From 6d9452ffa7d002367be1735c474fd3b837fa3064 Mon Sep 17 00:00:00 2001 From: Bruno Date: Thu, 19 Sep 2024 11:53:32 -0300 Subject: [PATCH] build/windows: Add (optional) WACK phase to MSIX script Local certification with WACK is optional and useful to anticipate if the MSIX will be refused by Partner Center's online certification. To avoid needing the full script to be run with admin rights (which would be scary) this feature only works with a bunch of requirements: 1. sudo for Windows (so Windows 11 24H2)... 2. enabled in normal (aka built-in) mode... 3. in a Windows account in admin group The 2nd and, specially, the last one are harsh but this is sudo's design: https://github.com/microsoft/sudo/issues/108 https://github.com/microsoft/sudo/discussions/68 --- build/windows/store/3_dist-gimp-winsdk.ps1 | 81 ++++++++++++++++++++-- 1 file changed, 75 insertions(+), 6 deletions(-) diff --git a/build/windows/store/3_dist-gimp-winsdk.ps1 b/build/windows/store/3_dist-gimp-winsdk.ps1 index ff01ea812c3..83dec44ad0b 100644 --- a/build/windows/store/3_dist-gimp-winsdk.ps1 +++ b/build/windows/store/3_dist-gimp-winsdk.ps1 @@ -2,6 +2,7 @@ # Parameters param ($revision = '0', + $wack = 'Non-WACK', $build_dir = '_build', $a64_bundle = 'gimp-a64', $x64_bundle = 'gimp-x64') @@ -84,6 +85,13 @@ if ($CI_PIPELINE_SOURCE -ne 'schedule' -and $GIMP_CI_MS_STORE -like 'MSIXUPLOAD_ $revision = $GIMP_CI_MS_STORE -replace 'MSIXUPLOAD_','' } +## (Special case when using WACK locally) +if ($revision -eq 'WACK') + { + $revision = "0" + $wack = "WACK" + } + if ($revision -ne '0') { $revision_text = ", revision: $revision" @@ -225,7 +233,7 @@ foreach ($bundle in $supported_archs) Get-ChildItem "$vfs" -Recurse -Include ("*.debug", "*.tar") | Remove-Item -Recurse - # 4. MAKE .MSIX AND CORRESPONDING .APPXSYM + # 4.A. MAKE .MSIX AND CORRESPONDING .APPXSYM ## Make .appxsym for each msix_arch (ONLY FOR RELEASES) $APPXSYM = "${IDENTITY_NAME}_${CUSTOM_GIMP_VERSION}_$msix_arch.appxsym" 
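Review bot: The `'WACK'` value accepted through `$revision` is an undocumented overload of the revision parameter, and the new `$wack` parameter is only ever compared against the exact string `'WACK'`, so any other value silently skips certification. The existing `## (Special case when using WACK locally)` comment above `if ($revision -eq 'WACK')` could say so explicitly, for example `## Passing 'WACK' as the revision requests local certification; the revision is then reset to 0`. A `[switch]$wack` in the `param` block (first hunk) would express the on/off intent more directly, provided no caller outside this patch relies on the string form.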
@@ -253,7 +261,7 @@ foreach ($bundle in $supported_archs) } #END of 'foreach ($msix_arch...' -# 5. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD +# 4.B. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem *.msix -Recurse).Count -gt 1) { ## Make .msixbundle with all archs @@ -287,8 +295,11 @@ if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem * #https://gitlab.gnome.org/GNOME/gimp/-/issues/11397 } +Remove-Item .gitignore +Rename-Item .gitignore.bak .gitignore -# 5. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) AND DO OTHER STUFF + +# 5. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($MSIX_ARTIFACT -notlike "*msixupload")) { Write-Output "(INFO): signing $MSIX_ARTIFACT (for testing purposes)" 
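Review bot: The relocated restore deletes `.gitignore` before it knows a backup exists: if `.gitignore.bak` is missing, `Remove-Item .gitignore` has already run by the time `Rename-Item` fails, and the tracked file is lost. A single guarded move keeps the original in that case: `if (Test-Path .gitignore.bak) { Move-Item .gitignore.bak .gitignore -Force }`. Where the backup is created is outside this hunk, so whether it can be absent at this point should be confirmed.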
@@ -296,6 +307,65 @@ if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($M Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse } + +# 6. CERTIFY .MSIX OR .MSIXBUNDLE WITH WACK (OPTIONAL) +if (-not $GITLAB_CI -and $wack -eq 'WACK') + { + ## Prepare file naming + ## (appcert CLI does NOT allow relative paths) + $fullpath = $PWD + ## (appcert CLI does NOT allow more than one dot on xml name) + if ($MSIX_ARTIFACT -like '*a64*' -and $MSIX_ARTIFACT -notlike '*x64*') + { + $xml_artifact = $MSIX_ARTIFACT -replace '_arm64.msix', '-report.xml' + } + if ($MSIX_ARTIFACT -notlike '*a64*' -and $MSIX_ARTIFACT -like '*x64*') + { + $xml_artifact = $MSIX_ARTIFACT -replace '_x64.msix', '-report.xml' + } + if ($MSIX_ARTIFACT -like '*a64*' -and $MSIX_ARTIFACT -like '*x64*') + { + $xml_artifact = $MSIX_ARTIFACT -replace '_neutral.msixbundle', '-report.xml' + } + + ## Generate detailed report + ## (appcert only works with admin rights) + $nt_build = [System.Environment]::OSVersion.Version | Select-Object -ExpandProperty Build + if ($nt_build -lt '26052') + { + Write-Host "(ERROR): Quick certification requires 'sudo' (available only for build 10.0.26052.0 and above)" -ForegroundColor Red + exit 1 + } + Write-Output "(INFO): certifying $MSIX_ARTIFACT with WACK" + if ("$env:Path" -notlike '*App Certification Kit*') + { + $env:Path = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit;' + $env:Path + } + sudo appcert test -appxpackagepath $fullpath\$MSIX_ARTIFACT -reportoutputpath $fullpath\$xml_artifact + + ## Output overall result + if (Test-Path $xml_artifact -Type Leaf) + { + $xmlObject = New-Object XML + $xmlObject.Load("$xml_artifact") + $result = $xmlObject.REPORT.OVERALL_RESULT + if ($result -eq 'FAIL') + { + Write-Host "(ERROR): $MSIX_ARTIFACT not passed. See: $xml_artifact" -ForegroundColor Red + exit 1 + } + elseif ($result -eq 'WARNING') + { + Write-Host "(WARNING): $MSIX_ARTIFACT passed partially. 
See: $xml_artifact" -ForegroundColor Yellow + } + #elseif ($result -eq 'PASS') + #{ + # Output nothing + #} + } + } + + if ($GITLAB_CI) { # GitLab doesn't support wildcards when using "expose_as" so let's move to a dir @@ -305,6 +375,8 @@ if ($GITLAB_CI) { Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination build\windows\store\_Output } + + # Generate checksums if ($CI_COMMIT_TAG) { Write-Output "(INFO): generating checksums for $MSIX_ARTIFACT" @@ -312,6 +384,3 @@ if ($GITLAB_CI) Get-FileHash build\windows\store\_Output\$MSIX_ARTIFACT -Algorithm SHA512 | Out-File build\windows\store\_Output\$MSIX_ARTIFACT.SHA512SUMS } } - -Remove-Item .gitignore -Rename-Item .gitignore.bak .gitignore
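Review bot: When the elevated `appcert` run produces no report, section 6 falls through silently: all result handling sits inside `if (Test-Path $xml_artifact -Type Leaf)` with no `else`, so a disabled sudo, a declined elevation prompt or an appcert failure ends the script as if certification had passed. A report left in place by an earlier run would presumably also be read as the current result. Separately, `sudo appcert` resolves the executable through `$env:Path` in an elevated context, and the `-notlike '*App Certification Kit*'` test skips the prepend whenever that string appears anywhere in the path, so an earlier user-writable entry could supply a different `appcert`. Calling the kit's executable by its full path and failing when the report is missing closes both gaps, at the cost of assuming the default kit location already hard-coded in the hunk.

```powershell
## … unchanged: report naming and build-number check …
Write-Output "(INFO): certifying $MSIX_ARTIFACT with WACK"
$appcert = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\appcert.exe'
if (-not (Test-Path $appcert -Type Leaf))
  {
    Write-Host "(ERROR): appcert.exe not found at $appcert" -ForegroundColor Red
    exit 1
  }
sudo $appcert test -appxpackagepath "$fullpath\$MSIX_ARTIFACT" -reportoutputpath "$fullpath\$xml_artifact"

## Output overall result
if (-not (Test-Path $xml_artifact -Type Leaf))
  {
    Write-Host "(ERROR): WACK produced no report for $MSIX_ARTIFACT (sudo disabled, elevation declined or appcert failed)" -ForegroundColor Red
    exit 1
  }
$xmlObject = New-Object XML
## … unchanged: report loading and FAIL/WARNING handling …
```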