refer to the build report.

For any questions, please:

• Try searching the learn.microsoft.com contributor guides
• Post your question in the Learn support channel

[TylerMSFT]

#sign-off

[glenn-slayden]

@TylerMSFT Sorry for the late remark after this is closed, but my original text was also not the best:

" • To build an image which requires digital signature verification, in order to be loaded,..."

...would be less ambiguous. It would avoid the incorrect/nonsensical reading where it is somehow the "verification" (as opposed to, correctly, the image) which must be "loaded".

[TylerMSFT]

No worries, @glenn-slayden. I don't actually that sentence the way you do, but since I'm in this folder today, anyway, I tweaked it like so:

1. To create a digitally-signed image, include /INTEGRITYCHECK in the Additional Options command line. A digitally-signed image must pass a verification check before it is loaded. This feature is disabled by default.

[glenn-slayden]

Super, thanks.