[Installer] Upgrade the installer from WiX3 to WiX5 (#40877)

<!-- Enter a brief description/summary of your PR here. What does it
fix/what does it change/how was it tested (even manually, if necessary)?
-->
## Summary of the Pull Request
Background: The current PowerToys installer is built using Wix3, which
has now been deprecated. To improve security, service quality, and
community support, we’re upgrading the installer to Wix5.

Implementation:
Created Wix5-based projects(PowerToysSetupVext and
PowerToysSetupCustomActionsVNext) within the installer while retaining
the existing Wix3 project. Both versions are built to generate separate
installation packages. The Wix3-related code will be removed after
successful release testing confirms no issues.

Special case:
Wix5 has removed the property for 'ShowFilesInUse'. Now, whenever a file
is in use during installation, a FilesInUse pop-upwill automatically
appear asking for the next step. To ensure this doesn't interfere with
scenarios that require silent installation (e.g. Winget method), we’ve
handled it using the bafunction approach.



<!-- Please review the items on the PR checklist before submitting-->
## PR Checklist

- [ ] Closes: #xxx
- [ ] **Communication:** I've discussed this with core contributors
already. If the work hasn't been agreed, this work might be rejected
- [ ] **Tests:** Added/updated and all pass
- [ ] **Localization:** All end-user-facing strings can be localized
- [ ] **Dev docs:** Added/updated
- [ ] **New binaries:** Added on the required places
- [ ] [JSON for
signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json)
for new binaries
- [ ] [WXS for
installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs)
for new binaries and localization folder
- [ ] [YML for CI
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml)
for new test projects
- [ ] [YML for signed
pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml)
- [ ] **Documentation updated:** If checked, please file a pull request
on [our docs
repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys)
and link it here: #xxx

<!-- Provide a more detailed description of the PR, other things fixed,
or any additional comments/features here -->
## Detailed Description of the Pull Request / Additional comments

<!-- Describe how you validated the behavior. Add automated tests
wherever possible, but list manual validation steps taken as well -->
## Validation Steps Performed

---------

Co-authored-by: Jerry Xu <n.xu@outlook.com>
Co-authored-by: Kai Tao <69313318+vanzue@users.noreply.github.com>
Co-authored-by: leileizhang <leilzh@microsoft.com>
Co-authored-by: Kai Tao (from Dev Box) <kaitao@microsoft.com>
Co-authored-by: vanzue <vanzue@outlook.com>

.pipelines/ESRPSigning_installer.json

@@ -5,6 +5,8 @@
         {
             "MatchedPath": [
                 "PowerToysSetupCustomActions.dll",
+                "PowerToysSetupCustomActionsVNext.dll",
+                "SilentFilesInUseBAFunction.dll",
                 "PowerToys*Setup-*.exe",
                 "PowerToys*Setup-*.msi"
             ],

.pipelines/v2/release.yml

@@ -20,6 +20,11 @@ parameters:
     type: string
     default: '0.0.1'
 
+  - name: installerSuffix
+    type: string
+    displayName: "WiX5 installer suffix (e.g., 'wix5', 'vnext', etc.)"
+    default: "wix5"
+
   - name: buildConfigurations
     displayName: "Build Configurations"
     type: object
@@ -104,7 +109,8 @@ extends:
                 useManagedIdentity: $(SigningUseManagedIdentity)
                 clientId: $(SigningOriginalClientId)
               # Have msbuild use the release nuget config profile
-              additionalBuildOptions: /p:RestoreConfigFile="$(Build.SourcesDirectory)\.pipelines\release-nuget.config" /p:EnableCmdPalAOT=${{ parameters.enableAOT }}
+              additionalBuildOptions: /p:RestoreConfigFile="$(Build.SourcesDirectory)\.pipelines\release-nuget.config" /p:EnableCmdPalAOT=${{ parameters.enableAOT }} /p:InstallerSuffix=${{ parameters.installerSuffix }}
+              installerSuffix: ${{ parameters.installerSuffix }}
               beforeBuildSteps:
                 # Sets versions for all PowerToy created DLLs
                 - pwsh: |-

.pipelines/v2/templates/job-build-project.yml

@@ -62,6 +62,9 @@ parameters:
   - name: versionNumber
     type: string
     default: '0.0.1'
+  - name: installerSuffix
+    type: string
+    default: "wix5"
   - name: useLatestWinAppSDK
     type: boolean
     default: false
@@ -476,6 +479,23 @@ jobs:
       additionalBuildOptions: ${{ parameters.additionalBuildOptions }}
       buildUserInstaller: true # NOTE: This is the distinction between the above and below rules
 
+  - template: steps-build-installer-vnext.yml
+    parameters:
+      codeSign: ${{ parameters.codeSign }}
+      signingIdentity: ${{ parameters.signingIdentity }}
+      versionNumber: ${{ parameters.versionNumber }}
+      additionalBuildOptions: ${{ parameters.additionalBuildOptions }}
+      installerSuffix: ${{ parameters.installerSuffix }}
+
+  - template: steps-build-installer-vnext.yml
+    parameters:
+      codeSign: ${{ parameters.codeSign }}
+      signingIdentity: ${{ parameters.signingIdentity }}
+      versionNumber: ${{ parameters.versionNumber }}
+      additionalBuildOptions: ${{ parameters.additionalBuildOptions }}
+      installerSuffix: ${{ parameters.installerSuffix }}
+      buildUserInstaller: true # NOTE: This is the distinction between the above and below rules
+
   # This saves ~1GiB per architecture. We won't need these later.
   # Removes:
   # - All .pdb files from any static libs .libs (which were only used during linking)
@@ -494,7 +514,9 @@ jobs:
   - task: CopyFiles@2
     displayName: Stage Installers
     inputs:
-      contents: "**/PowerToys*Setup-*.exe"
+      contents: |-
+        **/PowerToys*Setup-*.exe
+        !**/PowerToysSetupVNext/obj/**
       flattenFolders: True
       targetFolder: $(JobOutputDirectory)
 
@@ -510,26 +532,48 @@ jobs:
 
   - pwsh: |-
       $p = "$(JobOutputDirectory)\"
-      $userHash = ((Get-Item $p\PowerToysUserSetup*.exe | Get-FileHash).Hash);
-      $machineHash = ((Get-Item $p\PowerToysSetup*.exe | Get-FileHash).Hash);
-      $userPlat = "hash_user_$(BuildPlatform).txt";
-      $machinePlat = "hash_machine_$(BuildPlatform).txt";
-      $combinedUserPath = $p + $userPlat;
-      $combinedMachinePath = $p + $machinePlat;
-
-      echo $p
-
-      echo $userPlat
-      echo $userHash
-      echo $combinedUserPath
-
-      echo $machinePlat
-      echo $machineHash
-      echo $combinedMachinePath
-
-      $userHash | out-file -filepath $combinedUserPath
-      $machineHash | out-file -filepath $combinedMachinePath
-    displayName: Calculate file hashes
+      $installerSuffix = "${{ parameters.installerSuffix }}"
+      
+      # Calculate hashes for regular installers (without custom suffix)
+      $userSetupFiles = Get-ChildItem -Path $p -Filter "PowerToysUserSetup*.exe" | Where-Object { $_.Name -notmatch "-$installerSuffix-" }
+      $machineSetupFiles = Get-ChildItem -Path $p -Filter "PowerToysSetup*.exe" | Where-Object { $_.Name -notmatch "-$installerSuffix-" -and $_.Name -notmatch "PowerToysUserSetup" }
+      
+      if ($userSetupFiles.Count -gt 0) {
+          $userHash = ($userSetupFiles[0] | Get-FileHash).Hash;
+          $userPlat = "hash_user_$(BuildPlatform).txt";
+          $combinedUserPath = $p + $userPlat;
+          echo "Regular User: $userHash"
+          $userHash | out-file -filepath $combinedUserPath
+      }
+      
+      if ($machineSetupFiles.Count -gt 0) {
+          $machineHash = ($machineSetupFiles[0] | Get-FileHash).Hash;
+          $machinePlat = "hash_machine_$(BuildPlatform).txt";
+          $combinedMachinePath = $p + $machinePlat;
+          echo "Regular Machine: $machineHash"
+          $machineHash | out-file -filepath $combinedMachinePath
+      }
+      
+      # Calculate hashes for VNext installers (with custom suffix)
+      $userVNextFiles = Get-ChildItem -Path $p -Filter "PowerToysUserSetup*-$installerSuffix-*.exe"
+      $machineVNextFiles = Get-ChildItem -Path $p -Filter "PowerToysSetup*-$installerSuffix-*.exe" | Where-Object { $_.Name -notmatch "PowerToysUserSetup" }
+      
+      if ($userVNextFiles.Count -gt 0) {
+          $userVNextHash = ($userVNextFiles[0] | Get-FileHash).Hash;
+          $userVNextPlat = "hash_user_vnext_$(BuildPlatform).txt";
+          $combinedUserVNextPath = $p + $userVNextPlat;
+          echo "VNext User: $userVNextHash"
+          $userVNextHash | out-file -filepath $combinedUserVNextPath
+      }
+      
+      if ($machineVNextFiles.Count -gt 0) {
+          $machineVNextHash = ($machineVNextFiles[0] | Get-FileHash).Hash;
+          $machineVNextPlat = "hash_machine_vnext_$(BuildPlatform).txt";
+          $combinedMachineVNextPath = $p + $machineVNextPlat;
+          echo "VNext Machine: $machineVNextHash"
+          $machineVNextHash | out-file -filepath $combinedMachineVNextPath
+      }
+    displayName: Calculate file hashes for all installers
 
   # Publishing the GPO files
   - pwsh: |-

.pipelines/v2/templates/steps-build-installer-vnext.yml

@@ -0,0 +1,208 @@
+parameters:
+  - name: versionNumber
+    type: string
+    default: "0.0.1"
+  - name: buildUserInstaller
+    type: boolean
+    default: false
+  - name: codeSign
+    type: boolean
+    default: false
+  - name: signingIdentity
+    type: object
+    default: {}
+  - name: additionalBuildOptions
+    type: string
+    default: ''
+  - name: installerSuffix
+    type: string
+    default: "wix5"
+
+steps:
+  # Install WiX 5.0.2 tools needed for VNext installer (matching project SDK)
+  - task: DotNetCoreCLI@2
+    displayName: Install WiX 5.0.2 tools
+    inputs:
+      command: 'custom'
+      custom: 'tool'
+      arguments: 'install --global wix --version 5.0.2'
+
+  - pwsh: |-
+      & git clean -xfd -e *exe -- .\installer\
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Clean installer to reduce cross-contamination
+
+  - pwsh: |-
+      # Determine whether this is a per-user build
+      $IsPerUser = $${{ parameters.buildUserInstaller }}
+
+      # Build slug used to locate the artifacts
+      $InstallerBuildSlug = if ($IsPerUser) { 'UserSetup' } else { 'MachineSetup' }
+
+      # VNext bundle folder; base name intentionally omits the VNext suffix
+      $InstallerFolder = 'PowerToysSetupVNext'
+      if ($IsPerUser) {
+        $InstallerBasename = "PowerToysUserSetup-${{ parameters.versionNumber }}-${{ parameters.installerSuffix }}-$(BuildPlatform)"
+      }
+      else {
+        $InstallerBasename = "PowerToysSetup-${{ parameters.versionNumber }}-${{ parameters.installerSuffix }}-$(BuildPlatform)"
+      }
+
+      # Export variables for downstream steps
+      Write-Host "##vso[task.setvariable variable=InstallerBuildSlug]$InstallerBuildSlug"
+      Write-Host "##vso[task.setvariable variable=InstallerRelativePath]$(BuildPlatform)\$(BuildConfiguration)\$InstallerBuildSlug"
+      Write-Host "##vso[task.setvariable variable=InstallerBasename]$InstallerBasename"
+      Write-Host "##vso[task.setvariable variable=InstallerFolder]$InstallerFolder"
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Prepare Installer variables
+
+  # This dll needs to be built and signed before building the MSI.
+  - task: VSBuild@1
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Build PowerToysSetupCustomActionsVNext
+    inputs:
+      solution: "**/installer/PowerToysSetup.sln"
+      vsVersion: 17.0
+      msbuildArgs: >-
+        /t:PowerToysSetupCustomActionsVNext
+        /p:RunBuildEvents=true;PerUser=${{parameters.buildUserInstaller}};RestorePackagesConfig=true;CIBuild=true
+        /p:InstallerSuffix=${{ parameters.installerSuffix }}
+        -restore -graph
+        /bl:$(LogOutputDirectory)\installer-$(InstallerBuildSlug)-actions.binlog
+        ${{ parameters.additionalBuildOptions }}
+      platform: $(BuildPlatform)
+      configuration: $(BuildConfiguration)
+      clean: true
+      msbuildArchitecture: x64
+      maximumCpuCount: true
+
+  - ${{ if eq(parameters.codeSign, true) }}:
+    - template: steps-esrp-signing.yml
+      parameters:
+        displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign PowerToysSetupCustomActionsVNext
+        signingIdentity: ${{ parameters.signingIdentity }}
+        inputs:
+          FolderPath: 'installer/PowerToysSetupCustomActionsVNext/$(InstallerRelativePath)'
+          signType: batchSigning
+          batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
+          ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
+  ## INSTALLER START
+  #### MSI BUILDING AND SIGNING
+  - task: VSBuild@1
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Build VNext MSI
+    inputs:
+      solution: "**/installer/PowerToysSetup.sln"
+      vsVersion: 17.0
+      msbuildArgs: >-
+        -restore
+        /t:PowerToysInstallerVNext
+        /p:RunBuildEvents=false;PerUser=${{parameters.buildUserInstaller}};BuildProjectReferences=false;CIBuild=true
+        /p:InstallerSuffix=${{ parameters.installerSuffix }}
+        /bl:$(LogOutputDirectory)\installer-$(InstallerBuildSlug)-msi.binlog
+        ${{ parameters.additionalBuildOptions }}
+      platform: $(BuildPlatform)
+      configuration: $(BuildConfiguration)
+      clean: false # don't undo our hard work above by deleting the CustomActions dll
+      msbuildArchitecture: x64
+      maximumCpuCount: true
+
+  - script: |-
+      wix msi decompile installer\$(InstallerFolder)\$(InstallerRelativePath)\$(InstallerBasename).msi -x $(build.sourcesdirectory)\extractedMsi
+      dir $(build.sourcesdirectory)\extractedMsi
+    displayName: "${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} WiX5: Extract and verify MSI"
+
+  # Check if deps.json files don't reference different dll versions.
+  - pwsh: |-
+      & '.pipelines/verifyDepsJsonLibraryVersions.ps1' -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Audit deps.json in MSI extracted files
+
+  - ${{ if eq(parameters.codeSign, true) }}:
+    - pwsh: |-
+        & .pipelines/versionAndSignCheck.ps1 -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
+        & .pipelines/versionAndSignCheck.ps1 -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
+        git clean -xfd ./extractedMsi
+      displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Verify all binaries are signed and versioned
+
+    - template: steps-esrp-signing.yml
+      parameters:
+        displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign VNext MSI
+        signingIdentity: ${{ parameters.signingIdentity }}
+        inputs:
+          FolderPath: 'installer/$(InstallerFolder)/$(InstallerRelativePath)'
+          signType: batchSigning
+          batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
+          ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
+  #### END MSI
+  #### BOOTSTRAP BUILDING AND SIGNING
+  - task: VSBuild@1
+    displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Build VNext Bootstrapper
+    inputs:
+      solution: "**/installer/PowerToysSetup.sln"
+      vsVersion: 17.0
+      msbuildArgs: >-
+        -restore
+        /t:PowerToysBootstrapperVNext
+        /p:PerUser=${{parameters.buildUserInstaller}};CIBuild=true
+        /p:InstallerSuffix=${{ parameters.installerSuffix }}
+        /bl:$(LogOutputDirectory)\installer-$(InstallerBuildSlug)-bootstrapper.binlog
+        -restore -graph
+        ${{ parameters.additionalBuildOptions }}
+      platform: $(BuildPlatform)
+      configuration: $(BuildConfiguration)
+      clean: false # don't undo our hard work above by deleting the MSI
+      msbuildArchitecture: x64
+      maximumCpuCount: true
+
+  # The entirety of bundle unpacking/re-packing is unnecessary if we are not code signing it.
+  - ${{ if eq(parameters.codeSign, true) }}:
+    - script: |-
+        wix burn detach installer\$(InstallerFolder)\$(InstallerRelativePath)\$(InstallerBasename).exe -engine installer\engine.exe
+      displayName: "${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} WiX5: Extract Engine from Bundle"
+
+    - template: steps-esrp-signing.yml
+      parameters:
+        displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign WiX Engine
+        signingIdentity: ${{ parameters.signingIdentity }}
+        inputs:
+          FolderPath: "installer"
+          Pattern: engine.exe
+          signConfigType: inlineSignParams
+          inlineOperation: |
+            [
+                {
+                    "KeyCode": "CP-230012",
+                    "OperationCode": "SigntoolSign",
+                    "Parameters": {
+                        "OpusName": "Microsoft",
+                        "OpusInfo": "http://www.microsoft.com",
+                        "FileDigest": "/fd \"SHA256\"",
+                        "PageHash": "/NPH",
+                        "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                    },
+                    "ToolName": "sign",
+                    "ToolVersion": "1.0"
+                },
+                {
+                    "KeyCode": "CP-230012",
+                    "OperationCode": "SigntoolVerify",
+                    "Parameters": {},
+                    "ToolName": "sign",
+                    "ToolVersion": "1.0"
+                }
+            ]
+
+    - script: |-
+        wix burn reattach installer\$(InstallerFolder)\$(InstallerRelativePath)\$(InstallerBasename).exe -engine installer\engine.exe -o installer\$(InstallerFolder)\$(InstallerRelativePath)\$(InstallerBasename).exe
+      displayName: "${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} WiX5: Reattach Engine to Bundle"
+
+    - template: steps-esrp-signing.yml
+      parameters:
+        displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign Final Bootstrapper
+        signingIdentity: ${{ parameters.signingIdentity }}
+        inputs:
+          FolderPath: 'installer/$(InstallerFolder)/$(InstallerRelativePath)'
+          signType: batchSigning
+          batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
+          ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
+  #### END BOOTSTRAP
+  ## END INSTALLER