Sign the MSIX files for the store (PowerShell#12582)

Co-authored-by: Aditya Patwardhan <adityap@microsoft.com>

.vsts-ci/linux.yml

@@ -11,7 +11,6 @@ trigger:
     include:
     - '*'
     exclude:
-    - /tools/releaseBuild/**/*
     - /.vsts-ci/misc-analysis.yml
     - /.github/ISSUE_TEMPLATE/*
     - /.dependabot/config.yml
@@ -25,7 +24,8 @@ pr:
     include:
     - '*'
     exclude:
-    - /tools/releaseBuild/**/*
+    - tools/releaseBuild/*
+    - tools/releaseBuild/azureDevOps/templates/*
     - /.vsts-ci/misc-analysis.yml
     - /.github/ISSUE_TEMPLATE/*
     - /.dependabot/config.yml

.vsts-ci/mac.yml

@@ -25,10 +25,11 @@ pr:
     include:
     - '*'
     exclude:
-    - /tools/releaseBuild/**/*
     - /.vsts-ci/misc-analysis.yml
     - /.github/ISSUE_TEMPLATE/*
     - /.dependabot/config.yml
+    - tools/releaseBuild/*
+    - tools/releaseBuild/azureDevOps/templates/*
 
 variables:
   DOTNET_CLI_TELEMETRY_OPTOUT: 1

.vsts-ci/windows.yml

@@ -27,6 +27,8 @@ pr:
     - /.vsts-ci/misc-analysis.yml
     - /.github/ISSUE_TEMPLATE/*
     - /.dependabot/config.yml
+    - tools/releaseBuild/*
+    - tools/releaseBuild/azureDevOps/templates/*
 
 variables:
   GIT_CONFIG_PARAMETERS: "'core.autocrlf=false'"

assets/AppxManifest.xml

@@ -9,7 +9,7 @@
   xmlns:desktop6="http://schemas.microsoft.com/appx/manifest/desktop/windows10/6"
   xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
 
-  <Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Version="$VERSION$" />
+  <Identity Name="Microsoft.$PRODUCTNAME$" ProcessorArchitecture="$ARCH$" Publisher="$PUBLISHER$" Version="$VERSION$" />
 
   <Properties>
     <DisplayName>$DISPLAYNAME$</DisplayName>

tools/packaging/packaging.psm1

@@ -3183,9 +3183,18 @@ function New-MSIXPackage
 
     Write-Verbose "Version: $productversion" -Verbose
 
+    $isPreview = Test-IsPreview -Version $ProductSemanticVersion
+    if ($isPreview) {
+        Write-Verbose "Using Preview assets" -Verbose
+    }
+
     # Appx manifest needs to be in root of source path, but the embedded version needs to be updated
+    # cp-459155 is 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
+    # authenticodeFormer is 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
+    $releasePublisher = 'CN=Microsoft Windows Store Publisher (Store EKU), O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
+
     $appxManifest = Get-Content "$RepoRoot\assets\AppxManifest.xml" -Raw
-    $appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName)
+    $appxManifest = $appxManifest.Replace('$VERSION$', $ProductVersion).Replace('$ARCH$', $Architecture).Replace('$PRODUCTNAME$', $productName).Replace('$DISPLAYNAME$', $displayName).Replace('$PUBLISHER$', $releasePublisher)
     Set-Content -Path "$ProductSourcePath\AppxManifest.xml" -Value $appxManifest -Force
     # Necessary image assets need to be in source assets folder
     $assets = @(
@@ -3200,11 +3209,6 @@ function New-MSIXPackage
         $null = New-Item -ItemType Directory -Path "$ProductSourcePath\assets"
     }
 
-    $isPreview = Test-IsPreview -Version $ProductSemanticVersion
-    if ($isPreview) {
-        Write-Verbose "Using Preview assets" -Verbose
-    }
-
     $assets | ForEach-Object {
         if ($isPreview) {
             Copy-Item -Path "$RepoRoot\assets\$_-Preview.png" -Destination "$ProductSourcePath\assets\$_.png"

tools/releaseBuild/azureDevOps/templates/upload.yml

@@ -61,5 +61,5 @@ steps:
     azureSubscription: '$(AzureFileCopySubscription)'
     Destination: AzureBlob
     storage: '$(StorageAccount)'
-    ContainerName: '$(AzureVersion)'
+    ContainerName: '$(AzureVersion)-private'
   condition: and(succeeded(), eq('${{ parameters.msix }}', 'yes'), eq(variables['SHOULD_SIGN'], 'true'))

tools/releaseBuild/azureDevOps/templates/windows-package-signing.yml

@@ -38,12 +38,16 @@ jobs:
       $authenticodefiles = @(
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msi"
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msi"
+      )
+
+      $msixFiles = @(
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msix"
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msix"
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm32.msix"
         "$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm64.msix"
       )
-      tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
+
+      tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml" -MsixCertType $env:MSIX_TYPE -MsixFiles $msixFiles
     displayName: 'Generate Package Signing Xml'
 
   - powershell: |

tools/releaseBuild/generatePackgeSigning.ps1

@@ -8,14 +8,18 @@ param(
     [string[]] $NuPkgFiles,
     [string[]] $MacDeveloperFiles,
     [string[]] $LinuxFiles,
-    [string[]] $ThirdPartyFiles
+    [string[]] $ThirdPartyFiles,
+    [string[]] $MsixFiles,
+    [ValidateSet('release','preview')]
+    [string]  $MsixCertType = 'preview'
 )
 
 if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
     (!$AuthenticodeFiles -or $AuthenticodeFiles.Count -eq 0) -and
     (!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and
     (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and
     (!$LinuxFiles -or $LinuxFiles.Count -eq 0) -and
+    (!$MsixFiles -or $MsixFiles.Count -eq 0) -and
     (!$ThirdPartyFiles -or $ThirdPartyFiles.Count -eq 0))
 {
     throw "At least one file must be specified"
@@ -95,6 +99,14 @@ foreach ($file in $ThirdPartyFiles) {
     New-FileElement -File $file -SignType 'ThirdParty' -XmlDoc $signingXml -Job $job
 }
 
+foreach ($file in $MsixFiles) {
+    # 'CP-459155' signs for the store only
+    # AuthenticodeFormer works only for sideloading
+    # ----------------------------------------------
+    # update releasePublisher in packaging.psm1 when this is changed
+    New-FileElement -File $file -SignType 'CP-459155' -XmlDoc $signingXml -Job $job
+}
+
 $signingXml.Save($path)
 $updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1'
 & $updateScriptPath -SigningXmlPath $path

tools/releaseBuild/setReleaseTag.ps1

@@ -58,13 +58,16 @@ function New-BuildInfoJson {
 $branchOnly = $Branch -replace '^refs/heads/';
 $branchOnly = $branchOnly -replace '[_\-]'
 
+$msixType = 'preview'
+
 $isDaily = $false
 
 if($ReleaseTag -eq 'fromBranch' -or !$ReleaseTag)
 {
     # Branch is named release-<semver>
     if($Branch -match '^.*(release[-/])')
     {
+        $msixType = 'release'
         Write-Verbose "release branch:" -Verbose
         $releaseTag = $Branch -replace '^.*(release[-/])'
         $vstsCommandString = "vso[task.setvariable variable=$Variable]$releaseTag"
@@ -127,4 +130,8 @@ $vstsCommandString = "vso[task.setvariable variable=IS_DAILY]$($isDaily.ToString
 Write-Verbose -Message "$vstsCommandString" -Verbose
 Write-Host -Object "##$vstsCommandString"
 
+$vstsCommandString = "vso[task.setvariable variable=MSIX_TYPE]$msixType"
+Write-Verbose -Message "$vstsCommandString" -Verbose
+Write-Host -Object "##$vstsCommandString"
+
 Write-Output $releaseTag