[XB1] Add self signed cert with updated instructions (#895)

Add a self-signed cert for the 'CommonName' publisher that's used as a default for external contributors. Update and open source the instructions for contributors to generate a self-signed cert for testing. Update packager to be runnable for much more streamlined local packaging into appx files. b/290831656 Change-Id: Id0bd72f7919714e4a3f8cb8ef5a27b5c3e57c862
youtube · Jul 13, 2023 · 9b87b36 · 9b87b36
1 parent dd95b94
commit 9b87b36
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 2 deletions.
diff --git a/starboard/xb1/cert/README.md b/starboard/xb1/cert/README.md
@@ -0,0 +1,32 @@
+This directory contains a cobalt.pfx cert for signing UWP appx packages.
+
+This cert is not for use with submitting to the Microsoft store. It
+is intended only to be used for running the Windows App Cert Kit. Note that
+you will need to regenerate this file to be able to sign a cobalt appx yourself.
+
+It was generated as follows, using tools in SDK 10.0.22621.0 run in PowerShell
+as an administrator:
+
+Create a new self-signed certificate with an extended key usage for code
+signing. The Subject must match the Publisher field in your AppxManifest.
+`New-SelfSignedCertificate -Type Custom -Subject "<Publisher information from AppxManifest.xml>" -FriendlyName "cobalt-cert" -KeyUsage DigitalSignature -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3")`
+
+Verify that the cert was created properly. You should see the new cert if you
+run the following command (Cert:\LocalMachine\My is the default cert store,
+yours may be in a different location).
+`Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, FriendlyName, Thumbprint`
+
+Export the certificate to a Personal Information Exchange (pfx) file.
+`Export-PfxCertificate -cert Cert:\LocalMachine\My\<Certificate Thumbprint> -FilePath <FilePath>.pfx -ProtectTo <Username or group name>`
+
+See the following for more information:
+
+https://learn.microsoft.com/en-us/windows/msix/package/create-certificate-package-signing
+
+It is recommended that you remove any certificates once they are no longer
+necessary to prevent them from being used maliciously. If you need to remove
+this certificate, run the following in PowerShell as an administrator.
+
+`Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, FriendlyName, Thumbprint`
+
+`Get-ChildItem Cert:\LocalMachine\My\<Certificate Thumbprint> | Remove-Item`
diff --git a/starboard/xb1/cert/cobalt.pfx b/starboard/xb1/cert/cobalt.pfx
diff --git a/starboard/xb1/tools/packager.py b/starboard/xb1/tools/packager.py
@@ -17,28 +17,40 @@
   Called by package_application.py
 """
 
+import argparse
 import logging
 import os
 import platform
 import shutil
 import subprocess
+import sys
 from xml.etree import ElementTree as ET
 import zipfile
 
 from starboard.tools import package
 
-_DEFAULT_CERT_PATH = os.path.join(
+_INTERNAL_CERT_PATH = os.path.join(
     os.path.dirname(os.path.realpath(__file__)), os.pardir, os.pardir,
     os.pardir, 'internal', 'starboard', 'xb1', 'cert', 'youtube.pfx')
+_EXTERNAL_CERT_PATH = os.path.join(
+    os.path.dirname(os.path.realpath(__file__)), os.pardir, os.pardir,
+    os.pardir, 'starboard', 'xb1', 'cert', 'cobalt.pfx')
 _APPX_MANIFEST_XML_NAMESPACE = \
     'http://schemas.microsoft.com/appx/manifest/foundation/windows10'
 _NAMESPACE_DICT = {'appx': _APPX_MANIFEST_XML_NAMESPACE}
 _PUBLISHER_XPATH = './appx:Identity[@Publisher]'
 _PRODUCT_APPX_NAME = {
+    'cobalt': 'cobalt',
     'youtube': 'cobalt',
     'mainappbeta': 'mainappbeta',
     'youtubetv': 'youtubetv'
 }
+_PRODUCT_CERT_PATH = {
+    'cobalt': _EXTERNAL_CERT_PATH,
+    'youtube': _INTERNAL_CERT_PATH,
+    'mainappbeta': _INTERNAL_CERT_PATH,
+    'youtubetv': _INTERNAL_CERT_PATH,
+}
 _DEFAULT_SDK_BIN_DIR = 'C:\\Program Files (x86)\\Windows Kits\\10\\bin'
 _DEFAULT_WIN_SDK_VERSION = '10.0.22000.0'
 _SOURCE_SPLASH_SCREEN_SUB_PATH = os.path.join('internal', 'cobalt', 'browser',
@@ -48,6 +60,7 @@
 _DESTINATION__SPLASH_SCREEN_SUB_PATH = os.path.join('appx', 'content', 'data',
                                                     'web', 'splash_screen')
 _SPLASH_SCREEN_FILE = {
+    'cobalt': '',
     'youtube': 'youtube_splash_screen.html',
     'youtubetv': 'ytv_splash_screen.html',
     'mainappbeta': 'youtube_splash_screen.html',
@@ -184,6 +197,7 @@ def Install(self, targets=None):
   @property
   def appx_folder_location(self):
     product_locations = {
+        'cobalt': 'appx',
         'youtube': 'appx',
         'mainappbeta': 'mainappbeta-appx',
         'youtubetv': 'youtubetv-appx'
@@ -229,7 +243,7 @@ def _BuildPackage(self):
     logging.info('Running %s', ' '.join(makeappx_args))
     subprocess.check_call(makeappx_args)
 
-    cert_path = _DEFAULT_CERT_PATH
+    cert_path = _PRODUCT_CERT_PATH[self.product]
 
     try:
       signtool_args = [
@@ -244,3 +258,40 @@ def _BuildPackage(self):
       raise  # Rethrow original error with original stack trace.
 
     return self.appx_location
+
+
+def main():
+  parser = argparse.ArgumentParser()
+  parser.add_argument(
+      '-s',
+      '--source',
+      required=True,
+      help='Source directory from which to create a package.')
+  parser.add_argument(
+      '-o',
+      '--output',
+      default=os.path.join(
+          os.path.dirname(os.path.realpath(__file__)), 'package'),
+      help='Output directory to place the packaged app. Defaults to ./package/')
+  parser.add_argument(
+      '-p',
+      '--product',
+      default='cobalt',
+      help=(
+          'Product name. This must be one of [cobalt, youtube, youtubetv,'
+          'mainappbeta]. Any builds that are not internal to YouTube should use'
+          'cobalt.'))
+  args, _ = parser.parse_known_args()
+
+  if not os.path.exists(args.output):
+    os.makedirs(args.output)
+
+  Package(
+      publisher=None,
+      product=args.product,
+      source_dir=args.source,
+      output_dir=args.output)
+
+
+if __name__ == '__main__':
+  sys.exit(main())