Forcing build to validate signing and versioning (#15432)

* ps script for validation * intentionally breaking for testing * including script in release * fixing script * removing old ignore * Fixing unit tests to be versioned * fixing version path * Authenticode * Update release.yml * Update versionAndSignCheck.ps1 * Update release.yml * Update versionAndSignCheck.ps1 * Update release.yml * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update release.yml * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update release.yml * Update versionAndSignCheck.ps1 * Update ESRPSigning_core.json * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update versionAndSignCheck.ps1 * Update release.yml
2025-12-15 11:17:53 +01:00 · 2022-01-10 18:26:27 -08:00
parent cf0c45a319
commit f303c29d4c
6 changed files with 76 additions and 6 deletions
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -108,6 +108,7 @@ Attribs
 attrs
 aumid
 Aut
+Authenticode
 AUTHN
 autogenerated
 autogenerates
--- a/.pipelines/ESRPSigning_core.json
+++ b/.pipelines/ESRPSigning_core.json
@@ -8,7 +8,6 @@

                "PowerToysSetupCustomActions.dll",
                
-                
                "PowerToys.ActionRunner.exe",
                "PowerToys.Update.exe",
                "PowerToys.BackgroundActivatorDLL.dll",
@@ -24,6 +23,9 @@
                "PowerToys.Common.UI.dll",
                "PowerToys.Settings.UI.Lib.dll",

+                "modules\\AlwaysOnTop\\PowerToys.AlwaysOnTop.exe",
+                "modules\\AlwaysOnTop\\PowerToys.AlwaysOnTopModuleInterface.dll",
+                
                "modules\\ColorPicker\\ColorPicker.dll",
                "modules\\ColorPicker\\ColorPickerUI.dll",
                "modules\\ColorPicker\\ColorPickerUI.exe",
@@ -32,9 +34,6 @@
                "modules\\ColorPicker\\PowerToys.ColorPickerUI.dll",
                "modules\\ColorPicker\\PowerToys.ColorPickerUI.exe",

-                "modules\\AlwaysOnTop\\PowerToys.AlwaysOnTop.exe",
-                "modules\\AlwaysOnTop\\PowerToys.AlwaysOnTopModuleInterface.dll",
-
                "modules\\Awake\\PowerToys.AwakeModuleInterface.dll",
                "modules\\Awake\\PowerToys.Awake.exe",
                "modules\\Awake\\PowerToys.Awake.dll",
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -217,6 +217,20 @@ jobs:
      clean: true
      maximumCpuCount: true

+  - task: CmdLine@2
+    displayName: 'Extracting MSI to verify contents'
+    inputs:
+      script: |
+        .\installer\packages\WiX.3.11.2\tools\dark.exe -x $(build.sourcesdirectory)\extractedMsi installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\PowerToysSetup-${{ parameters.versionNumber }}-$(BuildPlatform).msi 
+        dir $(build.sourcesdirectory)\extractedMsi
+
+# Did we sign all files
+  - task: PowerShell@1
+    displayName: Verifying entire build is signed and version set
+    inputs:
+      scriptName: .pipelines/versionAndSignCheck.ps1
+      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
+      
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign MSI
    inputs:
--- a/.pipelines/versionAndSignCheck.ps1
+++ b/.pipelines/versionAndSignCheck.ps1
@@ -0,0 +1,53 @@
+[CmdletBinding()]
+# todo: send in arch / conf, could send in actual path
+Param(
+  [Parameter(Mandatory=$True,Position=1)]
+  [AllowEmptyString()]
+  [string]$targetDir = $PSScriptRoot + '/../extractedMsi/File'
+)
+
+$DirPath = $targetDir;  #this file is in pipeline, we need root.
+$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll -Recurse -Force -ErrorAction SilentlyContinue
+$totalFailure = 0;
+
+Write-Host $DirPath;
+
+if(-not (Test-Path $DirPath))
+{  
+    Write-Host "Folder does not exist!"
+}
+
+Write-Host "Total items: " $items.Count
+
+if($items.Count -eq 0)
+{
+	# no items means something bad happened.  We should fail ASAP
+	exit 1;
+}
+
+$items | ForEach-Object { 
+    if($_.VersionInfo.FileVersion -eq "1.0.0.0" )
+	{
+		if(-not $_.Name.EndsWith("Microsoft.Search.Interop.dll"))
+		{
+			Write-Host "Version not set: " + $_.FullName
+			$totalFailure++;
+		}
+	}
+}
+
+$items | ForEach-Object { 
+	$auth = Get-AuthenticodeSignature $_.FullName
+	if($auth.SignerCertificate -eq $null)
+	{
+		Write-Host "Not Signed: " + $_.FullName
+		$totalFailure++;
+	}
+}
+
+if($totalFailure -gt 0)
+{
+	exit 1
+}
+
+exit 0
--- a/src/modules/colorPicker/UnitTest-ColorPickerUI/UnitTest-ColorPickerUI.csproj
+++ b/src/modules/colorPicker/UnitTest-ColorPickerUI/UnitTest-ColorPickerUI.csproj
@@ -1,4 +1,5 @@
 <Project Sdk="Microsoft.NET.Sdk">
+<Import Project="..\..\..\Version.props" />
 	
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
@@ -11,6 +12,7 @@
    <PlatformTarget>x64</PlatformTarget>
    <Platforms>x64</Platforms>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+	<Version>$(Version).0</Version>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
--- a/src/settings-ui/Settings.UI.UnitTests/Settings.UI.UnitTests.csproj
+++ b/src/settings-ui/Settings.UI.UnitTests/Settings.UI.UnitTests.csproj
@@ -1,9 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
-
+  <Import Project="..\..\Version.props" />
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
    <IsPackable>false</IsPackable>
    <Platforms>x64</Platforms>
+	<Version>$(Version).0</Version>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>