From ccd33c1e318a48da2e2d07a3828837e3f51d074c Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Sun, 22 Sep 2024 21:48:00 -0700
Subject: [PATCH 01/11] fix: moving cscInfo logic into signtoolManager to distinguish the logic between custom sign, csc info, and azure signing - logs error if signing cscInfo cannot be identified during signtool execution. Return false for quick exit with logging
---
 .changeset/tiny-knives-behave.md | 5 ++
 .../src/codeSign/windowsSignToolManager.ts | 27 +++++++++-
 .../src/targets/nsis/NsisTarget.ts | 2 +-
 packages/app-builder-lib/src/winPackager.ts | 49 +++----------------
 4 files changed, 38 insertions(+), 45 deletions(-)
 create mode 100644 .changeset/tiny-knives-behave.md
diff --git a/.changeset/tiny-knives-behave.md b/.changeset/tiny-knives-behave.md
new file mode 100644
index 00000000000..d65bcbafae8
--- /dev/null
+++ b/.changeset/tiny-knives-behave.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: moving cscInfo logic into signtoolManager to distinguish the logic between custom sign, csc info, and azure signing
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignToolManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignToolManager.ts
index 8dbfc0708a5..1e744be4a50 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignToolManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignToolManager.ts
@@ -174,11 +174,36 @@ export class WindowsSignToolManager {
 hashes = Array.isArray(hashes) ? hashes : [hashes]
 }
- const cscInfo = await this.cscInfo.value
 const name = this.packager.appInfo.productName
 const site = await this.packager.appInfo.computePackageUrl()
 const customSign = await resolveFunction(this.packager.appInfo.type, chooseNotNull(options.options.signtoolOptions?.sign, options.options.sign), "sign")
+
+ const cscInfo = await this.cscInfo.value
+ if (cscInfo) {
+ let logInfo: any = {
+ file: log.filePath(options.path),
+ }
+ if ("file" in cscInfo) {
+ logInfo = {
+ ...logInfo,
+ certificateFile: cscInfo.file,
+ }
+ } else {
+ logInfo = {
+ ...logInfo,
+ subject: cscInfo.subject,
+ thumbprint: cscInfo.thumbprint,
+ store: cscInfo.store,
+ user: cscInfo.isLocalMachineStore ? "local machine" : "current user",
+ }
+ }
+ log.info(logInfo, "signing")
+ } else if (!customSign) {
+ log.error({ signHook: customSign, cscInfo }, "no signing info identified, signing is skipped")
+ return false
+ }
+
 const executor = customSign || ((config: CustomWindowsSignTaskConfiguration, packager: WinPackager) => this.doSign(config, packager))
 let isNest = false
 for (const hash of hashes) {
diff --git a/packages/app-builder-lib/src/targets/nsis/NsisTarget.ts b/packages/app-builder-lib/src/targets/nsis/NsisTarget.ts
index db818983798..d1abbe7ffaa 100644
--- a/packages/app-builder-lib/src/targets/nsis/NsisTarget.ts
+++ b/packages/app-builder-lib/src/targets/nsis/NsisTarget.ts
@@ -403,7 +403,7 @@ export class NsisTarget extends Target {
 } else {
 await execWine(installerPath, null, [], { env: { __COMPAT_LAYER: "RunAsInvoker" } })
 }
- await packager.sign(uninstallerPath, "signing NSIS uninstaller")
+ await packager.sign(uninstallerPath)
 delete defines.BUILD_UNINSTALLER // platform-specific path, not wine
diff --git a/packages/app-builder-lib/src/winPackager.ts b/packages/app-builder-lib/src/winPackager.ts
index 32cadcc3dcf..467e05b4d00 100644
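Review bot: In the windowsSignToolManager.ts hunk, `let logInfo: any` turns off type checking for the object that is written to the signing log; `Record<string, unknown>` keeps the certificate fields checked without changing behaviour. The new `else if (!customSign)` branch logs at error level and returns `false`, and as far as the winPackager.ts hunk of this patch shows, that value only fails the build when `forceCodeSigning` is set, so an unsigned artifact can otherwise pass with a single log line. A comment on the `return false` would record that contract, e.g. `// unsigned result: the caller decides via forceCodeSigning whether this is fatal`. The enclosing method starts and ends outside the hunk.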
--- a/packages/app-builder-lib/src/winPackager.ts
+++ b/packages/app-builder-lib/src/winPackager.ts
@@ -122,56 +122,19 @@ export class WinPackager extends PlatformPackager {
 )
 }
- async sign(file: string, logMessagePrefix?: string): Promise {
+ async sign(file: string): Promise {
 const signOptions: WindowsSignOptions = {
 path: file,
 options: this.platformSpecificBuildOptions,
 }
- const cscInfo = await (await this.signtoolManager.value).cscInfo.value
- if (cscInfo == null) {
- if (chooseNotNull(this.platformSpecificBuildOptions.signtoolOptions?.sign, this.platformSpecificBuildOptions.sign) != null) {
- return signWindows(signOptions, this)
- } else if (this.forceCodeSigning) {
- throw new InvalidConfigurationError(
- `App is not signed and "forceCodeSigning" is set to true, please ensure that code signing configuration is correct, please see https://electron.build/code-signing`
- )
- }
- return false
- }
-
- if (logMessagePrefix == null) {
- logMessagePrefix = "signing"
- }
-
- if ("file" in cscInfo) {
- log.info(
- {
- file: log.filePath(file),
- certificateFile: cscInfo.file,
- },
- logMessagePrefix
- )
- } else {
- const info = cscInfo
- log.info(
- {
- file: log.filePath(file),
- subject: info.subject,
- thumbprint: info.thumbprint,
- store: info.store,
- user: info.isLocalMachineStore ? "local machine" : "current user",
- },
- logMessagePrefix
+ const didSignSuccessfully = await this.doSign(signOptions)
+ if (!didSignSuccessfully && this.forceCodeSigning) {
+ throw new InvalidConfigurationError(
+ `App is not signed and "forceCodeSigning" is set to true, please ensure that code signing configuration is correct, please see https://electron.build/code-signing`
 )
 }
-
- return this.doSign({
- ...signOptions,
- options: {
- ...this.platformSpecificBuildOptions,
- },
- })
+ return didSignSuccessfully
 }
 private async doSign(options: WindowsSignOptions) {
From 9b8583a69c0dc88bb9cd1a08610086831f78d863 Mon Sep 17 00:00:00 2001
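Review bot: `sign()` now enforces `forceCodeSigning` purely from the value `doSign` resolves to, and `doSign`'s body is outside this hunk, so every signing path behind it has to resolve to `false` whenever nothing was signed; a path that resolves to a truthy value without signing would pass the check silently. That contract deserves a TSDoc line on `sign`, e.g. `/** Resolves to false when signing was skipped; throws InvalidConfigurationError if it was skipped while forceCodeSigning is set. */`. Dropping `logMessagePrefix` also means the NSIS uninstaller signing is no longer labelled in the log and can only be told apart by its file path.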
From: Mike Maietta
Date: Mon, 23 Sep 2024 08:28:26 -0700
Subject: [PATCH 02/11] add unit test and check env vars before installing require package provider and modules
---
 .../src/codeSign/windowsSignAzureManager.ts | 14 +++++++-------
 test/snapshots/windows/winCodeSignTest.js.snap | 2 ++
 test/src/windows/winCodeSignTest.ts | 18 +++++++++++++++++-
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 044749d86e2..5aaeb93850a 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -7,13 +7,6 @@ export class WindowsSignAzureManager {
 constructor(private readonly packager: WinPackager) {}
 async initializeProviderModules() {
- const vm = await this.packager.vm.value
- const ps = await getPSCmd(vm)
-
- log.debug(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, ["Install-PackageProvider", "-Name", "NuGet", "-MinimumVersion", "2.8.5.201", "-Force", "-Scope", "CurrentUser"])
- await vm.exec(ps, ["Install-Module", "-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery", "-Scope", "CurrentUser"])
-
 // Preemptively check env vars once during initialization
 // Options: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition
 log.info(null, "verifying env vars for authenticating to Microsoft Entra ID")
@@ -23,6 +16,13 @@ export class WindowsSignAzureManager {
 `Unable to find valid azure env configuration for signing. Missing field(s) can be debugged via "DEBUG=electron-builder". Please refer to: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition`
 )
 }
+
+ const vm = await this.packager.vm.value
+ const ps = await getPSCmd(vm)
+
+ log.debug(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
+ await vm.exec(ps, ["Install-PackageProvider", "-Name", "NuGet", "-MinimumVersion", "2.8.5.201", "-Force", "-Scope", "CurrentUser"])
+ await vm.exec(ps, ["Install-Module", "-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery", "-Scope", "CurrentUser"])
 }
 verifyRequiredEnvVars() {
diff --git a/test/snapshots/windows/winCodeSignTest.js.snap b/test/snapshots/windows/winCodeSignTest.js.snap
index 304ccebb1a3..0620c5af5c3 100644
--- a/test/snapshots/windows/winCodeSignTest.js.snap
+++ b/test/snapshots/windows/winCodeSignTest.js.snap
@@ -1,5 +1,7 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP +exports[`azure signing without credentials 1`] = `"ERR_ELECTRON_BUILDER_INVALID_CONFIGURATION"`; + exports[`electronDist 1`] = `"ENOENT"`; exports[`forceCodeSigning 1`] = `"ERR_ELECTRON_BUILDER_INVALID_CONFIGURATION"`;
diff --git a/test/src/windows/winCodeSignTest.ts b/test/src/windows/winCodeSignTest.ts
index 39166d23620..33ca0883478 100644
--- a/test/src/windows/winCodeSignTest.ts
+++ b/test/src/windows/winCodeSignTest.ts
@@ -106,9 +106,25 @@ test.ifAll.ifNotCiMac(
 test.ifAll.ifNotCiMac(
 "electronDist",
 appThrows({
- targets: Platform.WINDOWS.createTarget(DIR_TARGET),
+ targets: windowsDirTarget,
 config: {
 electronDist: "foo",
 },
 })
 )
+
+test.ifAll.ifNotCiMac(
+ "azure signing without credentials",
+ appThrows({
+ targets: windowsDirTarget,
+ config: {
+ forceCodeSigning: true,
+ win: {
+ azureSignOptions: {
+ endpoint: "https://weu.codesigning.azure.net/",
+ certificateProfileName: "profilenamehere"
+ }
+ }
+ },
+ })
+)
From 1ddf48c3fe333100884c424bf9af104121f81eb8 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 08:35:14 -0700
Subject: [PATCH 03/11] move back installation provider and module to test as part of CI flow
---
 .../src/codeSign/windowsSignAzureManager.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 5aaeb93850a..d5b200d47a2 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -7,6 +7,13 @@ export class WindowsSignAzureManager {
 constructor(private readonly packager: WinPackager) {}
 async initializeProviderModules() {
+ const vm = await this.packager.vm.value
+ const ps = await getPSCmd(vm)
+
+ log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
+ await vm.exec(ps, ["Install-PackageProvider", "-Name", "NuGet", "-MinimumVersion", "2.8.5.201", "-Force", "-Scope", "CurrentUser"])
+ await vm.exec(ps, ["Install-Module", "-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery", "-Scope", "CurrentUser"])
+
 // Preemptively check env vars once during initialization
 // Options: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition
 log.info(null, "verifying env vars for authenticating to Microsoft Entra ID")
@@ -16,13 +23,6 @@ export class WindowsSignAzureManager {
 `Unable to find valid azure env configuration for signing. Missing field(s) can be debugged via "DEBUG=electron-builder". Please refer to: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition`
 )
 }
-
- const vm = await this.packager.vm.value
- const ps = await getPSCmd(vm)
-
- log.debug(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, ["Install-PackageProvider", "-Name", "NuGet", "-MinimumVersion", "2.8.5.201", "-Force", "-Scope", "CurrentUser"])
- await vm.exec(ps, ["Install-Module", "-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery", "-Scope", "CurrentUser"])
 }
 verifyRequiredEnvVars() {
From 635b1b04d5dfb28a3f923114eeb90485fb51c73a Mon Sep 17 00:00:00 2001
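Review bot: In the first hunk the `Install-PackageProvider` and `Install-Module` calls run again before the env-var verification that is logged on the context lines just below, so a build with missing Azure credentials still downloads and installs a module from PSGallery into the CurrentUser scope before it fails. Unless the CI test really depends on that order, keeping the credential check first, as patch 02 had it, avoids a network install on a configuration that cannot sign anyway. If the order stays, a comment such as `// install first so CI exercises module installation even without credentials` would record why. The method body continues outside the hunk.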
From: Mike Maietta
Date: Mon, 23 Sep 2024 08:40:57 -0700
Subject: [PATCH 04/11] add `-NoProfile -NonInteractive -Command` to pwsh.exe commands
---
 .../src/codeSign/windowsSignAzureManager.ts | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index d5b200d47a2..c29e9b0f49c 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -11,8 +11,8 @@ export class WindowsSignAzureManager {
 const ps = await getPSCmd(vm)
 log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, ["Install-PackageProvider", "-Name", "NuGet", "-MinimumVersion", "2.8.5.201", "-Force", "-Scope", "CurrentUser"])
- await vm.exec(ps, ["Install-Module", "-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery", "-Scope", "CurrentUser"])
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
 // Preemptively check env vars once during initialization
 // Options: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition
@@ -80,10 +80,12 @@ export class WindowsSignAzureManager {
 CertificateProfileName: certificateProfileName,
 Files: options.path,
 }
- const paramsString = Object.entries(params).reduce((res, [field, value]) => {
- return [...res, `-${field}`, value]
- }, [] as string[])
- await vm.exec(ps, ["Invoke-TrustedSigning", ...paramsString])
+ const paramsString = Object.entries(params)
+ .reduce((res, [field, value]) => {
+ return [...res, `-${field}`, value]
+ }, [] as string[])
+ .join(" ")
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", `-Command Invoke-TrustedSigning ${paramsString}`])
 return true
 }
From 21f9fac38044bbf638585328e067d3f82ff9f628 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 08:54:22 -0700
Subject: [PATCH 05/11] test different params being passed in for powershell.exe versus pwsh.exe
---
 .../app-builder-lib/src/codeSign/windowsSignAzureManager.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index c29e9b0f49c..cf05475d289 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
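Review bot: The added lines of this hunk join every parameter value with spaces and splice the result into a single `-Command` string, so `Files: options.path`, the endpoint and any extra arguments from the config are parsed by PowerShell as script text instead of being passed as data; a path containing a space splits into two arguments, and PowerShell metacharacters in a value are interpreted rather than kept literal. Quote each value as a single-quoted PowerShell literal before joining, e.g. ``return [...res, `-${field}`, `'${String(value).replace(/'/g, "''")}'`]``. The same interpolation survives in the `@@ -85,7 +85,7 @@` hunk of patch 05, which only moves `-Command` into its own array element. The enclosing method starts outside the hunk.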
@@ -11,8 +11,8 @@ export class WindowsSignAzureManager { const ps = await getPSCmd(vm) log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser") - await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"]) - await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"]) + await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"]) + await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"]) // Preemptively check env vars once during initialization // Options: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition @@ -85,7 +85,7 @@ export class WindowsSignAzureManager { return [...res, `-${field}`, value] }, [] as string[]) .join(" ") - await vm.exec(ps, ["-NoProfile", "-NonInteractive", `-Command Invoke-TrustedSigning ${paramsString}`]) + await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", `Invoke-TrustedSigning ${paramsString}`]) return true } From 3b2a0a0e77bd2b23f17dd37bb86b3fd7a0e69896 Mon Sep 17 00:00:00 2001 From: Mike Maietta Date: Mon, 23 Sep 2024 09:11:52 -0700 Subject: [PATCH 06/11] test another command approach for pwsh.exe --- .../src/codeSign/windowsSignAzureManager.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts index cf05475d289..945ef6ddd21 100644 --- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts 
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -11,7 +11,12 @@ export class WindowsSignAzureManager {
 const ps = await getPSCmd(vm)
 log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
+ await vm.exec(ps, [
+ "-NoProfile",
+ "-NonInteractive",
+ "-Command",
+ "Get-PackageProvider | where name -eq 'nuget' | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser",
+ ])
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
 // Preemptively check env vars once during initialization
From 61c8956018b7d50873c08cae094ec31490523875 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 09:18:05 -0700
Subject: [PATCH 07/11] register package source before attempting installation
---
 .../app-builder-lib/src/codeSign/windowsSignAzureManager.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 945ef6ddd21..d4c9c743107 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -15,8 +15,9 @@ export class WindowsSignAzureManager {
 "-NoProfile",
 "-NonInteractive",
 "-Command",
- "Get-PackageProvider | where name -eq 'nuget' | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser",
+ "Register-PackageSource -Name nuget.org -ProviderName NuGet -Location https://api.nuget.org/v3/index.json -Trusted",
 ])
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
 // Preemptively check env vars once during initialization
From 60f3d4e686d49a2348ec39ce671638cd2adac299 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 09:28:13 -0700
Subject: [PATCH 08/11] Register-PackageSource
---
 .../src/codeSign/windowsSignAzureManager.ts | 7 +------
 test/src/windows/winCodeSignTest.ts | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index d4c9c743107..9272b4b057d 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -11,12 +11,7 @@ export class WindowsSignAzureManager {
 const ps = await getPSCmd(vm)
 log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, [
- "-NoProfile",
- "-NonInteractive",
- "-Command",
- "Register-PackageSource -Name nuget.org -ProviderName NuGet -Location https://api.nuget.org/v3/index.json -Trusted",
- ])
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Register-PackageSource -Name MyNuGet -Location https://www.nuget.org/api/v2 -ProviderName NuGet"])
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
diff --git a/test/src/windows/winCodeSignTest.ts b/test/src/windows/winCodeSignTest.ts
index 33ca0883478..ea2401893a2 100644
--- a/test/src/windows/winCodeSignTest.ts
+++ b/test/src/windows/winCodeSignTest.ts
@@ -113,7 +113,7 @@ test.ifAll.ifNotCiMac(
 })
 )
-test.ifAll.ifNotCiMac(
+test.only(
 "azure signing without credentials",
 appThrows({
 targets: windowsDirTarget,
From ed76586d9c57aa189adf1974f6a290d8a2c6c228 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 09:44:40 -0700
Subject: [PATCH 09/11] maybe nuget isn't needed on GH runner?
---
 .github/workflows/test.yaml | 6 +++---
 .../app-builder-lib/src/codeSign/windowsSignAzureManager.ts | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 27ee1c47856..46b763235b6 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -101,9 +101,9 @@ jobs:
 fail-fast: false
 matrix:
 testFiles:
- - winCodeSignTest,differentialUpdateTest
- - installerTest,appxTest,msiTest,portableTest,assistedInstallerTest,protonTest
- - BuildTest,oneClickInstallerTest,winPackagerTest,nsisUpdaterTest,webInstallerTest
+ - winCodeSignTest # ,differentialUpdateTest
+ # - installerTest,appxTest,msiTest,portableTest,assistedInstallerTest,protonTest
+ # - BuildTest,oneClickInstallerTest,winPackagerTest,nsisUpdaterTest,webInstallerTest
 steps:
 - name: Checkout code repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 9272b4b057d..7f4bc0af50f 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -11,8 +11,8 @@ export class WindowsSignAzureManager {
 const ps = await getPSCmd(vm)
 log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Register-PackageSource -Name MyNuGet -Location https://www.nuget.org/api/v2 -ProviderName NuGet"])
- await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
+ // await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Register-PackageSource -Name MyNuGet -Location https://www.nuget.org/api/v2 -ProviderName NuGet"])
+ // await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
 // Preemptively check env vars once during initialization
From c810f2a976b7197ca9604c9167c73b26dc305575 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Mon, 23 Sep 2024 09:49:59 -0700
Subject: [PATCH 10/11] clean up?
---
 .github/workflows/test.yaml | 6 +++---
 .../src/codeSign/windowsSignAzureManager.ts | 11 ++++++++---
 test/src/windows/winCodeSignTest.ts | 2 +-
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 46b763235b6..27ee1c47856 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -101,9 +101,9 @@ jobs:
 fail-fast: false
 matrix:
 testFiles:
- - winCodeSignTest # ,differentialUpdateTest
- # - installerTest,appxTest,msiTest,portableTest,assistedInstallerTest,protonTest
- # - BuildTest,oneClickInstallerTest,winPackagerTest,nsisUpdaterTest,webInstallerTest
+ - winCodeSignTest,differentialUpdateTest
+ - installerTest,appxTest,msiTest,portableTest,assistedInstallerTest,protonTest
+ - BuildTest,oneClickInstallerTest,winPackagerTest,nsisUpdaterTest,webInstallerTest
 steps:
 - name: Checkout code repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 7f4bc0af50f..0dfa3b45113 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -10,9 +10,14 @@ export class WindowsSignAzureManager {
 const vm = await this.packager.vm.value
 const ps = await getPSCmd(vm)
- log.info(null, "installing required package provider (NuGet) and module (TrustedSigning) with scope CurrentUser")
- // await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Register-PackageSource -Name MyNuGet -Location https://www.nuget.org/api/v2 -ProviderName NuGet"])
- // await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
+ log.info(null, "installing required module (TrustedSigning) with scope CurrentUser")
+ try {
+ await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser"])
+ } catch (error: any) {
+ // Might not be needed, seems GH runners already have NuGet set up.
+ // Logging to debug just in case users run into this. If NuGet isn't present, Install-Module -Name TrustedSigning will fail, so we'll get the logs at that point
+ log.debug({ message: error.message || error.stack }, "unable to install PackageProvider Nuget. Might be a false alarm though as some systems already have it installed")
+ }
 await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])
 // Preemptively check env vars once during initialization
diff --git a/test/src/windows/winCodeSignTest.ts b/test/src/windows/winCodeSignTest.ts
index ea2401893a2..33ca0883478 100644
--- a/test/src/windows/winCodeSignTest.ts
+++ b/test/src/windows/winCodeSignTest.ts
@@ -113,7 +113,7 @@ test.ifAll.ifNotCiMac(
 })
 )
-test.only(
+test.ifAll.ifNotCiMac(
 "azure signing without credentials",
 appThrows({
 targets: windowsDirTarget,
From b88144e8116f12d28283a51e7b78d6d9ad3097d8 Mon Sep 17 00:00:00 2001
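Review bot: The new `catch (error: any)` around `Install-PackageProvider` hides every failure of that call at debug level, including ones that have nothing to do with NuGet already being present, and `error: any` lets `error.message` through unchecked. Prefer `catch (error: unknown)` with `error instanceof Error ? error.message : String(error)`, and log through `log.info` so a failed provider install shows up without `DEBUG=electron-builder`. The comment's assumption that `Install-Module` then fails visibly holds only while that call stays directly after the try block, as it does on the context line here. The method body continues outside the hunk.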
From: Mike Maietta
Date: Mon, 23 Sep 2024 10:57:02 -0700
Subject: [PATCH 11/11] formatting and adding default FileDigest value
---
 .../app-builder-lib/src/codeSign/windowsSignAzureManager.ts | 3 ++-
 test/src/windows/winCodeSignTest.ts | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 0dfa3b45113..321c72286c7 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -81,7 +81,8 @@ export class WindowsSignAzureManager {
 const { endpoint, certificateProfileName, ...extraSigningArgs }: WindowsAzureSigningConfiguration = options.options.azureSignOptions!
 const params = {
- ...extraSigningArgs,
+ FileDigest: "SHA256",
+ ...extraSigningArgs, // allows overriding FileDigest if provided in config
 Endpoint: endpoint,
 CertificateProfileName: certificateProfileName,
 Files: options.path,
diff --git a/test/src/windows/winCodeSignTest.ts b/test/src/windows/winCodeSignTest.ts
index 33ca0883478..97711a77b2e 100644
--- a/test/src/windows/winCodeSignTest.ts
+++ b/test/src/windows/winCodeSignTest.ts
@@ -122,9 +122,9 @@ test.ifAll.ifNotCiMac(
 win: {
 azureSignOptions: {
 endpoint: "https://weu.codesigning.azure.net/",
- certificateProfileName: "profilenamehere"
- }
- }
+ certificateProfileName: "profilenamehere",
+ },
+ },
 },
 })
 )
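Review bot: The `FileDigest: "SHA256"` default in `params` is only replaced when the config supplies a key spelled exactly `FileDigest`; JavaScript object keys are case-sensitive while PowerShell parameter names are not, so a config key such as `fileDigest` would put the parameter on the command line twice and the cmdlet call would most likely be rejected. Normalising the key case of `extraSigningArgs` before the spread, or stating the required spelling next to the existing comment, avoids that. It is also worth recording that `Endpoint`, `CertificateProfileName` and `Files` sit after the spread on purpose, e.g. `// keep these last: extraSigningArgs must not override them`. The shape of `WindowsAzureSigningConfiguration` is not visible in this hunk, so confirm which extra keys it allows.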