[ci][build]Sign PowerToysSetupCustomActions.dll (#18992)

* [ci]Sign PowerToysSetupCustomActions.dll * Specifically sign the Custom Actions dll * Proper dll build path * Verify if dll inside msi is really signed
2024-11-27 23:19:13 +08:00 · 2022-06-24 13:06:44 +01:00 · 2022-06-24 13:06:44 +01:00 · eeda2ec985
commit eeda2ec985
parent 7af8b930be
4 changed files with 32 additions and 7 deletions
--- a/.pipelines/ESRPSigning_core.json
+++ b/.pipelines/ESRPSigning_core.json
@ -6,8 +6,6 @@
            "MatchedPath": [
                "*.resources.dll",

-                "PowerToysSetupCustomActions.dll",
-                
                "PowerToys.ActionRunner.exe",
                "PowerToys.Update.exe",
                "PowerToys.BackgroundActivatorDLL.dll",
--- a/.pipelines/ESRPSigning_installer.json
+++ b/.pipelines/ESRPSigning_installer.json
@ -4,6 +4,7 @@
    "SignBatches": [
        {
            "MatchedPath": [
+                "PowerToysSetupCustomActions.dll",
                "PowerToysSetup-*.exe",
                "PowerToysSetup-*.msi"
            ],
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@ -279,23 +279,43 @@ jobs:
      configuration: $(BuildConfiguration)
      maximumCpuCount: true

+  - task: VSBuild@1
+    displayName: Build PowerToysSetupCustomActions DLL # This dll needs to be build and signed before building the MSI.
+    inputs:
+      solution: '**/installer/PowerToysSetup.sln'
+      vsVersion: 17.0
+      msbuildArgs: /p:CIBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog /t:PowerToysSetupCustomActions
+      platform: $(BuildPlatform)
+      configuration: $(BuildConfiguration)
+      maximumCpuCount: true
+
 #### MAIN SIGNING AREA
 # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
 # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents

+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+    displayName: Sign PowerToysSetupCustomActions DLL
+    inputs:
+      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+      FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)'
+      signType: batchSigning
+      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
+      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign Core PT
    inputs:
      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
-      FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.  This path will also work for PowerToysSetupCustomActions which is in a different root dir
+      FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.
      signType: batchSigning
      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign x86 directshow VCM
    inputs:
      ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
-      FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.  This path will also work for PowerToysSetupCustomActions which is in a different root dir
+      FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.
      signType: batchSigning
      batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
      ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
@ -312,7 +332,7 @@ jobs:
      msbuildArgs: /p:CIBuild=true /target:PowerToysInstaller /bl:$(Build.SourcesDirectory)\msbuild.binlog
      platform: $(BuildPlatform)
      configuration: $(BuildConfiguration)
-      clean: true
+      clean: false # don't undo our hard work above by deleting the CustomActions dll
      maximumCpuCount: true

  - task: CmdLine@2
@ -328,7 +348,13 @@ jobs:
    inputs:
      scriptName: .pipelines/versionAndSignCheck.ps1
      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
-      
+
+  - task: PowerShell@1
+    displayName: Verifying MSI Custom Actions DLL is signed
+    inputs:
+      scriptName: .pipelines/versionAndSignCheck.ps1
+      arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
+
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
    displayName: Sign MSI
    inputs:
--- a/.pipelines/versionAndSignCheck.ps1
+++ b/.pipelines/versionAndSignCheck.ps1
@ -7,7 +7,7 @@ Param(
 )

 $DirPath = $targetDir;  #this file is in pipeline, we need root.
-$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf -Recurse -Force -ErrorAction SilentlyContinue
+$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf,PTCustomActions -Recurse -Force -ErrorAction SilentlyContinue
 $totalFailure = 0;

 Write-Host $DirPath;