Sign internals of EXE package so that it works correctly when signed #15132
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
assigned
TravisEz13
force-pushed
the
rebuild/v7.2.0-rebuild.4
branch
from
8bcd0f7 to
40ab073
Compare
calculate product name suffix
TravisEz13
force-pushed
the
rebuild/v7.2.0-rebuild.4
branch
from
40ab073 to
f559332
Compare
TravisEz13
requested review from
adityapatwardhan,
anmenaga and
daxian-dbw
as code owners
rjmholt
reviewed
Apr 5, 2021
Collaborator
rjmholt
left a comment
rjmholt
left a comment
There was a problem hiding this comment.
I'd like to get someone who understand this better to review it as well if I can. @adityapatwardhan, @anmenaga or possibly @andschwa.
| New-ExePackage -ProductVersion '$(version)' -MsiLocationPath $msiPath -ProductTargetArchitecture ${{ parameters.architecture }} | ||
| $exePath = Get-ChildItem '.\PowerShell-*.exe' | Select-Object -First 1 -ExpandProperty fullname | ||
| $enginePath = Join-Path -Path '$(System.ArtifactsDirectory)\unsignedEngine' -ChildPath engine.exe | ||
| Dismount-ExePackageEngine -ExePath $exePath -EnginePath $enginePath |
Collaborator
There was a problem hiding this comment.
I'm mostly not clear on the Mount/Dismount-ExePackageEngine uses here:
- Why is it
Mount/Dismount? What does it leave on the filesystem? - Why do we dismount in one task and then mount later in another?
- Are we depending on filesystem state between tasks?
Member
Author
There was a problem hiding this comment.
It's more like an archive.... so perhaps... Expand/Compress
Collaborator
There was a problem hiding this comment.
That makes some sense. What is exe package engine? What does each command do? Can we add comments that contain the answers to those questions and ideally the questions above?
Member
Author
There was a problem hiding this comment.
The engine of the exe is the installer engine provided by WiX
Collaborator
There was a problem hiding this comment.
Ok having read a bit about insignia, here are my recommendations:
- Rename the functions to
Disconnect-/Connect-ExePackageEngine - Add a comment in the function definitions like
Needed to detach the WIX Burn engine from the exe for signingandNeeded to reattach the WIX Burn engine to the exe after signing - Add a comment in the YAML-embedded script where we detach saying
Detach the packaging engine so we can sign the exe - Add a similar comment when we re-attach saying
Re-attach the packaging engine to the now-signed exe so we can create the MSI
It's not clear from this file why we need to re-attach Burn at the end though. We seem to do the following:
- sign the exe
- re-attach Burn to the exe
- upload it (but the display name says unsigned??)
I don't follow this sequence.
rjmholt
reviewed
Apr 6, 2021
| New-ExePackage -ProductVersion '$(version)' -MsiLocationPath $msiPath -ProductTargetArchitecture ${{ parameters.architecture }} | ||
| $exePath = Get-ChildItem '.\PowerShell-*.exe' | Select-Object -First 1 -ExpandProperty fullname | ||
| $enginePath = Join-Path -Path '$(System.ArtifactsDirectory)\unsignedEngine' -ChildPath engine.exe | ||
| Dismount-ExePackageEngine -ExePath $exePath -EnginePath $enginePath |
Collaborator
There was a problem hiding this comment.
Ok having read a bit about insignia, here are my recommendations:
- Rename the functions to
Disconnect-/Connect-ExePackageEngine - Add a comment in the function definitions like
Needed to detach the WIX Burn engine from the exe for signingandNeeded to reattach the WIX Burn engine to the exe after signing - Add a comment in the YAML-embedded script where we detach saying
Detach the packaging engine so we can sign the exe - Add a similar comment when we re-attach saying
Re-attach the packaging engine to the now-signed exe so we can create the MSI
It's not clear from this file why we need to re-attach Burn at the end though. We seem to do the following:
- sign the exe
- re-attach Burn to the exe
- upload it (but the display name says unsigned??)
I don't follow this sequence.
Co-authored-by: Robert Holt <rjmholt@gmail.com>
Co-authored-by: Robert Holt <rjmholt@gmail.com>
Co-authored-by: Robert Holt <rjmholt@gmail.com>
Co-authored-by: Robert Holt <rjmholt@gmail.com>
Member
Author
|
disconnect/connect are not data verbs |
adityapatwardhan
approved these changes
Apr 8, 2021
TravisEz13
commented
Apr 8, 2021
TravisEz13
added
the
CL-BuildPackaging
|
🎉 Handy links: |
TravisEz13
added a commit
that referenced
this pull request
Apr 16, 2021
[7.2.0-preview.5] - 2021-04-14 * Breaking Changes - Make PowerShell Linux deb and RPM packages universal (#15109) - Enforce AppLocker Deny configuration before Execution Policy Bypass configuration (#15035) - Disallow mixed dash and slash in command line parameter prefix (#15142) (Thanks @davidBar-On!) * Experimental Features - `PSNativeCommandArgumentPassing`: Use `ArgumentList` for native executable invocation (breaking change) (#14692) * Engine Updates and Fixes - Add `IArgumentCompleterFactory` for parameterized `ArgumentCompleters` (#12605) (Thanks @powercode!) * General Cmdlet Updates and Fixes - Fix SSH remoting connection never finishing with misconfigured endpoint (#15175) - Respect `TERM` and `NO_COLOR` environment variables for `$PSStyle` rendering (#14969) - Use `ProgressView.Classic` when Virtual Terminal is not supported (#15048) - Fix `Get-Counter` issue with `-Computer` parameter (#15166) (Thanks @krishnayalavarthi!) - Fix redundant iteration while splitting lines (#14851) (Thanks @hez2010!) - Enhance `Remove-Item -Recurse` to work with OneDrive (#14902) (Thanks @iSazonov!) - Change minimum depth to 0 for `ConvertTo-Json` (#14830) (Thanks @kvprasoon!) - Allow `Set-Clipboard` to accept empty string (#14579) - Turn on and off `DECCKM` to modify keyboard mode for Unix native commands to work correctly (#14943) - Fall back to `CopyAndDelete()` when `MoveTo()` fails due to an `IOException` (#15077) * Code Cleanup <details> <summary> <p>We thank the following contributors!</p> <p>@xtqqczze, @iSazonov, @ZhiZe-ZG</p> </summary> <ul> <li>Update .NET to <code>6.0.0-preview.3</code> (#15221)</li> <li>Add space before comma to hosting test to fix error reported by <code>SA1001</code> (#15224)</li> <li>Add <code>SecureStringHelper.FromPlainTextString</code> helper method for efficient secure string creation (#14124) (Thanks @xtqqczze!)</li> <li>Use static lambda keyword (#15154) (Thanks @iSazonov!)</li> <li>Remove unnecessary <code>Array</code> -> <code>List</code> -> <code>Array</code> conversion in <code>ProcessBaseCommand.AllProcesses</code> (#15052) (Thanks @xtqqczze!)</li> <li>Standardize grammar comments in Parser.cs (#15114) (Thanks @ZhiZe-ZG!)</li> <li>Enable <code>SA1001</code>: Commas should be spaced correctly (#14171) (Thanks @xtqqczze!)</li> <li>Refactor <code>MultipleServiceCommandBase.AllServices</code> (#15053) (Thanks @xtqqczze!)</li> </ul> </details> * Tools - Use Unix line endings for shell scripts (#15180) (Thanks @xtqqczze!) * Tests - Add the missing tag in Host Utilities tests (#14983) - Update `copy-props` version in `package.json` (#15124) * Build and Packaging Improvements <details> <summary> <p>We thank the following contributors!</p> <p>@JustinGrote</p> </summary> <ul> <li>Fix <code>yarn-lock</code> for <code>copy-props</code> (#15225)</li> <li>Make package validation regex accept universal Linux packages (#15226)</li> <li>Bump NJsonSchema from 10.4.0 to 10.4.1 (#15190)</li> <li>Make MSI and EXE signing always copy to fix daily build (#15191)</li> <li>Sign internals of EXE package so that it works correctly when signed (#15132)</li> <li>Bump Microsoft.NET.Test.Sdk from 16.9.1 to 16.9.4 (#15141)</li> <li>Update daily release tag format to work with new Microsoft Update work (#15164)</li> <li>Feature: Add Ubuntu 20.04 Support to install-powershell.sh (#15095) (Thanks @JustinGrote!)</li> <li>Treat rebuild branches like release branches (#15099)</li> <li>Update WiX to 3.11.2 (#15097)</li> <li>Bump NJsonSchema from 10.3.11 to 10.4.0 (#15092)</li> <li>Allow patching of preview releases (#15074)</li> <li>Bump Newtonsoft.Json from 12.0.3 to 13.0.1 (#15084, #15085)</li> <li>Update the <code>minSize</code> build package filter to be explicit (#15055)</li> <li>Bump NJsonSchema from 10.3.10 to 10.3.11 (#14965)</li> </ul> </details> * Documentation and Help Content - Merge `7.2.0-preview.4` changes to master (#15056) - Update `README` and `metadata.json` (#15046) - Fix broken links for `dotnet` CLI (#14937) [7.2.0-preview.5]: v7.2.0-preview.4...v7.2.0-preview.5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Summary
Sign internals of EXE package so that it works correctly when signed
PR Context
The extracted EXE and MSI of the wrapper must be signed if the EXE is signed or install will fail.
PR Checklist
.h,.cpp,.cs,.ps1and.psm1files have the correct copyright headerWIP:or[ WIP ]to the beginning of the title (theWIPbot will keep its status check atPendingwhile the prefix is present) and remove the prefix when the PR is ready.(which runs in a different PS Host).