Skip to content

Commit

Permalink
Update to latest signing infrastructure
Browse files Browse the repository at this point in the history
Fixes 7546
  • Loading branch information
robmen committed Sep 12, 2023
1 parent 5fa7308 commit bd9aa41
Show file tree
Hide file tree
Showing 5 changed files with 35 additions and 48 deletions.
18 changes: 16 additions & 2 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@ jobs:
# shell: cmd
# run: ./src/vs_config.cmd

- name: Install sign tool
if: (github.ref == 'refs/heads/master')
shell: cmd
run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1

- name: Configure automated logging and crash dumps
shell: cmd
run: |
Expand All @@ -50,13 +55,22 @@ jobs:
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1
- name: 'Az CLI login'
if: (github.ref == 'refs/heads/master')
uses: azure/login@v1
with:
allow-no-subscriptions: true
client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }}

- name: Build wix4
shell: cmd
run: ./src/build_official.cmd
env:
RuntimeTestsEnabled: true
SigningUser: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }}
SigningSecret: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }}
SigningVaultUri: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }}
SigningCertName: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }}

- name: Validate test results
shell: cmd
Expand Down
42 changes: 17 additions & 25 deletions src/Directory.Build.targets
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,9 @@
<Project>
<PropertyGroup>
<SigningToolFolder>$(ToolsFolder)</SigningToolFolder>
<SigningToolExe>$(SigningToolFolder)\SignClient.exe</SigningToolExe>
<SigningFilelist>$(SigningToolFolder)\empty-filelist.txt</SigningFilelist>
<SigningConfiguration>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json</SigningConfiguration>
<SigningToolExe>$(SigningToolFolder)\sign.exe</SigningToolExe>
<SigningFilelist>$(MSBuildThisFileDirectory)signing-empty-file-list.txt</SigningFilelist>
<SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"</SigningConfiguration>
</PropertyGroup>

<PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' ">
Expand Down Expand Up @@ -113,47 +113,39 @@
</ItemGroup>
</Target>

<Target Name="_GetSignClient"
Condition=" !Exists('$(SigningToolExe)') ">

<WriteLinesToFile File='$(SigningFilelist)' Lines='do-not-sign-files-in-nupkg' Overwrite='true' />

<Exec Command='dotnet.exe tool install --tool-path "$(SigningToolFolder)" SignClient' IgnoreExitCode='true' />
</Target>

<Target Name="SignOutput" DependsOnTargets="_GetSignClient" AfterTargets="AfterBuild"
Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' and
<Target Name="SignOutput" AfterTargets="AfterBuild"
Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' and
('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))">

<Message Importance="high" Text="Signing file: $(TargetPath) using configuration from: $(SigningConfiguration)" />
<Message Importance="high" Text="Signing file: $(TargetPath)" />

<Exec Command='"$(SigningToolExe)" sign -i $(TargetPath) -c "$(SigningConfiguration)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
<Exec Command='"$(SigningToolExe)" code $(TargetPath) $(SigningConfiguration)'
WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
</Target>

<Target Name="SignNupkg" DependsOnTargets="_GetSignClient" AfterTargets="Pack;PackNative"
Condition=" '$(SigningUser)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
<Target Name="SignNupkg" AfterTargets="Pack;PackNative"
Condition=" '$(SigningCertName)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
<ItemGroup>
<SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " />
</ItemGroup>

<Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
<Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;)" />

<Exec Command='"$(SigningToolExe)" sign -i "@(SigningNupkgs->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
<Exec Command='"$(SigningToolExe)" code "@(SigningNupkgs->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
</Target>

<Target Name="SignBundleEngine" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
<Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
<Target Name="SignBundleEngine" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
<Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />

<Exec Command='"$(SigningToolExe)" sign -i "@(SignBundleEngine->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
<Exec Command='"$(SigningToolExe)" code "@(SignBundleEngine->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
</Target>

<Target Name="SignBundle" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
<Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
<Target Name="SignBundle" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
<Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />

<Exec Command='"$(SigningToolExe)" sign -i "@(SignBundle->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
<Exec Command='"$(SigningToolExe)" code "@(SignBundle->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
</Target>

Expand Down
9 changes: 1 addition & 8 deletions src/internal/SetBuildNumber/SetBuildNumber.proj
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,7 @@
GitThisAssembly;
SetGlobalJson;
SetDirectoryPackagesProps;
SetOverallWixVersions;
InstallSigningClient
SetOverallWixVersions
</SetBuildNumbersDependsOn>

<GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath>
Expand Down Expand Up @@ -106,12 +105,6 @@
</Target>


<Target Name="InstallSigningClient"
DependsOnTargets="_GetSignClient"
Condition=" '$(SigningUser)'!='' ">
</Target>


<Target Name="SetBuildNumbers"
DependsOnTargets="$(SetBuildNumbersDependsOn)"
BeforeTargets="AfterBuild" />
Expand Down
1 change: 1 addition & 0 deletions src/signing-empty-file-list.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
this-file-prevents-files-from-being-signed-in-nupkgs
13 changes: 0 additions & 13 deletions src/signing.json

This file was deleted.

0 comments on commit bd9aa41

Please sign in to comment.