Sign the MSIX files for the store (#12582)

Co-authored-by: Aditya Patwardhan <adityap@microsoft.com>
Travis Plunk 2020-05-29 10:26:30 -07:00 committed by GitHub
parent b80375f497
commit 2fe34993c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 43 additions and 13 deletions


@ -11,7 +11,6 @@ trigger:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
@ -25,7 +24,8 @@ pr:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
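Review bot: The `pr` exclude list now carries `tools/releaseBuild/*` and `tools/releaseBuild/azureDevOps/templates/*` next to the old recursive `/tools/releaseBuild/**/*` entry, and nothing in the file says whether the two are meant to cover the same set of paths. If the path filter does not treat `*` as recursive, files directly under `tools/releaseBuild/azureDevOps/` or in other subfolders would be handled differently from before, which matters because this directory holds the signing scripts changed in this commit. A comment above the entries would settle it, for example `# TODO confirm: these two patterns are intended to replace the recursive '**/*' exclude`. The same pair of entries appears in the next two pipeline files on this page.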


@ -25,10 +25,11 @@ pr:
include:
- '*'
exclude:
- /tools/releaseBuild/**/*
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*
variables:
DOTNET_CLI_TELEMETRY_OPTOUT: 1


@ -27,6 +27,8 @@ pr:
- /.vsts-ci/misc-analysis.yml
- /.github/ISSUE_TEMPLATE/*
- /.dependabot/config.yml
- tools/releaseBuild/*
- tools/releaseBuild/azureDevOps/templates/*
variables:
GIT_CONFIG_PARAMETERS: "'core.autocrlf=false'"


@ -9,7 +9,7 @@
xmlns:desktop6="http://schemas.microsoft.com/appx/manifest/desktop/windows10/6"
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
<Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Version="$VERSION$" />
<Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="$PUBLISHER$" Version="$VERSION$" />
<Properties>
<DisplayName>$DISPLAYNAME$</DisplayName>


@ -3183,9 +3183,18 @@ function New-MSIXPackage
Write-Verbose "Version: $productversion" -Verbose
$isPreview = Test-IsPreview -Version $ProductSemanticVersion
if ($isPreview) {
Write-Verbose "Using Preview assets" -Verbose
}
# Appx manifest needs to be in root of source path, but the embedded version needs to be updated
# cp-459155 is 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
# authenticodeFormer is 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$releasePublisher = 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$appxManifest = Get-Content "$RepoRoot\assets\AppxManifest.xml" -Raw
$appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName)
$appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName).Replace('$PUBLISHER$', $releasePublisher)
Set-Content -Path "$ProductSourcePath\AppxManifest.xml" -Value $appxManifest -Force
# Necessary image assets need to be in source assets folder
$assets = @(
@ -3200,11 +3209,6 @@ function New-MSIXPackage
$null = New-Item -ItemType Directory -Path "$ProductSourcePath\assets"
}
$isPreview = Test-IsPreview -Version $ProductSemanticVersion
if ($isPreview) {
Write-Verbose "Using Preview assets" -Verbose
}
$assets | ForEach-Object {
if ($isPreview) {
Copy-Item -Path "$RepoRoot\assets\$_-Preview.png" -Destination "$ProductSourcePath\assets\$_.png"
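Review bot: The `$releasePublisher` literal in New-MSIXPackage has to match the subject of whatever certificate the signing step selects, but the only thing tying the two together is a comment in the other file. The two comment lines above the assignment name `cp-459155` and `authenticodeFormer` without saying where those sign types are chosen, so I would add `# Must stay in sync with the -SignType used for MSIX files in tools/releaseBuild/generatePackgeSigning.ps1`. It would also help to fail early if a placeholder is left unreplaced, e.g. `if ($appxManifest -match '\$[A-Z]+\$') { throw "Unreplaced placeholder in AppxManifest.xml" }` before the `Set-Content` call. The function starts and ends outside the lines shown, so other uses of the manifest template are not visible here.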


@ -61,5 +61,5 @@ steps:
azureSubscription: '$(AzureFileCopySubscription)'
Destination: AzureBlob
storage: '$(StorageAccount)'
ContainerName: '$(AzureVersion)'
ContainerName: '$(AzureVersion)-private'
condition: and(succeeded(), eq('${{ parameters.msix }}', 'yes'), eq(variables['SHOULD_SIGN'], 'true'))
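Review bot: Appending `-private` to `ContainerName` only changes the container's name; whether the uploaded MSIX files are actually non-public depends on the container's access level, which is not set or checked anywhere in the lines shown. If the intent is to keep the not-yet-store-signed packages out of the public release container, a comment on the step should say so, for example `# MSIX goes to a separate container; its public access level must be 'Private'`. The step begins above the hunk, so any access setting passed earlier in the task inputs is not visible here.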


@ -38,12 +38,16 @@ jobs:
$authenticodefiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msi"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msi"
)
$msixFiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm32.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm64.msix"
)
tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml" -MsixCertType $env:MSIX_TYPE -MsixFiles $msixFiles
displayName: 'Generate Package Signing Xml'
- powershell: |
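Review bot: `-MsixCertType $env:MSIX_TYPE` relies on `MSIX_TYPE` having been set by the `task.setvariable` call in the build-info script, and a variable set that way without `isOutput` is only visible to later steps of the same job. Whether this signing job runs after that script in the same job cannot be told from the hunk; if it does not, the value arrives empty and the script's `ValidateSet` rejects it at signing time. A guard before the call, such as `if (-not $env:MSIX_TYPE) { throw 'MSIX_TYPE is not set for this job' }`, would make that failure explicit. The inline script continues outside the hunk.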


@ -8,7 +8,10 @@ param(
[string[]] $NuPkgFiles,
[string[]] $MacDeveloperFiles,
[string[]] $LinuxFiles,
[string[]] $ThirdPartyFiles
[string[]] $ThirdPartyFiles,
[string[]] $MsixFiles,
[ValidateSet('release','preview')]
[string] $MsixCertType = 'preview'
)
if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
@ -16,6 +19,7 @@ if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
(!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and
(!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and
(!$LinuxFiles -or $LinuxFiles.Count -eq 0) -and
(!$MsixFiles -or $MsixFiles.Count -eq 0) -and
(!$ThirdPartyFiles -or $ThirdPartyFiles.Count -eq 0))
{
throw "At least one file must be specified"
@ -95,6 +99,14 @@ foreach ($file in $ThirdPartyFiles) {
New-FileElement -File $file -SignType 'ThirdParty' -XmlDoc $signingXml -Job $job
}
foreach ($file in $MsixFiles) {
# 'CP-459155' signs for the store only
# AuthenticodeFormer works only for sideloading
# ----------------------------------------------
# update releasePublisher in packaging.psm1 when this is changed
New-FileElement -File $file -SignType 'CP-459155' -XmlDoc $signingXml -Job $job
}
$signingXml.Save($path)
$updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1'
& $updateScriptPath -SigningXmlPath $path
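Review bot: The new `$MsixCertType` parameter is declared and validated but never read in the lines shown; the `foreach ($file in $MsixFiles)` loop passes `-SignType 'CP-459155'` unconditionally. As written, 'preview' and 'release' builds are both signed with the store-only certificate, so the value computed from the branch name has no effect on which key is used. Either select the sign type from `$MsixCertType` inside the loop, or state the current behaviour in the comment block there, e.g. `# $MsixCertType is accepted for future use; all MSIX files currently use CP-459155`. The middle of the script is outside the hunks, so a use of the parameter there cannot be ruled out.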


@ -58,6 +58,8 @@ function New-BuildInfoJson {
$branchOnly = $Branch -replace '^refs/heads/';
$branchOnly = $branchOnly -replace '[_\-]'
$msixType = 'preview'
$isDaily = $false
if($ReleaseTag -eq 'fromBranch' -or !$ReleaseTag)
@ -65,6 +67,7 @@ if($ReleaseTag -eq 'fromBranch' -or !$ReleaseTag)
# Branch is named release-<semver>
if($Branch -match '^.*(release[-/])')
{
$msixType = 'release'
Write-Verbose "release branch:" -Verbose
$releaseTag = $Branch -replace '^.*(release[-/])'
$vstsCommandString = "vso[task.setvariable variable=$Variable]$releaseTag"
@ -127,4 +130,8 @@ $vstsCommandString = "vso[task.setvariable variable=IS_DAILY]$($isDaily.ToString
Write-Verbose -Message "$vstsCommandString" -Verbose
Write-Host -Object "##$vstsCommandString"
$vstsCommandString = "vso[task.setvariable variable=MSIX_TYPE]$msixType"
Write-Verbose -Message "$vstsCommandString" -Verbose
Write-Host -Object "##$vstsCommandString"
Write-Output $releaseTag
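Review bot: `$msixType` becomes 'release' only inside the `$ReleaseTag -eq 'fromBranch' -or !$ReleaseTag` path, and only when `$Branch -match '^.*(release[-/])'` succeeds, so the certificate type published as `MSIX_TYPE` is decided by a loose branch-name match. That pattern accepts any branch whose name contains `release-` or `release/` anywhere. A build started with an explicit release tag also appears to stay on 'preview', although the branch handling that case is outside the hunk. Since this value is meant to pick a signing certificate, I would anchor the match on the branch prefix and add a comment such as `# MSIX_TYPE selects the MSIX signing certificate; only real release branches may set 'release'`.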