[Tool] Script to build an installer locally (#39017)

* add script to build a installer * minor fix * fix search path for msix file * fix sign * fix sign * fix spelling * Fix powershell5 can't recognize emoji * ensure-wix * bring cmdpal available during local build * remove early quit * fix marco * add logger * doc * add a note * self review * fix macro def * add functionality to export cert so that other machine can install it. * spelling
2025-12-15 19:27:56 +01:00 · 2025-04-25 09:57:42 +08:00
parent f63fcfd91c
commit fc804a8156
9 changed files with 411 additions and 10 deletions
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -198,6 +198,7 @@ CLIPBOARDUPDATE
 CLIPCHILDREN
 CLIPSIBLINGS
 closesocket
 clp
 CLSCTX
 clsids
 Clusion
@@ -1045,6 +1046,7 @@ NOINHERITLAYOUT
 NOINTERFACE
 NOINVERT
 NOLINKINFO
 nologo
 NOMCX
 NOMINMAX
 NOMIRRORBITMAP
@@ -1277,6 +1279,7 @@ pstm
 PStr
 pstream
 pstrm
 pswd
 PSYSTEM
 psz
 ptb
@@ -1423,6 +1426,7 @@ searchterm
 SEARCHUI
 SECONDARYDISPLAY
 secpol
 securestring
 SEEMASKINVOKEIDLIST
 SELCHANGE
 SENDCHANGE
--- a/installer/PowerToysSetup/Product.wxs
+++ b/installer/PowerToysSetup/Product.wxs
@@ -79,10 +79,7 @@
      <ComponentGroupRef Id="ToolComponentGroup" />
      <ComponentGroupRef Id="MonacoSRCHeatGenerated" />
      <ComponentGroupRef Id="WorkspacesComponentGroup" />
-
+      <ComponentGroupRef Id="CmdPalComponentGroup" />
      <?if $(var.CIBuild) = "true" ?>
        <ComponentGroupRef Id="CmdPalComponentGroup" />
      <?endif?>
    </Feature>
    <SetProperty Id="ARPINSTALLLOCATION" Value="[INSTALLFOLDER]" After="CostFinalize" />
--- a/src/common/utils/package.h
+++ b/src/common/utils/package.h
@@ -301,6 +301,7 @@ namespace package
        if (!std::filesystem::exists(directoryPath))
        {
            Logger::error(L"The directory '" + directoryPath + L"' does not exist.");
            return {};
        }
        const std::regex pattern(R"(^.+\.(appx|msix|msixbundle)$)", std::regex_constants::icase);
--- a/src/modules/cmdpal/CmdPalModuleInterface/CmdPalModuleInterface.vcxproj
+++ b/src/modules/cmdpal/CmdPalModuleInterface/CmdPalModuleInterface.vcxproj
@@ -2,6 +2,7 @@
 <Project DefaultTargets="Build"
  xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="..\..\..\..\packages\Microsoft.Windows.CppWinRT.2.0.240111.5\build\native\Microsoft.Windows.CppWinRT.props" Condition="Exists('..\..\..\..\packages\Microsoft.Windows.CppWinRT.2.0.240111.5\build\native\Microsoft.Windows.CppWinRT.props')" />
  <Import Project="..\Microsoft.CmdPal.UI\CmdPal.pre.props" Condition="Exists('..\Microsoft.CmdPal.UI\CmdPal.pre.prop')" />
  <PropertyGroup Label="Globals">
    <VCProjectVersion>17.0</VCProjectVersion>
    <Keyword>Win32Proj</Keyword>
@@ -49,13 +50,21 @@
  </ItemGroup>
  <ItemDefinitionGroup>
    <ClCompile>
-      <PreprocessorDefinitions>EXAMPLEPOWERTOY_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>
        EXAMPLEPOWERTOY_EXPORTS;_WINDOWS;_USRDLL;
        %(PreprocessorDefinitions);
        $(CommandPaletteBranding)
      </PreprocessorDefinitions>
      <PreprocessorDefinitions Condition="'$(CommandPaletteBranding)'=='' or '$(CommandPaletteBranding)'=='Dev'">
        IS_DEV_BRANDING;%(PreprocessorDefinitions)
      </PreprocessorDefinitions>
      <AdditionalIncludeDirectories>..\..\..\common\inc;..\..\..\common\Telemetry;..\..\;..\..\..\;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
    </ClCompile>
    <Link>
      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClInclude Include="pch.h" />
    <ClInclude Include="resource.h" />
--- a/src/modules/cmdpal/CmdPalModuleInterface/dllmain.cpp
+++ b/src/modules/cmdpal/CmdPalModuleInterface/dllmain.cpp
@@ -208,7 +208,7 @@ public:
        try
        {
            std::wstring packageName = L"Microsoft.CommandPalette";
-#ifdef _DEBUG
+#ifdef IS_DEV_BRANDING
            packageName = L"Microsoft.CommandPalette.Dev";
 #endif
            if (!package::GetRegisteredPackage(packageName, false).has_value())
@@ -245,12 +245,21 @@ public:
            errorMessage += e.what();
            Logger::error(errorMessage);
        }
-
+        try
-#if _DEBUG
+        {
-        LaunchApp(std::wstring{ L"shell:AppsFolder\\" } + L"Microsoft.CommandPalette.Dev_8wekyb3d8bbwe!App", L"RunFromPT", false);
+#ifdef IS_DEV_BRANDING
            LaunchApp(std::wstring{ L"shell:AppsFolder\\" } + L"Microsoft.CommandPalette.Dev_8wekyb3d8bbwe!App", L"RunFromPT", false);
 #else
-        LaunchApp(std::wstring{ L"shell:AppsFolder\\" } + L"Microsoft.CommandPalette_8wekyb3d8bbwe!App", L"RunFromPT", false);
+            LaunchApp(std::wstring{ L"shell:AppsFolder\\" } + L"Microsoft.CommandPalette_8wekyb3d8bbwe!App", L"RunFromPT", false);
 #endif
        }
        catch (std::exception& e)
        {
            std::string errorMessage{ "Exception thrown while trying to launch CmdPal: " };
            errorMessage += e.what();
            Logger::error(errorMessage);
            throw;
        }
    }
    virtual void disable()
--- a/tools/build/build-installer.ps1
+++ b/tools/build/build-installer.ps1
@@ -0,0 +1,122 @@
 <#
 .SYNOPSIS
 Build and package PowerToys (CmdPal and installer) for a specific platform and configuration LOCALLY.
 .DESCRIPTION
 This script automates the end-to-end build and packaging process for PowerToys, including:
 - Restoring and building all necessary solutions (CmdPal, BugReportTool, StylesReportTool, etc.)
 - Cleaning up old output
 - Signing generated .msix packages
 - Building the WiX-based MSI and bootstrapper installers
 It is designed to work in local development.
 .PARAMETER Platform
 Specifies the target platform for the build (e.g., 'arm64', 'x64'). Default is 'arm64'.
 .PARAMETER Configuration
 Specifies the build configuration (e.g., 'Debug', 'Release'). Default is 'Release'.
 .EXAMPLE
 .\build-installer.ps1
 Runs the installer build pipeline for ARM64 Release (default).
 .EXAMPLE
 .\build-installer.ps1 -Platform x64 -Configuration Release
 Runs the pipeline for x64 Debug.
 .NOTES
 - Requires MSBuild, WiX Toolset, and Git to be installed and accessible from your environment.
 - Make sure to run this script from a Developer PowerShell (e.g., VS2022 Developer PowerShell).
 - Generated MSIX files will be signed using cert-sign-package.ps1.
 - This script will clean previous outputs under the build directories and installer directory (except *.exe files).
 - First time run need admin permission to trust the certificate.
 - The built installer will be placed under: installer/PowerToysSetup/[Platform]/[Configuration]/UserSetup 
  relative to the solution root directory.
 - The installer can't be run right after the build, I need to copy it to another file before it can be run.
 #>
 param (
    [string]$Platform = 'arm64',
    [string]$Configuration = 'Release'
 )
 $repoRoot = Resolve-Path "$PSScriptRoot\..\.."
 Set-Location $repoRoot
 function RunMSBuild {
    param (
        [string]$Solution, 
        [string]$ExtraArgs  
    )
    $base = @(
        $Solution
        "/p:Platform=`"$Platform`""
        "/p:Configuration=$Configuration"
        '/verbosity:normal'
        '/clp:Summary;PerformanceSummary;ErrorsOnly;WarningsOnly'
        '/nologo'
    )
    $cmd = $base + ($ExtraArgs -split ' ')
    Write-Host ("[MSBUILD] {0} {1}" -f $Solution, ($cmd -join ' '))
    & msbuild.exe @cmd
    if ($LASTEXITCODE -ne 0) {
        Write-Error ("Build failed: {0}  {1}" -f $Solution, $ExtraArgs)
        exit $LASTEXITCODE
    }
 }
 function RestoreThenBuild {
    param ([string]$Solution)
    # 1) restore
    RunMSBuild $Solution '/t:restore /p:RestorePackagesConfig=true'
    # 2) build  -------------------------------------------------
    RunMSBuild $Solution '/m'
 }
 Write-Host ("Make sure wix is installed and available")
 & "$PSScriptRoot\ensure-wix.ps1"
 Write-Host ("[PIPELINE] Start | Platform={0} Configuration={1}" -f $Platform, $Configuration)
 Write-Host ''
 $cmdpalOutputPath = Join-Path $repoRoot "$Platform\$Configuration\WinUI3Apps\CmdPal"
 if (Test-Path $cmdpalOutputPath) {
    Write-Host "[CLEAN] Removing previous output: $cmdpalOutputPath"
    Remove-Item $cmdpalOutputPath -Recurse -Force -ErrorAction Ignore
 }
 RestoreThenBuild '.\PowerToys.sln'
 $msixSearchRoot = Join-Path $repoRoot "$Platform\$Configuration"
 $msixFiles = Get-ChildItem -Path $msixSearchRoot -Recurse -Filter *.msix |
 Select-Object -ExpandProperty FullName
 if ($msixFiles.Count) {
    Write-Host ("[SIGN] .msix file(s): {0}" -f ($msixFiles -join '; '))
    & "$PSScriptRoot\cert-sign-package.ps1" -TargetPaths $msixFiles
 }
 else {
    Write-Warning "[SIGN] No .msix files found in $msixSearchRoot"
 }
 RestoreThenBuild '.\tools\BugReportTool\BugReportTool.sln'
 RestoreThenBuild '.\tools\StylesReportTool\StylesReportTool.sln'
 Write-Host '[CLEAN] installer (keep *.exe)'
 git clean -xfd -e '*.exe' -- .\installer\ | Out-Null
 RunMSBuild  '.\installer\PowerToysSetup.sln' '/t:restore /p:RestorePackagesConfig=true'
 RunMSBuild '.\installer\PowerToysSetup.sln' '/m /t:PowerToysInstaller /p:PerUser=true'
 RunMSBuild '.\installer\PowerToysSetup.sln' '/m /t:PowerToysBootstrapper /p:PerUser=true'
 Write-Host '[PIPELINE] Completed'
--- a/tools/build/cert-management.ps1
+++ b/tools/build/cert-management.ps1
@@ -0,0 +1,159 @@
 <#
 .SYNOPSIS
 Ensures a code signing certificate exists and is trusted in all necessary certificate stores.
 .DESCRIPTION
 This script provides two functions:
 1. EnsureCertificate:
   - Searches for an existing code signing certificate by subject name.
   - If not found, creates a new self-signed certificate.
   - Exports the certificate and attempts to import it into:
     - CurrentUser\TrustedPeople
     - CurrentUser\Root
     - LocalMachine\Root (admin privileges may be required)
 2. ImportAndVerifyCertificate:
   - Imports a `.cer` file into the specified certificate store if not already present.
   - Verifies the certificate is successfully imported by checking thumbprint.
 This is useful in build or signing pipelines to ensure a valid and trusted certificate is available before signing MSIX or executable files.
 .PARAMETER certSubject
 The subject name of the certificate to search for or create. Default is:
 "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
 .PARAMETER cerPath
 (ImportAndVerifyCertificate only) The file path to a `.cer` certificate file to import.
 .PARAMETER storePath
 (ImportAndVerifyCertificate only) The destination certificate store path (e.g. Cert:\CurrentUser\Root).
 .EXAMPLE
 $cert = EnsureCertificate
 Ensures the default certificate exists and is trusted, and returns the certificate object.
 .EXAMPLE
 ImportAndVerifyCertificate -cerPath "$env:TEMP\temp_cert.cer" -storePath "Cert:\CurrentUser\Root"
 Imports a certificate into the CurrentUser Root store and verifies its presence.
 .NOTES
 - For full trust, administrative privileges may be needed to import into LocalMachine\Root.
 - Certificates are created using RSA and SHA256 and marked as CodeSigningCert.
 #>
 function ImportAndVerifyCertificate {
    param (
        [string]$cerPath,
        [string]$storePath
    )
    $thumbprint = (Get-PfxCertificate -FilePath $cerPath).Thumbprint
    $existingCert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($existingCert) {
        Write-Host "Certificate already exists in $storePath"
        return $true
    }
    try {
        $null = Import-Certificate -FilePath $cerPath -CertStoreLocation $storePath -ErrorAction Stop
    } catch {
        Write-Warning "Failed to import certificate to $storePath : $_"
        return $false
    }
    $imported = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($imported) {
        Write-Host "Certificate successfully imported to $storePath"
        return $true
    } else {
        Write-Warning "Certificate not found in $storePath after import"
        return $false
    }
 }
 function EnsureCertificate {
    param (
        [string]$certSubject = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    )
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $certSubject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        Write-Host "Certificate not found. Creating a new one..."
        $cert = New-SelfSignedCertificate -Subject $certSubject `
            -CertStoreLocation "Cert:\CurrentUser\My" `
            -KeyAlgorithm RSA `
            -Type CodeSigningCert `
            -HashAlgorithm SHA256
        if (-not $cert) {
            Write-Error "Failed to create a new certificate."
            return $null
        }
        Write-Host "New certificate created with thumbprint: $($cert.Thumbprint)"
    }
    else {
        Write-Host "Using existing certificate with thumbprint: $($cert.Thumbprint)"
    }
    $cerPath = "$env:TEMP\temp_cert.cer"
    [void](Export-Certificate -Cert $cert -FilePath $cerPath -Force)
    if (-not (ImportAndVerifyCertificate -cerPath $cerPath -storePath "Cert:\CurrentUser\TrustedPeople")) { return $null }
    if (-not (ImportAndVerifyCertificate -cerPath $cerPath -storePath "Cert:\CurrentUser\Root")) { return $null }
    if (-not (ImportAndVerifyCertificate -cerPath $cerPath -storePath "Cert:\LocalMachine\Root")) {
        Write-Warning "Failed to import to LocalMachine\Root (admin may be required)"
        return $null
    }
    return $cert
 }
 function Export-CertificateFiles {
    param (
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$CerPath,
        [string]$PfxPath,
        [securestring]$PfxPassword
    )
    if (-not $Certificate) {
        Write-Error "No certificate provided to export."
        return
    }
    if ($CerPath) {
        try {
            Export-Certificate -Cert $Certificate -FilePath $CerPath -Force | Out-Null
            Write-Host "Exported CER to: $CerPath"
        } catch {
            Write-Warning "Failed to export CER file: $_"
        }
    }
    if ($PfxPath -and $PfxPassword) {
        try {
            Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $PfxPassword -Force | Out-Null
            Write-Host "Exported PFX to: $PfxPath"
        } catch {
            Write-Warning "Failed to export PFX file: $_"
        }
    }
    if (-not $CerPath -and -not $PfxPath) {
        Write-Warning "No output path specified. Nothing was exported."
    }
 }
 $cert = EnsureCertificate
 $pswd = ConvertTo-SecureString -String "MySecurePassword123!" -AsPlainText -Force
 Export-CertificateFiles -Certificate $cert -CerPath "$env:TEMP\cert.cer" -PfxPath "$env:TEMP\cert.pfx" -PfxPassword $pswd
--- a/tools/build/cert-sign-package.ps1
+++ b/tools/build/cert-sign-package.ps1
@@ -0,0 +1,29 @@
 param (
    [string]$certSubject = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
    [string[]]$TargetPaths = "C:\PowerToys\ARM64\Release\WinUI3Apps\CmdPal\AppPackages\Microsoft.CmdPal.UI_0.0.1.0_Test\Microsoft.CmdPal.UI_0.0.1.0_arm64.msix"
 )
 . "$PSScriptRoot\cert-management.ps1"
 $cert = EnsureCertificate -certSubject $certSubject
 if (-not $cert) {
    Write-Error "Failed to prepare certificate."
    exit 1
 }
 Write-Host "Certificate ready: $($cert.Thumbprint)"
 if (-not $TargetPaths -or $TargetPaths.Count -eq 0) {
    Write-Error "No target files provided to sign."
    exit 1
 }
 foreach ($filePath in $TargetPaths) {
    if (-not (Test-Path $filePath)) {
        Write-Warning "Skipping: File does not exist - $filePath"
        continue
    }
    Write-Host "Signing: $filePath"
    & signtool sign /sha1 $($cert.Thumbprint) /fd SHA256 /t http://timestamp.digicert.com "$filePath"
 }
--- a/tools/build/ensure-wix.ps1
+++ b/tools/build/ensure-wix.ps1
@@ -0,0 +1,71 @@
 <#
 .SYNOPSIS
    Ensure WiX Toolset 3.14 (build 3141) is installed and ready to use.
 .DESCRIPTION
    - Skips installation if the toolset is already installed (unless -Force is used).
    - Otherwise downloads the official installer and binaries, verifies SHA-256, installs silently,
      and copies wix.targets into the installation directory.
 .PARAMETER Force
    Forces reinstallation even if the toolset is already detected.
 .PARAMETER InstallDir
    The target installation path. Default is 'C:\Program Files (x86)\WiX Toolset v3.14'.
 .EXAMPLE
    .\EnsureWix.ps1          # Ensure WiX is installed
    .\EnsureWix.ps1 -Force   # Force reinstall
 #>
 [CmdletBinding()]
 param(
    [switch]$Force,
    [string]$InstallDir = 'C:\Program Files (x86)\WiX Toolset v3.14'
 )
 $ErrorActionPreference = 'Stop'
 $ProgressPreference    = 'SilentlyContinue'
 # Download URLs and expected SHA-256 hashes
 $WixDownloadUrl         = 'https://github.com/wixtoolset/wix3/releases/download/wix3141rtm/wix314.exe'
 $WixBinariesDownloadUrl = 'https://github.com/wixtoolset/wix3/releases/download/wix3141rtm/wix314-binaries.zip'
 $InstallerHashExpected  = '6BF6D03D6923D9EF827AE1D943B90B42B8EBB1B0F68EF6D55F868FA34C738A29'
 $BinariesHashExpected   = '6AC824E1642D6F7277D0ED7EA09411A508F6116BA6FAE0AA5F2C7DAA2FF43D31'
 # Check if WiX is already installed
 $candlePath = Join-Path $InstallDir 'bin\candle.exe'
 if (-not $Force -and (Test-Path $candlePath)) {
    Write-Host "WiX Toolset is already installed at `"$InstallDir`". Skipping installation."
    return
 }
 # Temp file paths
 $tmpDir      = [IO.Path]::GetTempPath()
 $installer   = Join-Path $tmpDir 'wix314.exe'
 $binariesZip = Join-Path $tmpDir 'wix314-binaries.zip'
 # Download installer and binaries
 Write-Host 'Downloading WiX installer...'
 Invoke-WebRequest -Uri $WixDownloadUrl         -OutFile $installer    -UseBasicParsing
 Write-Host 'Downloading WiX binaries...'
 Invoke-WebRequest -Uri $WixBinariesDownloadUrl -OutFile $binariesZip  -UseBasicParsing
 # Verify SHA-256 hashes
 Write-Host 'Verifying installer hash...'
 if ((Get-FileHash -Algorithm SHA256 $installer).Hash -ne $InstallerHashExpected) {
    throw 'wix314.exe SHA256 hash mismatch'
 }
 Write-Host 'Verifying binaries hash...'
 if ((Get-FileHash -Algorithm SHA256 $binariesZip).Hash -ne $BinariesHashExpected) {
    throw 'wix314-binaries.zip SHA256 hash mismatch'
 }
 # Perform silent installation
 Write-Host 'Installing WiX Toolset silently...'
 Start-Process -FilePath $installer -ArgumentList '/install','/quiet' -Wait
 # Extract binaries and copy wix.targets
 $expandDir = Join-Path $tmpDir 'wix-binaries'
 if (Test-Path $expandDir) { Remove-Item $expandDir -Recurse -Force }
 Expand-Archive -Path $binariesZip -DestinationPath $expandDir -Force
 Copy-Item -Path (Join-Path $expandDir 'wix.targets') `
          -Destination (Join-Path $InstallDir  'wix.targets') -Force
 Write-Host "WiX Toolset has been successfully installed at: $InstallDir"