Files
PowerToys/src/PackageIdentity/BuildSparsePackage.ps1

423 lines
16 KiB
PowerShell
Raw Normal View History

Introduce shared sparse package identity for PowerToys (#42352) <!-- Enter a brief description/summary of your PR here. What does it fix/what does it change/how was it tested (even manually, if necessary)? --> ## Summary of the Pull Request This pull request adds support for building, installing, and managing a shared sparse MSIX package to grant package identity to select Win32 components in PowerToys. It introduces a new `PackageIdentity` project, updates the installer to handle the new MSIX package during install/uninstall, and provides developer documentation for working with the sparse package. Additionally, new dependencies and signing rules are included to support these changes. **Sparse Package Identity Support** * Added new `PackageIdentity` project to the solution for building the sparse MSIX package, and included it in solution/project build configurations (`PowerToys.sln`). [[1]](diffhunk://#diff-ca837ce490070b91656ffffe31cbad8865ba9174e0f020231f77baf35ff3f811R29) [[2]](diffhunk://#diff-ca837ce490070b91656ffffe31cbad8865ba9174e0f020231f77baf35ff3f811R54-R55) [[3]](diffhunk://#diff-ca837ce490070b91656ffffe31cbad8865ba9174e0f020231f77baf35ff3f811R873-R880) * Added developer documentation (`sparse-package.md`) and updated documentation indexes to describe how to build, register, and consume the sparse MSIX package. [[1]](diffhunk://#diff-b4e39fb55a49c6de336d5847d75a55dd1d14840578da0ed9130f0130b61b34aaR1-R87) [[2]](diffhunk://#diff-d0f204e503506a26ef2aa3605a8d64ac353393526fb5dcf48d4287c821f3edbcR31) [[3]](diffhunk://#diff-430296c8d28f70d8a0164b44d7dfc30ffb1fb32466dad181947f35885b7f28d1R13) **Installer Enhancements** * Implemented new custom actions in the installer to install and uninstall the `PowerToysSparse.msix` package, supporting both per-user and machine-level scenarios (`CustomAction.cpp`, `CustomAction.def`, `Product.wxs`). [[1]](diffhunk://#diff-a7680a20bf0315cff463a95588a100c99d2afc53030f6e947f1f1dcaca5eefd7R597-R806) [[2]](diffhunk://#diff-79daec0ccfcea63a2f3acb7d811b8b508529921123c754111bbccbea98b2bd74R36-R37) [[3]](diffhunk://#diff-c12203517db7cde9ad34df9e6611457d1d3c7bc8eb7d58e06739887d3c1034afR115) [[4]](diffhunk://#diff-c12203517db7cde9ad34df9e6611457d1d3c7bc8eb7d58e06739887d3c1034afR127) [[5]](diffhunk://#diff-c12203517db7cde9ad34df9e6611457d1d3c7bc8eb7d58e06739887d3c1034afR149) [[6]](diffhunk://#diff-c12203517db7cde9ad34df9e6611457d1d3c7bc8eb7d58e06739887d3c1034afR205-R210) **Build and Dependency Updates** * Added new NuGet package dependencies for Windows App SDK AI and Runtime to support MSIX and sparse package features (`Directory.Packages.props`). * Updated signing pipeline to include the new `PowerToysSparse.msix` artifact (`.pipelines/ESRPSigning_core.json`). <!-- Please review the items on the PR checklist before submitting--> ## PR Checklist - [ ] Closes: #xxx - [ ] **Communication:** I've discussed this with core contributors already. If the work hasn't been agreed, this work might be rejected - [ ] **Tests:** Added/updated and all pass - [ ] **Localization:** All end-user-facing strings can be localized - [ ] **Dev docs:** Added/updated - [ ] **New binaries:** Added on the required places - [ ] [JSON for signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json) for new binaries - [ ] [WXS for installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs) for new binaries and localization folder - [ ] [YML for CI pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml) for new test projects - [ ] [YML for signed pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml) - [ ] **Documentation updated:** If checked, please file a pull request on [our docs repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys) and link it here: #xxx <!-- Provide a more detailed description of the PR, other things fixed, or any additional comments/features here --> ## Detailed Description of the Pull Request / Additional comments <!-- Describe how you validated the behavior. Add automated tests wherever possible, but list manual validation steps taken as well --> ## Validation Steps Performed --------- Co-authored-by: Gordon Lam (SH) <yeelam@microsoft.com>
2025-10-20 08:52:49 +08:00
#Requires -Version 5.1
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false)]
[ValidateSet("arm64", "x64")]
[string]$Platform = "x64",
[Parameter(Mandatory=$false)]
[ValidateSet("Debug", "Release")]
[string]$Configuration = "Release",
[switch]$Clean,
[switch]$ForceCert,
[switch]$NoSign,
[switch]$CIBuild
)
# PowerToys sparse packaging helper.
# Generates a sparse MSIX (no payload) that grants package identity to selected Win32 components.
# Multiple applications (PowerOCR, Settings UI, etc.) can share this single sparse identity.
$ErrorActionPreference = 'Stop'
$isCIBuild = $false
if ($CIBuild.IsPresent) {
$isCIBuild = $true
} elseif ($env:CIBuild) {
$isCIBuild = $env:CIBuild -ieq 'true'
}
$currentPublisherHint = $script:Config.CertSubject
# Configuration constants - centralized management
$script:Config = @{
IdentityName = "Microsoft.PowerToys.SparseApp"
SparseMsixName = "PowerToysSparse.msix"
CertPrefix = "PowerToysSparse"
CertSubject = 'CN=PowerToys Dev, O=PowerToys, L=Redmond, S=Washington, C=US'
CertValidMonths = 12
}
#region Helper Functions
function Find-WindowsSDKTool {
[CmdletBinding()]
param(
[Parameter(Mandatory)]
[string]$ToolName,
[Parameter(Mandatory=$false)]
[string]$Architecture = "x64"
)
# Simple fallback: check common Windows SDK locations
$commonPaths = @(
"${env:ProgramFiles}\Windows Kits\10\bin\*\$Architecture\$ToolName",
"${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\$Architecture\$ToolName",
"${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x86\$ToolName" # SignTool fallback
)
foreach ($pattern in $commonPaths) {
$found = Get-ChildItem $pattern -ErrorAction SilentlyContinue |
Sort-Object Name -Descending |
Select-Object -First 1
if ($found) {
Write-BuildLog "Found $ToolName at: $($found.FullName)" -Level Info
return $found.FullName
}
}
throw "$ToolName not found. Please ensure Windows SDK is installed."
}
function Test-CertificateValidity {
param([string]$ThumbprintFile)
if (-not (Test-Path $ThumbprintFile)) { return $false }
try {
$thumb = (Get-Content $ThumbprintFile -Raw).Trim()
if (-not $thumb) { return $false }
$cert = Get-Item "cert:\CurrentUser\My\$thumb" -ErrorAction Stop
return $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date)
} catch {
return $false
}
}
function Write-BuildLog {
param([string]$Message, [string]$Level = "Info")
$colors = @{ Error = "Red"; Warning = "Yellow"; Success = "Green"; Info = "Cyan" }
$color = if ($colors.ContainsKey($Level)) { $colors[$Level] } else { "White" }
Write-Host "[$(Get-Date -f 'HH:mm:ss')] $Message" -ForegroundColor $color
}
function Stop-FileProcesses {
[CmdletBinding()]
param(
[Parameter(Mandatory)]
[string]$FilePath
)
# This function is kept for compatibility but simplified since
# the staging directory approach resolves the file lock issues
Write-Verbose "File process check for: $FilePath"
}
#endregion
# Environment diagnostics for troubleshooting
Write-BuildLog "Starting PackageIdentity build process..." -Level Info
Write-BuildLog "PowerShell Version: $($PSVersionTable.PSVersion)" -Level Info
try {
$execPolicy = Get-ExecutionPolicy
Write-BuildLog "Execution Policy: $execPolicy" -Level Info
} catch {
Write-BuildLog "Execution Policy: Unable to determine (MSBuild environment)" -Level Info
}
Write-BuildLog "Current User: $env:USERNAME" -Level Info
Write-BuildLog "Build Platform: $Platform, Configuration: $Configuration" -Level Info
# Check for Visual Studio environment
if ($env:VSINSTALLDIR) {
Write-BuildLog "Running in Visual Studio environment: $env:VSINSTALLDIR" -Level Info
}
# Ensure certificate provider is available
try {
# Force load certificate provider for MSBuild environment
if (-not (Get-PSProvider -PSProvider Certificate -ErrorAction SilentlyContinue)) {
Write-BuildLog "Loading certificate provider..." -Level Warning
Import-Module Microsoft.PowerShell.Security -Force
}
if (-not (Test-Path 'Cert:\CurrentUser')) {
Write-BuildLog "Certificate drive not available, attempting to initialize..." -Level Warning
Import-Module PKI -ErrorAction SilentlyContinue
# Try to access the certificate store to force initialization
Get-ChildItem "Cert:\CurrentUser\My" -ErrorAction SilentlyContinue | Out-Null
}
} catch {
Write-BuildLog ("Note: Certificate provider setup may need manual configuration: {0}" -f $_) -Level Warning
}
# Project root folder (now set to current script folder for local builds)
$ProjectRoot = $PSScriptRoot
$UserFolder = Join-Path $ProjectRoot '.user'
if (-not (Test-Path $UserFolder)) { New-Item -ItemType Directory -Path $UserFolder | Out-Null }
# Certificate file paths using configuration
$prefix = $script:Config.CertPrefix
$CertThumbFile, $CertCerFile = @('.thumbprint', '.cer') |
ForEach-Object { Join-Path $UserFolder "$prefix.certificate.sample$_" }
# Clean option: remove bin/obj and uninstall existing sparse package if present
if ($Clean) {
Write-BuildLog "Cleaning build artifacts..." -Level Info
'bin','obj' | ForEach-Object {
$target = Join-Path $ProjectRoot $_
if (Test-Path $target) { Remove-Item $target -Recurse -Force }
}
Write-BuildLog "Attempting to remove existing sparse package (best effort)" -Level Info
try { Get-AppxPackage -Name $script:Config.IdentityName | Remove-AppxPackage } catch {}
}
# Force certificate regeneration if requested
if ($ForceCert -and (Test-Path $UserFolder)) {
Write-BuildLog "ForceCert specified: removing existing certificate artifacts..." -Level Warning
Remove-Item $UserFolder -Recurse -Force
New-Item -ItemType Directory -Path $UserFolder | Out-Null
}
# Ensure dev cert (development only; not for production use) - skip if NoSign specified
$needNewCert = -not $NoSign -and (-not (Test-Path $CertThumbFile) -or $ForceCert -or -not (Test-CertificateValidity -ThumbprintFile $CertThumbFile))
if ($needNewCert) {
Write-BuildLog "Generating development certificate (prefix=$($script:Config.CertPrefix))..." -Level Info
# Clear stale files in the certificate cache
if (Test-Path $UserFolder) {
Get-ChildItem -Path $UserFolder | ForEach-Object {
if ($_.PSIsContainer) {
Remove-Item $_.FullName -Recurse -Force
} else {
Remove-Item $_.FullName -Force
}
}
}
if (-not (Test-Path $UserFolder)) {
New-Item -ItemType Directory -Path $UserFolder | Out-Null
}
$now = Get-Date
$expiration = $now.AddMonths($script:Config.CertValidMonths)
# Subject MUST match <Identity Publisher="..."> inside AppxManifest.xml
$friendlyName = "PowerToys Dev Sparse Cert Create=$now"
$keyFriendly = "PowerToys Dev Sparse Key Create=$now"
$certStore = 'cert:\CurrentUser\My'
$ekuOid = '2.5.29.37'
$ekuValue = '1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13'
$eku = "$ekuOid={text}$ekuValue"
$cert = New-SelfSignedCertificate -CertStoreLocation $certStore `
-NotAfter $expiration `
-Subject $script:Config.CertSubject `
-FriendlyName $friendlyName `
-KeyFriendlyName $keyFriendly `
-KeyDescription $keyFriendly `
-TextExtension $eku
# Export certificate files
Set-Content -Path $CertThumbFile -Value $cert.Thumbprint -Force
Export-Certificate -Cert $cert -FilePath $CertCerFile -Force | Out-Null
}
# Determine output directory - using PowerToys standard structure
# Navigate to PowerToys root (two levels up from src/PackageIdentity)
$PowerToysRoot = Split-Path (Split-Path $ProjectRoot -Parent) -Parent
$outDir = Join-Path $PowerToysRoot "$Platform\$Configuration"
if (-not (Test-Path $outDir)) {
Write-BuildLog "Creating output directory: $outDir" -Level Info
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
}
# PackageIdentity folder (this script location) containing the sparse manifest and assets
$sparseDir = $PSScriptRoot
$manifestPath = Join-Path $sparseDir 'AppxManifest.xml'
if (-not (Test-Path $manifestPath)) { throw "Missing AppxManifest.xml in PackageIdentity folder: $manifestPath" }
$versionPropsPath = Join-Path $PowerToysRoot 'src\Version.props'
$targetManifestVersion = $null
$versionCandidate = $null
if (Test-Path $versionPropsPath) {
try {
[xml]$propsXml = Get-Content -Path $versionPropsPath -Raw
$versionCandidate = $propsXml.Project.PropertyGroup.Version
} catch {
Write-BuildLog ("Unable to read version from {0}: {1}" -f $versionPropsPath, $_) -Level Warning
}
} else {
Write-BuildLog "Version.props not found at $versionPropsPath; manifest version will remain unchanged." -Level Warning
}
if ($versionCandidate) {
$targetManifestVersion = $versionCandidate.Trim()
if (($targetManifestVersion -split '\.').Count -lt 4) {
$targetManifestVersion = "$targetManifestVersion.0"
}
Write-BuildLog "Using sparse package version from Version.props: $targetManifestVersion" -Level Info
} else {
Write-BuildLog "No version value provided; manifest version will remain unchanged." -Level Info
}
# Find MakeAppx.exe from Windows SDK
try {
$hostSdkArchitecture = if ([System.Environment]::Is64BitProcess) { 'x64' } else { 'x86' }
$makeAppxPath = Find-WindowsSDKTool -ToolName "makeappx.exe" -Architecture $hostSdkArchitecture
} catch {
Write-Error "MakeAppx.exe not found. Please ensure Windows SDK is installed."
exit 1
}
# Pack sparse MSIX from PackageIdentity folder
$msixPath = Join-Path $outDir $script:Config.SparseMsixName
# Clean up existing MSIX file
if (Test-Path $msixPath) {
Write-BuildLog "Removing existing MSIX file..." -Level Info
try {
Remove-Item $msixPath -Force -ErrorAction Stop
Write-BuildLog "Successfully removed existing MSIX file" -Level Success
} catch {
Write-BuildLog ("Warning: Could not remove existing MSIX file: {0}" -f $_) -Level Warning
}
}
# Create a clean staging directory to avoid file lock issues
$stagingDir = Join-Path $outDir "staging"
if (Test-Path $stagingDir) {
Remove-Item $stagingDir -Recurse -Force -ErrorAction SilentlyContinue
}
New-Item -ItemType Directory -Path $stagingDir -Force | Out-Null
try {
Write-BuildLog "Creating clean staging directory for packaging..." -Level Info
# Copy only essential files to staging directory to avoid file locks
$essentialFiles = @(
"AppxManifest.xml"
"Images\*"
)
foreach ($filePattern in $essentialFiles) {
$sourcePath = Join-Path $sparseDir $filePattern
$relativePath = $filePattern
if ($filePattern.Contains('\')) {
$targetDir = Join-Path $stagingDir (Split-Path $relativePath -Parent)
if (-not (Test-Path $targetDir)) {
New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}
}
if ($filePattern.EndsWith('\*')) {
# Copy directory contents
$sourceDir = $sourcePath.TrimEnd('\*')
$targetDir = Join-Path $stagingDir (Split-Path $relativePath.TrimEnd('\*') -Parent)
if (Test-Path $sourceDir) {
Copy-Item -Path "$sourceDir\*" -Destination $targetDir -Force -ErrorAction SilentlyContinue
}
} else {
# Copy single file
$targetPath = Join-Path $stagingDir $relativePath
if (Test-Path $sourcePath) {
Copy-Item -Path $sourcePath -Destination $targetPath -Force -ErrorAction SilentlyContinue
}
}
}
# Ensure publisher matches the dev certificate for local builds
$manifestStagingPath = Join-Path $stagingDir 'AppxManifest.xml'
$shouldUseDevPublisher = -not $isCIBuild
if (Test-Path $manifestStagingPath) {
try {
[xml]$manifestXml = Get-Content -Path $manifestStagingPath -Raw
$identityNode = $manifestXml.Package.Identity
$manifestChanged = $false
if ($identityNode) {
$currentPublisherHint = $identityNode.Publisher
}
if ($identityNode) {
if ($targetManifestVersion -and $identityNode.Version -ne $targetManifestVersion) {
Write-BuildLog "Updating manifest version to $targetManifestVersion" -Level Info
$identityNode.SetAttribute('Version', $targetManifestVersion)
$manifestChanged = $true
}
if ($shouldUseDevPublisher -and $identityNode.Publisher -ne $script:Config.CertSubject) {
Write-BuildLog "Updating manifest publisher for local build" -Level Warning
$identityNode.SetAttribute('Publisher', $script:Config.CertSubject)
$manifestChanged = $true
}
$currentPublisherHint = $identityNode.Publisher
}
if ($manifestChanged) {
$manifestXml.Save($manifestStagingPath)
}
} catch {
Write-BuildLog ("Unable to adjust manifest metadata: {0}" -f $_) -Level Warning
}
}
Write-BuildLog "Staging directory prepared with essential files only" -Level Success
# Pack MSIX using staging directory
Write-BuildLog "Packing sparse MSIX ($($script:Config.SparseMsixName)) from staging -> $msixPath" -Level Info
& $makeAppxPath pack /d $stagingDir /p $msixPath /nv /o
if ($LASTEXITCODE -eq 0 -and (Test-Path $msixPath)) {
Write-BuildLog "MSIX packaging completed successfully" -Level Success
} else {
Write-BuildLog "MakeAppx failed with exit code $LASTEXITCODE" -Level Error
exit 1
}
} finally {
# Clean up staging directory
if (Test-Path $stagingDir) {
try {
Remove-Item $stagingDir -Recurse -Force -ErrorAction SilentlyContinue
Write-BuildLog "Cleaned up staging directory" -Level Info
} catch {
Write-BuildLog ("Warning: Could not clean up staging directory: {0}" -f $_) -Level Warning
}
}
}
# Sign package (skip if NoSign specified for CI scenarios)
if ($NoSign) {
Write-BuildLog "Skipping signing (NoSign specified for CI build)" -Level Warning
} else {
# Use certificate thumbprint for signing (safer, no password)
$certThumbprint = (Get-Content -Path $CertThumbFile -Raw).Trim()
try {
$signToolPath = Find-WindowsSDKTool -ToolName "signtool.exe"
} catch {
Write-Error "SignTool.exe not found. Please ensure Windows SDK is installed."
exit 1
}
Write-BuildLog "Signing sparse MSIX using cert thumbprint $certThumbprint..." -Level Info
& $signToolPath sign /fd SHA256 /sha1 $certThumbprint $msixPath
if ($LASTEXITCODE -ne 0) {
Write-Warning "SignTool failed (exit $LASTEXITCODE). Ensure the certificate is in CurrentUser\\My and try -ForceCert if needed."
exit $LASTEXITCODE
}
}
$publisherHintFile = Join-Path $UserFolder "$($script:Config.CertPrefix).publisher.txt"
try {
Set-Content -Path $publisherHintFile -Value $currentPublisherHint -Force -NoNewline
} catch {
Write-BuildLog ("Unable to write publisher hint: {0}" -f $_) -Level Warning
}
Write-BuildLog "`nPackage created: $msixPath" -Level Success
if ($NoSign) {
Write-BuildLog "UNSIGNED package created for CI build. Sign before deployment." -Level Warning
} else {
Write-BuildLog "Install the dev certificate (once): $CertCerFile" -Level Info
Write-BuildLog "Identity Name: $($script:Config.IdentityName)" -Level Info
}
Write-BuildLog "Register sparse package:" -Level Info
Write-BuildLog " Add-AppxPackage -Path `"$msixPath`" -ExternalLocation `"$outDir`"" -Level Warning
Write-BuildLog "(If already installed and you changed manifest only): Add-AppxPackage -Register `"$manifestPath`" -ExternalLocation `"$outDir`" -ForceApplicationShutdown" -Level Warning