
Support for MSI/EXE Burn Bootstrapper

Open DoCode opened this issue 5 years ago • 4 comments

Stripping the burn engine, signing it, and re-attaching the engine. Is this possible?

DoCode avatar Feb 03 '20 14:02 DoCode

I'm not sure what you're trying to do?

clairernovotny avatar Feb 03 '20 14:02 clairernovotny

Signing the WiX Burn Engine: https://github.com/dotnet/core-sdk/blob/master/src/redist/targets/Signing.targets#L205-L256

<Target Name="SignSdkBundle"
    Condition="'$(SignCoreSdk)' == 'true'"
    DependsOnTargets="SetSignProps">

  <!-- Extract engine from bundle -->
  <Exec Command="$(WixRoot)/insignia.exe -ib $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostBundleEngineName)" />

  <!-- Sign engine-->
  <ItemGroup>
    <EngineFileToSign Include="$(CombinedFrameworkSdkHostBundleEngineName)" />
    <EngineFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostBundleEngineName)'))"
                        CertificateName="$(InternalCertificateId)"/>
  </ItemGroup>
  <Microsoft.DotNet.SignTool.SignToolTask
      DryRun="$(_DryRun)"
      TestSign="$(_TestSign)"
      CertificatesSignInfo="$(CertificatesSignInfo)"
      ItemsToSign="@(EngineFileToSign)"
      StrongNameSignInfo="@(StrongNameSignInfo)"
      FileSignInfo="@(EngineFileSignInfo)"
      FileExtensionSignInfo="@(FileExtensionSignInfo)"
      TempDir="$(ArtifactsTmpDir)"
      LogDir="$(ArtifactsLogDir)"
      MSBuildPath="$(_DesktopMSBuildPath)"
      SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
      MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>

  <!-- Reattach engine to bundle -->
  <Exec Command="$(WixRoot)/insignia.exe -ab $(CombinedFrameworkSdkHostBundleEngineName) $(CombinedFrameworkSdkHostMSIInstallerFile) -o $(CombinedFrameworkSdkHostMSIInstallerFile)" />

  <!-- Sign bundle -->
  <ItemGroup>
    <BundleFileToSign Include="$(CombinedFrameworkSdkHostMSIInstallerFile)" />
    <BundleFileSignInfo Include="$([System.IO.Path]::GetFileName('$(CombinedFrameworkSdkHostMSIInstallerFile)'))"
                        CertificateName="$(InternalCertificateId)"/>
  </ItemGroup>

  <Microsoft.DotNet.SignTool.SignToolTask
      DryRun="$(_DryRun)"
      TestSign="$(_TestSign)"
      CertificatesSignInfo="$(CertificatesSignInfo)"
      ItemsToSign="@(BundleFileToSign)"
      StrongNameSignInfo="@(StrongNameSignInfo)"
      FileSignInfo="@(BundleFileSignInfo)"
      FileExtensionSignInfo="@(FileExtensionSignInfo)"
      TempDir="$(ArtifactsTmpDir)"
      LogDir="$(ArtifactsLogDir)"
      MSBuildPath="$(_DesktopMSBuildPath)"
      SNBinaryPath="$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe"
      MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"/>

</Target>

DoCode avatar Feb 03 '20 14:02 DoCode

If you're using Microsoft.DotNet.SignTool.SignToolTask, then this isn't the right repo for that. Those are for Microsoft's internal signing service and I believe those tasks are part of Arcade (http://github.com/dotnet/arcade)

clairernovotny avatar Feb 03 '20 14:02 clairernovotny

Yes, that's part of Arcade. But when DLLs, EXEs, etc. inside MSIs, nupkgs or EXEs can be signed with SignService, then burn engine signing is also possible with one tool.

DoCode avatar Feb 03 '20 15:02 DoCode