authorRob Mensching <rob@firegiant.com>2023-09-12 14:08:34 -0700
committerRob Mensching <rob@firegiant.com>2023-09-13 12:39:38 -0700
commite570ce580afa981d3cf7750bea1d129309b48a06 (patch)
tree816e7daec7b5177a54e044156045bc24d9557516
parent409d3b63bff29df0859a217ba2843b85d65d2efe (diff)
downloadwix-e570ce580afa981d3cf7750bea1d129309b48a06.tar.gz
wix-e570ce580afa981d3cf7750bea1d129309b48a06.tar.bz2
wix-e570ce580afa981d3cf7750bea1d129309b48a06.zip
Update to latest signing infrastructure
Fixes 7546
-rw-r--r--.github/workflows/build.yml21
-rw-r--r--src/Directory.Build.targets42
-rw-r--r--src/internal/SetBuildNumber/SetBuildNumber.proj9
-rw-r--r--src/signing-empty-file-list.txt1
-rw-r--r--src/signing.json13
5 files changed, 38 insertions, 48 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47297ac5..4d10017e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,9 @@ jobs:
24 build: 24 build:
25 name: Build 25 name: Build
26 runs-on: windows-2022 26 runs-on: windows-2022
27 permissions:
28 packages: write
29 id-token: write
27 steps: 30 steps:
28 - name: Checkout code 31 - name: Checkout code
29 uses: actions/checkout@v3 32 uses: actions/checkout@v3
@@ -34,6 +37,11 @@ jobs:
34 # shell: cmd 37 # shell: cmd
35 # run: ./src/vs_config.cmd 38 # run: ./src/vs_config.cmd
36 39
40 - name: Install sign tool
41 if: (github.ref == 'refs/heads/master')
42 shell: cmd
43 run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1
44
37 - name: Configure automated logging and crash dumps 45 - name: Configure automated logging and crash dumps
38 shell: cmd 46 shell: cmd
39 run: | 47 run: |
@@ -46,13 +54,22 @@ jobs:
46 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f 54 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f
47 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1 55 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1
48 56
57 - name: 'Az CLI login'
58 if: (github.ref == 'refs/heads/master')
59 uses: azure/login@v1
60 with:
61 allow-no-subscriptions: true
62 client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
63 tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
64 subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }}
65
49 - name: Build wix4 66 - name: Build wix4
50 shell: cmd 67 shell: cmd
51 run: ./src/build_official.cmd 68 run: ./src/build_official.cmd
52 env: 69 env:
53 RuntimeTestsEnabled: true 70 RuntimeTestsEnabled: true
54 SigningUser: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }} 71 SigningVaultUri: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }}
55 SigningSecret: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }} 72 SigningCertName: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }}
56 73
57 - name: Validate test results 74 - name: Validate test results
58 shell: cmd 75 shell: cmd
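Review bot: The new `permissions:` block at new lines 27-29 grants `id-token: write` and `packages: write` to every run of the `build` job, while only the sign-tool install, the `Az CLI login` step and the two signing env vars are gated on `github.ref == 'refs/heads/master'`; the workflow's triggers are outside this section, so whether non-master runs also receive these permissions cannot be seen here. If they do, the Azure federated credential's subject claim should be restricted to the master branch so a token minted from another ref cannot authenticate to the vault, and a comment such as `# OIDC token is only useful with a federated credential scoped to refs/heads/master` next to `id-token: write` would record that dependency. The same `github.ref == 'refs/heads/master'` test is repeated four times in this section; a single job-level expression or env flag would keep them from drifting apart. `azure/login@v1` is referenced by a floating major tag, unlike the exactly pinned `--version 0.9.1-beta.23356.1` for the sign tool; pinning the action to a commit SHA would match the supply-chain posture of the tool install.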
diff --git a/src/Directory.Build.targets b/src/Directory.Build.targets
index 0dd56353..74a381ba 100644
--- a/src/Directory.Build.targets
+++ b/src/Directory.Build.targets
@@ -4,9 +4,9 @@
4<Project> 4<Project>
5 <PropertyGroup> 5 <PropertyGroup>
6 <SigningToolFolder>$(ToolsFolder)</SigningToolFolder> 6 <SigningToolFolder>$(ToolsFolder)</SigningToolFolder>
7 <SigningToolExe>$(SigningToolFolder)\SignClient.exe</SigningToolExe> 7 <SigningToolExe>$(SigningToolFolder)\sign.exe</SigningToolExe>
8 <SigningFilelist>$(SigningToolFolder)\empty-filelist.txt</SigningFilelist> 8 <SigningFilelist>$(MSBuildThisFileDirectory)signing-empty-file-list.txt</SigningFilelist>
9 <SigningConfiguration>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json</SigningConfiguration> 9 <SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"</SigningConfiguration>
10 </PropertyGroup> 10 </PropertyGroup>
11 11
12 <PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' "> 12 <PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' ">
@@ -113,47 +113,39 @@
113 </ItemGroup> 113 </ItemGroup>
114 </Target> 114 </Target>
115 115
116 <Target Name="_GetSignClient" 116 <Target Name="SignOutput" AfterTargets="AfterBuild"
117 Condition=" !Exists('$(SigningToolExe)') "> 117 Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' and
118
119 <WriteLinesToFile File='$(SigningFilelist)' Lines='do-not-sign-files-in-nupkg' Overwrite='true' />
120
121 <Exec Command='dotnet.exe tool install --tool-path "$(SigningToolFolder)" SignClient' IgnoreExitCode='true' />
122 </Target>
123
124 <Target Name="SignOutput" DependsOnTargets="_GetSignClient" AfterTargets="AfterBuild"
125 Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' and
126 ('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))"> 118 ('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))">
127 119
128 <Message Importance="high" Text="Signing file: $(TargetPath) using configuration from: $(SigningConfiguration)" /> 120 <Message Importance="high" Text="Signing file: $(TargetPath)" />
129 121
130 <Exec Command='"$(SigningToolExe)" sign -i $(TargetPath) -c "$(SigningConfiguration)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"' 122 <Exec Command='"$(SigningToolExe)" code azure-key-vault $(TargetPath) $(SigningConfiguration)'
131 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" /> 123 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
132 </Target> 124 </Target>
133 125
134 <Target Name="SignNupkg" DependsOnTargets="_GetSignClient" AfterTargets="Pack;PackNative" 126 <Target Name="SignNupkg" AfterTargets="Pack;PackNative"
135 Condition=" '$(SigningUser)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' "> 127 Condition=" '$(SigningCertName)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
136 <ItemGroup> 128 <ItemGroup>
137 <SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " /> 129 <SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " />
138 </ItemGroup> 130 </ItemGroup>
139 131
140 <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" /> 132 <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;)" />
141 133
142 <Exec Command='"$(SigningToolExe)" sign -i "@(SigningNupkgs->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"' 134 <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SigningNupkgs->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
143 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" /> 135 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
144 </Target> 136 </Target>
145 137
146 <Target Name="SignBundleEngine" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' "> 138 <Target Name="SignBundleEngine" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
147 <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" /> 139 <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />
148 140
149 <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundleEngine->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"' 141 <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundleEngine->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
150 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" /> 142 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
151 </Target> 143 </Target>
152 144
153 <Target Name="SignBundle" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' "> 145 <Target Name="SignBundle" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
154 <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" /> 146 <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />
155 147
156 <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundle->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"' 148 <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundle->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
157 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" /> 149 WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
158 </Target> 150 </Target>
159 151
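Review bot: `$(TargetPath)` is passed unquoted in the `SignOutput` Exec at new line 122 (`"$(SigningToolExe)" code azure-key-vault $(TargetPath) $(SigningConfiguration)`), while the three sibling targets quote their input (`"@(SigningNupkgs->'%(Identity)')"`); an output path containing a space would be split into two arguments, so it should read `"$(SigningToolExe)" code azure-key-vault "$(TargetPath)" $(SigningConfiguration)`. Removing `_GetSignClient` also removes the only place that ensured the tool existed, so a machine with `SigningCertName` set but no `sign.exe` under `$(SigningToolFolder)` now fails inside Exec with a generic error; an `<Error Condition="!Exists('$(SigningToolExe)')" Text="Signing requested but $(SigningToolExe) was not found; run the 'Install sign tool' step or set SignOutput=false." />` at the top of each signing target (or in one shared target they depend on) would make that explicit. Presumably `$(ToolsFolder)` resolves to the `build\.tools` path the workflow installs into, but that definition is not in this diff and is worth confirming. A short comment on the `<SigningConfiguration>` property at new line 9 noting that it is now a CLI argument string rather than a path to `signing.json` would help readers who still see the old name.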
diff --git a/src/internal/SetBuildNumber/SetBuildNumber.proj b/src/internal/SetBuildNumber/SetBuildNumber.proj
index cf98234e..9ff4e7c3 100644
--- a/src/internal/SetBuildNumber/SetBuildNumber.proj
+++ b/src/internal/SetBuildNumber/SetBuildNumber.proj
@@ -22,8 +22,7 @@
22 GitThisAssembly; 22 GitThisAssembly;
23 SetGlobalJson; 23 SetGlobalJson;
24 SetDirectoryPackagesProps; 24 SetDirectoryPackagesProps;
25 SetOverallWixVersions; 25 SetOverallWixVersions
26 InstallSigningClient
27 </SetBuildNumbersDependsOn> 26 </SetBuildNumbersDependsOn>
28 27
29 <GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath> 28 <GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath>
@@ -106,12 +105,6 @@
106 </Target> 105 </Target>
107 106
108 107
109 <Target Name="InstallSigningClient"
110 DependsOnTargets="_GetSignClient"
111 Condition=" '$(SigningUser)'!='' ">
112 </Target>
113
114
115 <Target Name="SetBuildNumbers" 108 <Target Name="SetBuildNumbers"
116 DependsOnTargets="$(SetBuildNumbersDependsOn)" 109 DependsOnTargets="$(SetBuildNumbersDependsOn)"
117 BeforeTargets="AfterBuild" /> 110 BeforeTargets="AfterBuild" />
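--- /dev/null
+++ b/src/signing-empty-file-list.txt
@@ -0,0 +1 @@
+this-file-prevents-files-from-being-signed-in-nupkgs
\ No newline at end of file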
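--- a/src/signing.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "SignClient": {
- "AzureAd": {
- "AADInstance": "https://login.microsoftonline.com/",
- "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
- "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
- },
- "Service": {
- "Url": "https://codesign.dotnetfoundation.org/",
- "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
- }
- }
-}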