From eeda2ec98573cca4f337506ce5564c439dec4423 Mon Sep 17 00:00:00 2001 From: Jaime Bernardo Date: Fri, 24 Jun 2022 13:06:44 +0100 Subject: [PATCH] [ci][build]Sign PowerToysSetupCustomActions.dll (#18992) * [ci]Sign PowerToysSetupCustomActions.dll * Specifically sign the Custom Actions dll * Proper dll build path * Verify if dll inside msi is really signed --- .pipelines/ESRPSigning_core.json | 2 -- .pipelines/ESRPSigning_installer.json | 1 + .pipelines/release.yml | 34 +++++++++++++++++++++++---- .pipelines/versionAndSignCheck.ps1 | 2 +- 4 files changed, 32 insertions(+), 7 deletions(-) diff --git a/.pipelines/ESRPSigning_core.json b/.pipelines/ESRPSigning_core.json index 351a97070f..b8a7fedff5 100644 --- a/.pipelines/ESRPSigning_core.json +++ b/.pipelines/ESRPSigning_core.json @@ -6,8 +6,6 @@ "MatchedPath": [ "*.resources.dll", - "PowerToysSetupCustomActions.dll", - "PowerToys.ActionRunner.exe", "PowerToys.Update.exe", "PowerToys.BackgroundActivatorDLL.dll", diff --git a/.pipelines/ESRPSigning_installer.json b/.pipelines/ESRPSigning_installer.json index 8a2804dd45..dea4efc7f4 100644 --- a/.pipelines/ESRPSigning_installer.json +++ b/.pipelines/ESRPSigning_installer.json @@ -4,6 +4,7 @@ "SignBatches": [ { "MatchedPath": [ + "PowerToysSetupCustomActions.dll", "PowerToysSetup-*.exe", "PowerToysSetup-*.msi" ], diff --git a/.pipelines/release.yml b/.pipelines/release.yml index 6d93a0f4ac..15a02b90ca 100644 --- a/.pipelines/release.yml +++ b/.pipelines/release.yml 
@@ -279,23 +279,43 @@ jobs: configuration: $(BuildConfiguration) maximumCpuCount: true + - task: VSBuild@1 + displayName: Build PowerToysSetupCustomActions DLL # This dll needs to be build and signed before building the MSI. + inputs: + solution: '**/installer/PowerToysSetup.sln' + vsVersion: 17.0 + msbuildArgs: /p:CIBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog /t:PowerToysSetupCustomActions + platform: $(BuildPlatform) + configuration: $(BuildConfiguration) + maximumCpuCount: true + #### MAIN SIGNING AREA # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: Sign PowerToysSetupCustomActions DLL + inputs: + ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)' + signType: batchSigning + batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json' + ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign Core PT inputs: ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' - FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64. This path will also work for PowerToysSetupCustomActions which is in a different root dir + FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64. 
signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign x86 directshow VCM inputs: ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' - FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64. This path will also work for PowerToysSetupCustomActions which is in a different root dir + FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64. signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' @@ -312,7 +332,7 @@ jobs: msbuildArgs: /p:CIBuild=true /target:PowerToysInstaller /bl:$(Build.SourcesDirectory)\msbuild.binlog platform: $(BuildPlatform) configuration: $(BuildConfiguration) - clean: true + clean: false # don't undo our hard work above by deleting the CustomActions dll maximumCpuCount: true - task: CmdLine@2 @@ -328,7 +348,13 @@ jobs: inputs: scriptName: .pipelines/versionAndSignCheck.ps1 arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File' - + + - task: PowerShell@1 + displayName: Verifying MSI Custom Actions DLL is signed + inputs: + scriptName: .pipelines/versionAndSignCheck.ps1 + arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary' + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign MSI inputs: diff --git a/.pipelines/versionAndSignCheck.ps1 b/.pipelines/versionAndSignCheck.ps1 index 4ebd06dad1..d795758f7b 100644 --- a/.pipelines/versionAndSignCheck.ps1 +++ b/.pipelines/versionAndSignCheck.ps1 
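Review bot: The new `Build PowerToysSetupCustomActions DLL` step passes `/bl:$(Build.SourcesDirectory)\msbuild.binlog`, the same path the installer build further down uses, so the log of the build whose output gets signed is overwritten by the later step. Give it its own file, for example `/bl:$(Build.SourcesDirectory)\msbuild.customactions.binlog`. The signing step's `FolderPath` also mixes `/` and `\` (`'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)'`); using one separator throughout would match the neighbouring steps. The displayName comment has a typo: "needs to be build" should read "needs to be built".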
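Review bot: `clean: false` turns off cleaning for the whole installer build, not only for the custom actions DLL, so this release step now packages whatever is already in the output directories. That is safe only if the agent workspace starts fresh, which is not visible here. The comment should state the real constraint and its guard, for example `clean: false # keep the already-signed PowerToysSetupCustomActions.dll; its signature is re-checked from extractedMsi\Binary after the build`. The task's inputs begin above the hunk.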
@@ -7,7 +7,7 @@ Param(
 )
 $DirPath = $targetDir; #this file is in pipeline, we need root.
-$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf -Recurse -Force -ErrorAction SilentlyContinue
+$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf,PTCustomActions -Recurse -Force -ErrorAction SilentlyContinue
 $totalFailure = 0;
 Write-Host $DirPath;
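Review bot: The added `PTCustomActions` name is matched by a `Get-ChildItem` call that still runs with `-ErrorAction SilentlyContinue`, so if the extracted `Binary` directory is missing or the file is named differently, `$items` is empty and the new "Verifying MSI Custom Actions DLL is signed" step in release.yml has nothing to check. The rest of the script is outside the hunk, so whether an empty list fails the step is not visible. If it does not, add a guard after this line such as `if (-not $items) { Write-Host "No files to verify in $DirPath"; exit 1 }`. A short comment saying that `PTCustomActions` is the extension-less name the DLL has once extracted from the MSI would also help, assuming that is what it is.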