mirror/PowerToys
1
0
Fork 0
mirror of https://github.com/microsoft/PowerToys.git synced 2025-06-07 17:42:45 +08:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

[ci][build]Sign PowerToysSetupCustomActions.dll (#18992)

Browse Source 
* [ci]Sign PowerToysSetupCustomActions.dll

* Specifically sign the Custom Actions dll

* Proper dll build path

* Verify if dll inside msi is really signed
This commit is contained in:
Jaime Bernardo 2022-06-24 13:06:44 +01:00 committed by GitHub
parent 7af8b930be
commit eeda2ec985
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 32 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.pipelines/ESRPSigning_core.json
View File

@ -6,8 +6,6 @@
"MatchedPath": [ "MatchedPath": [
"*.resources.dll", "*.resources.dll",
"PowerToysSetupCustomActions.dll",
"PowerToys.ActionRunner.exe", "PowerToys.ActionRunner.exe",
"PowerToys.Update.exe", "PowerToys.Update.exe",
"PowerToys.BackgroundActivatorDLL.dll", "PowerToys.BackgroundActivatorDLL.dll",

1
.pipelines/ESRPSigning_installer.json
View File

@ -4,6 +4,7 @@
"SignBatches": [ "SignBatches": [
{ {
"MatchedPath": [ "MatchedPath": [
"PowerToysSetupCustomActions.dll",
"PowerToysSetup-*.exe", "PowerToysSetup-*.exe",
"PowerToysSetup-*.msi" "PowerToysSetup-*.msi"
], ],

34
.pipelines/release.yml
View File

@ -279,23 +279,43 @@ jobs:
configuration: $(BuildConfiguration) configuration: $(BuildConfiguration)
maximumCpuCount: true maximumCpuCount: true
- task: VSBuild@1
displayName: Build PowerToysSetupCustomActions DLL # This dll needs to be build and signed before building the MSI.
inputs:
solution: '**/installer/PowerToysSetup.sln'
vsVersion: 17.0
msbuildArgs: /p:CIBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog /t:PowerToysSetupCustomActions
platform: $(BuildPlatform)
configuration: $(BuildConfiguration)
maximumCpuCount: true
#### MAIN SIGNING AREA #### MAIN SIGNING AREA
# reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
# https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: Sign PowerToysSetupCustomActions DLL
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: Sign Core PT displayName: Sign Core PT
inputs: inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64. This path will also work for PowerToysSetupCustomActions which is in a different root dir FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.
signType: batchSigning signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json' batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: Sign x86 directshow VCM displayName: Sign x86 directshow VCM
inputs: inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64. This path will also work for PowerToysSetupCustomActions which is in a different root dir FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.
signType: batchSigning signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json' batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
@ -312,7 +332,7 @@ jobs:
msbuildArgs: /p:CIBuild=true /target:PowerToysInstaller /bl:$(Build.SourcesDirectory)\msbuild.binlog msbuildArgs: /p:CIBuild=true /target:PowerToysInstaller /bl:$(Build.SourcesDirectory)\msbuild.binlog
platform: $(BuildPlatform) platform: $(BuildPlatform)
configuration: $(BuildConfiguration) configuration: $(BuildConfiguration)
clean: true clean: false # don't undo our hard work above by deleting the CustomActions dll
maximumCpuCount: true maximumCpuCount: true
- task: CmdLine@2 - task: CmdLine@2
@ -328,7 +348,13 @@ jobs:
inputs: inputs:
scriptName: .pipelines/versionAndSignCheck.ps1 scriptName: .pipelines/versionAndSignCheck.ps1
arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File' arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\File'
- task: PowerShell@1
displayName: Verifying MSI Custom Actions DLL is signed
inputs:
scriptName: .pipelines/versionAndSignCheck.ps1
arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: Sign MSI displayName: Sign MSI
inputs: inputs:

2
.pipelines/versionAndSignCheck.ps1
View File

@ -7,7 +7,7 @@ Param(
) )
$DirPath = $targetDir; #this file is in pipeline, we need root. $DirPath = $targetDir; #this file is in pipeline, we need root.
$items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf -Recurse -Force -ErrorAction SilentlyContinue $items = Get-ChildItem -Path $DirPath -File -Include *.exe,*.dll,*.ttf,PTCustomActions -Recurse -Force -ErrorAction SilentlyContinue
$totalFailure = 0; $totalFailure = 0;
Write-Host $DirPath; Write-Host $DirPath;