Skip to content

Sign the MSIX files for the store #12582

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TravisEz13 merged 15 commits into from
May 29, 2020
Merged

Sign the MSIX files for the store #12582

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
752ba91
Sign the msix files for the store
TravisEz13 May 5, 2020
816f115
Update tools/releaseBuild/azureDevOps/templates/windows-package-signi…
TravisEz13 May 5, 2020
82053f7
fix input validation
TravisEz13 May 5, 2020
6ad52c9
fix preview cert id
TravisEz13 May 5, 2020
0a8ac06
try to exclude release build from CI to save compute
TravisEz13 May 5, 2020
f2137ef
try again
TravisEz13 May 5, 2020
ece5d0b
target prerpod
TravisEz13 May 5, 2020
f47b3d9
use correct subject for preview
TravisEz13 May 8, 2020
ddf7e0f
Always use the release cert
TravisEz13 May 12, 2020
cba6ad7
add actually release cert EKU
TravisEz13 May 11, 2020
c77dfac
make it basically work like it did before
TravisEz13 May 27, 2020
9224364
move to production
TravisEz13 May 27, 2020
08102cf
go back to store cert
TravisEz13 May 27, 2020
9f35196
move msix to a private container
TravisEz13 May 27, 2020
c48ad93
Merge branch 'master' into sign-msix
TravisEz13 May 29, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .vsts-ci/linux.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ trigger:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
Expand All @@ -25,7 +24,8 @@ pr:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
Expand Down
3 changes: 2 additions & 1 deletion .vsts-ci/mac.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,11 @@ pr:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*

variables:
DOTNET_CLI_TELEMETRY_OPTOUT: 1
Expand Down
2 changes: 2 additions & 0 deletions .vsts-ci/windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ pr:
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*

variables:
GIT_CONFIG_PARAMETERS: "'core.autocrlf=false'"
Expand Down
2 changes: 1 addition & 1 deletion assets/AppxManifest.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
xmlns:desktop6="http://schemas.microsoft.com/appx/manifest/desktop/windows10/6"
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">

<Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Version="$VERSION$" />
<Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="$PUBLISHER$" Version="$VERSION$" />

<Properties>
<DisplayName>$DISPLAYNAME$</DisplayName>
Expand Down
16 changes: 10 additions & 6 deletions tools/packaging/packaging.psm1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3183,9 +3183,18 @@ function New-MSIXPackage

Write-Verbose "Version: $productversion" -Verbose

$isPreview = Test-IsPreview -Version $ProductSemanticVersion
if ($isPreview) {
Write-Verbose "Using Preview assets" -Verbose
}

# Appx manifest needs to be in root of source path, but the embedded version needs to be updated
# cp-459155 is 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
# authenticodeFormer is 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$releasePublisher = 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

$appxManifest = Get-Content "$RepoRoot\assets\AppxManifest.xml" -Raw
$appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName)
$appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName).Replace('$PUBLISHER$', $releasePublisher)
Set-Content -Path "$ProductSourcePath\AppxManifest.xml" -Value $appxManifest -Force
# Necessary image assets need to be in source assets folder
$assets = @(
Expand All @@ -3200,11 +3209,6 @@ function New-MSIXPackage
$null = New-Item -ItemType Directory -Path "$ProductSourcePath\assets"
}

$isPreview = Test-IsPreview -Version $ProductSemanticVersion
if ($isPreview) {
Write-Verbose "Using Preview assets" -Verbose
}

$assets | ForEach-Object {
if ($isPreview) {
Copy-Item -Path "$RepoRoot\assets\$_-Preview.png" -Destination "$ProductSourcePath\assets\$_.png"
Expand Down
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/upload.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,5 +61,5 @@ steps:
azureSubscription: '$(AzureFileCopySubscription)'
Destination: AzureBlob
storage: '$(StorageAccount)'
ContainerName: '$(AzureVersion)'
ContainerName: '$(AzureVersion)-private'
condition: and(succeeded(), eq('${{ parameters.msix }}', 'yes'), eq(variables['SHOULD_SIGN'], 'true'))
6 changes: 5 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/windows-package-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,12 +38,16 @@ jobs:
$authenticodefiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msi"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msi"
)

$msixFiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm32.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm64.msix"
)
tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"

tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml" -MsixCertType $env:MSIX_TYPE -MsixFiles $msixFiles
displayName: 'Generate Package Signing Xml'

- powershell: |
Expand Down
14 changes: 13 additions & 1 deletion tools/releaseBuild/generatePackgeSigning.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,18 @@ param(
[string[]] $NuPkgFiles,
[string[]] $MacDeveloperFiles,
[string[]] $LinuxFiles,
[string[]] $ThirdPartyFiles
[string[]] $ThirdPartyFiles,
[string[]] $MsixFiles,
[ValidateSet('release','preview')]
[string] $MsixCertType = 'preview'
)

if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
(!$AuthenticodeFiles -or $AuthenticodeFiles.Count -eq 0) -and
(!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and
(!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and
(!$LinuxFiles -or $LinuxFiles.Count -eq 0) -and
(!$MsixFiles -or $MsixFiles.Count -eq 0) -and
(!$ThirdPartyFiles -or $ThirdPartyFiles.Count -eq 0))
{
throw "At least one file must be specified"
Expand Down Expand Up @@ -95,6 +99,14 @@ foreach ($file in $ThirdPartyFiles) {
New-FileElement -File $file -SignType 'ThirdParty' -XmlDoc $signingXml -Job $job
}

foreach ($file in $MsixFiles) {
# 'CP-459155' signs for the store only
# AuthenticodeFormer works only for sideloading
# ----------------------------------------------
# update releasePublisher in packaging.psm1 when this is changed
New-FileElement -File $file -SignType 'CP-459155' -XmlDoc $signingXml -Job $job
}

$signingXml.Save($path)
$updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1'
& $updateScriptPath -SigningXmlPath $path
7 changes: 7 additions & 0 deletions tools/releaseBuild/setReleaseTag.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,13 +58,16 @@ function New-BuildInfoJson {
$branchOnly = $Branch -replace '^refs/heads/';
$branchOnly = $branchOnly -replace '[_\-]'

$msixType = 'preview'

$isDaily = $false

if($ReleaseTag -eq 'fromBranch' -or !$ReleaseTag)
{
# Branch is named release-<semver>
if($Branch -match '^.*(release[-/])')
{
$msixType = 'release'
Write-Verbose "release branch:" -Verbose
$releaseTag = $Branch -replace '^.*(release[-/])'
$vstsCommandString = "vso[task.setvariable variable=$Variable]$releaseTag"
Expand Down Expand Up @@ -127,4 +130,8 @@ $vstsCommandString = "vso[task.setvariable variable=IS_DAILY]$($isDaily.ToString
Write-Verbose -Message "$vstsCommandString" -Verbose
Write-Host -Object "##$vstsCommandString"

$vstsCommandString = "vso[task.setvariable variable=MSIX_TYPE]$msixType"
Write-Verbose -Message "$vstsCommandString" -Verbose
Write-Host -Object "##$vstsCommandString"

Write-Output $releaseTag