[ci][build]Sign PowerToysSetupCustomActions.dll (#18992)

* [ci]Sign PowerToysSetupCustomActions.dll * Specifically sign the Custom Actions dll * Proper dll build path * Verify if dll inside msi is really signed
2025-12-15 11:17:53 +01:00 · 2022-06-24 13:06:44 +01:00
parent 7af8b930be
commit eeda2ec985
4 changed files with 32 additions and 7 deletions
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -279,23 +279,43 @@ jobs:
      configuration: $(BuildConfiguration)
      maximumCpuCount: true

+  - task: VSBuild@1
+    displayName: Build PowerToysSetupCustomActions DLL # This dll needs to be build and signed before building the MSI.
+    inputs:
+      solution: '**/installer/PowerToysSetup.sln'
+      vsVersion: 17.0
+      msbuildArgs: /p:CIBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog /t:PowerToysSetupCustomActions
+      platform: $(BuildPlatform)
+      configuration: $(BuildConfiguration)
+      maximumCpuCount: true
+
 #### MAIN SIGNING AREA
 # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
 # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents

+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+    displayName: Sign PowerToysSetupCustomActions DLL
+    inputs:
+      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+      FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)'
+      signType: batchSigning
+      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
+      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign Core PT
    inputs:
      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
-      FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.  This path will also work for PowerToysSetupCustomActions which is in a different root dir
+      FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.
      signType: batchSigning
      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign x86 directshow VCM
    inputs:
      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
-      FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.  This path will also work for PowerToysSetupCustomActions which is in a different root dir
+      FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.
      signType: batchSigning
      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
@@ -312,7 +332,7 @@ jobs:
      msbuildArgs: /p:CIBuild=true /target:PowerToysInstaller /bl:$(Build.SourcesDirectory)\msbuild.binlog
      platform: $(BuildPlatform)
      configuration: $(BuildConfiguration)
-      clean: true
+      clean: false # don't undo our hard work above by deleting the CustomActions dll
      maximumCpuCount: true

  - task: CmdLine@2
@@ -328,7 +348,13 @@ jobs:
    inputs:
      scriptName: .pipelines/versionAndSignCheck.ps1
      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
-      
+
+  - task: PowerShell@1
+    displayName: Verifying MSI Custom Actions DLL is signed
+    inputs:
+      scriptName: .pipelines/versionAndSignCheck.ps1
+      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign MSI
    inputs: