build/windows: Add (optional) WACK phase to MSIX script
Local certification with WACK is optional and useful to anticipate if
the MSIX will be refused by Partner Center's online certification.
(Just to note: On Windows SDK, certification is not equal to signing.
It's more a checklist process to see if the package is suitable to run.)

To avoid needing the full script to be run with admin rights (which
would be scary) this feature only works with a bunch of requirements:
1. sudo for Windows (so Windows 11 24H2)...
2. enabled in normal (aka inline) mode...
3. in a Windows account in admin group

The 2nd and, especially, the last one are harsh, but this is sudo's design:
microsoft/sudo#108
microsoft/sudo#68
brunvonlope committed Oct 13, 2024
1 parent d28525e commit 299f983
Showing 2 changed files with 72 additions and 6 deletions.
74 changes: 68 additions & 6 deletions build/windows/store/3_dist-gimp-winsdk.ps1
Expand Up @@ -2,6 +2,7 @@

# Parameters
param ($revision = '0',
$wack = 'Non-WACK',
$build_dir = '_build',
$a64_bundle = 'gimp-a64',
$x64_bundle = 'gimp-x64')
Expand Down Expand Up @@ -84,6 +85,13 @@ if ($CI_PIPELINE_SOURCE -ne 'schedule' -and $GIMP_CI_MS_STORE -like 'MSIXUPLOAD_
$revision = $GIMP_CI_MS_STORE -replace 'MSIXUPLOAD_',''
}

## (Special case when using WACK locally)
if ($revision -eq 'WACK')
{
$revision = "0"
$wack = "WACK"
}

if ($revision -ne '0')
{
$revision_text = ", revision: $revision"
Expand Down Expand Up @@ -225,7 +233,7 @@ foreach ($bundle in $supported_archs)
Get-ChildItem "$vfs" -Recurse -Include ("*.debug", "*.tar") | Remove-Item -Recurse


# 4. MAKE .MSIX AND CORRESPONDING .APPXSYM
# 4.A. MAKE .MSIX AND CORRESPONDING .APPXSYM

## Make .appxsym for each msix_arch (ONLY FOR RELEASES)
$APPXSYM = "${IDENTITY_NAME}_${CUSTOM_GIMP_VERSION}_$msix_arch.appxsym"
Expand Down Expand Up @@ -253,7 +261,7 @@ foreach ($bundle in $supported_archs)
} #END of 'foreach ($msix_arch...'


# 5. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD
# 4.B. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD
if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem *.msix -Recurse).Count -gt 1)
{
## Make .msixbundle with all archs
Expand Down Expand Up @@ -287,15 +295,70 @@ if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem *
#https://gitlab.gnome.org/GNOME/gimp/-/issues/11397
}

Remove-Item .gitignore
Rename-Item .gitignore.bak .gitignore


# 5. CERTIFY .MSIX OR .MSIXBUNDLE WITH WACK (OPTIONAL)
# (Partner Center does the same thing before publishing)
if (-not $GITLAB_CI -and $wack -eq 'WACK')
{
## Prepare file naming
## (appcert CLI does NOT allow relative paths)
$fullpath = $PWD
## (appcert CLI does NOT allow more than one dot on xml name)
$xml_artifact = "$MSIX_ARTIFACT" -replace '.msix', '-report.xml' -replace 'bundle', ''

## Generate detailed report
## (appcert only works with admin rights so let's use sudo, which needs:
## - Windows 24H2 build
## - be configured in normal mode: https://github.com/microsoft/sudo/issues/108
## - run in an admin account: https://github.com/microsoft/sudo/discussions/68)
$nt_build = [System.Environment]::OSVersion.Version | Select-Object -ExpandProperty Build
if ($nt_build -lt '26052')
{
Write-Host "(ERROR): Certification from CLI requires 'sudo' (available only for build 10.0.26052.0 and above)" -ForegroundColor Red
exit 1
}
Write-Output "(INFO): certifying $MSIX_ARTIFACT with WACK"
if ("$env:Path" -notlike '*App Certification Kit*')
{
$env:Path = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit;' + $env:Path
}
sudo appcert test -appxpackagepath $fullpath\$MSIX_ARTIFACT -reportoutputpath $fullpath\$xml_artifact

# 5. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) AND DO OTHER STUFF
## Output overall result
if (Test-Path $xml_artifact -Type Leaf)
{
$xmlObject = New-Object XML
$xmlObject.Load("$xml_artifact")
$result = $xmlObject.REPORT.OVERALL_RESULT
if ($result -eq 'FAIL')
{
Write-Host "(ERROR): $MSIX_ARTIFACT not passed. See: $xml_artifact" -ForegroundColor Red
exit 1
}
elseif ($result -eq 'WARNING')
{
Write-Host "(WARNING): $MSIX_ARTIFACT passed partially. See: $xml_artifact" -ForegroundColor Yellow
}
#elseif ($result -eq 'PASS')
#{
# Output nothing
#}
}
}


# 6. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY)
if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($MSIX_ARTIFACT -notlike "*msixupload"))
{
Write-Output "(INFO): signing $MSIX_ARTIFACT (for testing purposes)"
signtool sign /fd sha256 /a /f build\windows\store\pseudo-gimp.pfx /p eek $MSIX_ARTIFACT | Out-File winsdk.log -Append
Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse
}


if ($GITLAB_CI)
{
# GitLab doesn't support wildcards when using "expose_as" so let's move to a dir
Expand All @@ -305,13 +368,12 @@ if ($GITLAB_CI)
{
Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination build\windows\store\_Output
}

# Generate checksums
if ($CI_COMMIT_TAG)
{
Write-Output "(INFO): generating checksums for $MSIX_ARTIFACT"
Get-FileHash build\windows\store\_Output\$MSIX_ARTIFACT -Algorithm SHA256 | Out-File build\windows\store\_Output\$MSIX_ARTIFACT.SHA256SUMS
Get-FileHash build\windows\store\_Output\$MSIX_ARTIFACT -Algorithm SHA512 | Out-File build\windows\store\_Output\$MSIX_ARTIFACT.SHA512SUMS
}
}

Remove-Item .gitignore
Rename-Item .gitignore.bak .gitignore
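Review bot: The overall-result check that follows the `sudo appcert test` line trusts whatever report file happens to be on disk: the exit status of the sudo/appcert invocation is never inspected and a stale `$xml_artifact` from an earlier run is not removed first, so an appcert that fails to launch (sudo not in inline mode, non-admin account, kit missing) leaves the old report in place and the script either reports the previous verdict or falls through silently to the signing step. Add `Remove-Item $xml_artifact -ErrorAction SilentlyContinue` before the `sudo appcert` call, and right after it `if ($LASTEXITCODE -ne 0 -or -not (Test-Path $xml_artifact -Type Leaf)) { Write-Host "(ERROR): appcert did not produce $xml_artifact" -ForegroundColor Red; exit 1 }`. An elevated command whose failure is ignored is worth catching explicitly, since the whole point of this phase is to fail early. Separately, `-replace '.msix'` on the report name is a regex in which the dot matches any character; `'\.msix'` is the intended pattern.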
4 changes: 4 additions & 0 deletions build/windows/store/README.md
Expand Up @@ -20,6 +20,10 @@ Base rule to update the "GIMP (Preview)" entry:
Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will
add the generated .msixupload and on 'Store listings' the brief changelog.

If the .msix* starts to be refused to certification or to signing,
run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it
still complies with the latest Windows policies. Make sure to update WinSDK.

## Versioning the MSIX

* Every new .msixupload submission (with different content) needs a bumped version.
