Support wixpack signing in Sign.proj #9721
Conversation
Wixpacks were implemented for post-build signing to allow us to sign MSIs and bundles after the build was done. They are a separate zip file that contains the files necessary to reconstruct an installer. Prior to post-build signing, repositories producing installers typically signed the files going into the installer, then created the installer, then signed it. Potentially there were other stages for nested installers, dealing with bundles, etc. There is a push to add back in-build signing. The in-build staged installer creation/signing steps have been removed from some repos. Rather than add these back, it makes more sense to enable signing installer as part of the normal signing process, which happens just before the publish stage of the build. Here the files to be signed are analyzed, unpacked, signed, and repacked. To do this, we need a tweak to Arcade to send the path to the wix tooling to the sign task. If a repo produces no installers or wixpacks, this tooling will be unused. While doing this, I also unified some of the wix tooling packages in use to use the same version of the package.
|
See https://dev.azure.com/dnceng/internal/_build/results?buildId=1831326&view=logs&j=09811346-8274-5b72-2d96-1dd38f87c84b&t=484aa08d-83e1-520a-76ed-fc8b43244d09&l=469 for an installer build where this was used. |
There was a problem hiding this comment.
Also plans to update the WixTools part of the SharedFramework SDK which is also outdated (can could benefit from using $(MicrosoftSignedWixVersion).
I would love to update it myself, but since this PR would make it needless I think it should be updated here as well.
missymessa
left a comment
missymessa
left a comment
There was a problem hiding this comment.
Looks like the build of this broke, but after that's fixed...
LGTM
Co-authored-by: AraHaan <[email protected]>
Co-authored-by: AraHaan <[email protected]>
@AraHaan Do you have the 1.0.0-v3.14.0.6526 package around? It's not available. |
|
@mmitche the WiX package we use is an internal build that is signed with additional certificates. It's currently produced from an internal pipeline. |
4 participants
Wixpacks were implemented for post-build signing to allow us to sign MSIs and bundles after the build was done. They are a separate zip file that contains the files necessary to reconstruct an installer. Prior to post-build signing, repositories producing installers typically signed the files going into the installer, then created the installer, then signed it. Potentially there were other stages for nested installers, dealing with bundles, etc.
There is a push to add back in-build signing. The in-build staged installer creation/signing steps have been removed from some repos. Rather than add these back, it makes more sense to enable signing installer as part of the normal signing process, which happens just before the publish stage of the build. Here the files to be signed are analyzed, unpacked, signed, and repacked.
To do this, we need a tweak to Arcade to send the path to the wix tooling to the sign task. If a repo produces no installers or wixpacks, this tooling will be unused.
While doing this, I also unified some of the wix tooling packages in use to use the same version of the package.
To double check: