From 76f740a04097d8ae417f74b6ea163a79b9a37819 Mon Sep 17 00:00:00 2001 From: Bruno Date: Thu, 19 Sep 2024 11:53:32 -0300 Subject: [PATCH] build/windows: Add (optional) WACK phase to MSIX script Local certification with WACK is optional and useful to anticipate if the MSIX will be refused by Partner Center's online certification. (Just to note: On Windows SDK, certification is not equal to signing. It's more a checklist process to see if the package is suitable to run.) To avoid needing the full script to be run with admin rights (which would be scary) this feature only works with a bunch of requirements: 1. sudo for Windows (so Windows 11 24H2)... 2. enabled in normal (aka inline) mode... 3. in a Windows account in admin group The 2nd and, specially, the last one are harsh but this is sudo's design: https://github.com/microsoft/sudo/issues/108 https://github.com/microsoft/sudo/discussions/68 --- build/windows/store/3_dist-gimp-winsdk.ps1 | 74 ++++++++++++++++++++-- build/windows/store/README.md | 4 ++ 2 files changed, 72 insertions(+), 6 deletions(-) diff --git a/build/windows/store/3_dist-gimp-winsdk.ps1 b/build/windows/store/3_dist-gimp-winsdk.ps1 index ff01ea812c3..0d1786449e6 100644 --- a/build/windows/store/3_dist-gimp-winsdk.ps1 +++ b/build/windows/store/3_dist-gimp-winsdk.ps1 @@ -2,6 +2,7 @@ # Parameters param ($revision = '0', + $wack = 'Non-WACK', $build_dir = '_build', $a64_bundle = 'gimp-a64', $x64_bundle = 'gimp-x64') @@ -84,6 +85,13 @@ if ($CI_PIPELINE_SOURCE -ne 'schedule' -and $GIMP_CI_MS_STORE -like 'MSIXUPLOAD_ $revision = $GIMP_CI_MS_STORE -replace 'MSIXUPLOAD_','' } +## (Special case when using WACK locally) +if ($revision -eq 'WACK') + { + $revision = "0" + $wack = "WACK" + } + if ($revision -ne '0') { $revision_text = ", revision: $revision" 
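Review bot: Inserting `$wack = 'Non-WACK'` as the second entry of `param (...)` moves `$build_dir`, `$a64_bundle` and `$x64_bundle` one position to the right. Any caller that passes those positionally would now bind its build directory to `$wack`; no such caller is visible in this patch, so this needs checking against the CI job definitions. Because the documented entry point is the positional `WACK` revision handled by the special case in the following hunk, the new parameter can go last without losing anything: `$x64_bundle = 'gimp-x64', $wack = 'Non-WACK')`.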
@@ -225,7 +233,7 @@ foreach ($bundle in $supported_archs) Get-ChildItem "$vfs" -Recurse -Include ("*.debug", "*.tar") | Remove-Item -Recurse - # 4. MAKE .MSIX AND CORRESPONDING .APPXSYM + # 4.A. MAKE .MSIX AND CORRESPONDING .APPXSYM ## Make .appxsym for each msix_arch (ONLY FOR RELEASES) $APPXSYM = "${IDENTITY_NAME}_${CUSTOM_GIMP_VERSION}_$msix_arch.appxsym" @@ -253,7 +261,7 @@ foreach ($bundle in $supported_archs) } #END of 'foreach ($msix_arch...' -# 5. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD +# 4.B. MAKE .MSIXBUNDLE AND SUBSEQUENT .MSIXUPLOAD if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem *.msix -Recurse).Count -gt 1) { ## Make .msixbundle with all archs 
@@ -287,8 +295,62 @@ if (((Test-Path $a64_bundle) -and (Test-Path $x64_bundle)) -and (Get-ChildItem * #https://gitlab.gnome.org/GNOME/gimp/-/issues/11397 } +Remove-Item .gitignore +Rename-Item .gitignore.bak .gitignore + + +# 5. CERTIFY .MSIX OR .MSIXBUNDLE WITH WACK (OPTIONAL) +# (Partner Center does the same thing before publishing) +if (-not $GITLAB_CI -and $wack -eq 'WACK') + { + ## Prepare file naming + ## (appcert CLI does NOT allow relative paths) + $fullpath = $PWD + ## (appcert CLI does NOT allow more than one dot on xml name) + $xml_artifact = "$MSIX_ARTIFACT" -replace '.msix', '-report.xml' -replace 'bundle', '' + + ## Generate detailed report + ## (appcert only works with admin rights so let's use sudo, which needs: + ## - Windows 24H2 build + ## - be configured in normal mode: https://github.com/microsoft/sudo/issues/108 + ## - run in an admin account: https://github.com/microsoft/sudo/discussions/68) + $nt_build = [System.Environment]::OSVersion.Version | Select-Object -ExpandProperty Build + if ($nt_build -lt '26052') + { + Write-Host "(ERROR): Certification from CLI requires 'sudo' (available only for build 10.0.26052.0 and above)" -ForegroundColor Red + exit 1 + } + Write-Output "(INFO): certifying $MSIX_ARTIFACT with WACK" + if ("$env:Path" -notlike '*App Certification Kit*') + { + $env:Path = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit;' + $env:Path + } + sudo appcert test -appxpackagepath $fullpath\$MSIX_ARTIFACT -reportoutputpath $fullpath\$xml_artifact -# 5. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) AND DO OTHER STUFF + ## Output overall result + if (Test-Path $xml_artifact -Type Leaf) + { + $xmlObject = New-Object XML + $xmlObject.Load("$xml_artifact") + $result = $xmlObject.REPORT.OVERALL_RESULT + if ($result -eq 'FAIL') + { + Write-Host "(ERROR): $MSIX_ARTIFACT not passed. See: $xml_artifact" -ForegroundColor Red + exit 1 + } + elseif ($result -eq 'WARNING') + { + Write-Host "(WARNING): $MSIX_ARTIFACT passed partially. 
See: $xml_artifact" -ForegroundColor Yellow + } + #elseif ($result -eq 'PASS') + #{ + # Output nothing + #} + } + } + + +# 6. SIGN .MSIX OR .MSIXBUNDLE (FOR TESTING ONLY) if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($MSIX_ARTIFACT -notlike "*msixupload")) { Write-Output "(INFO): signing $MSIX_ARTIFACT (for testing purposes)" @@ -296,6 +358,7 @@ if (-not $CI_COMMIT_TAG -and ($GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*') -and ($M Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse } + if ($GITLAB_CI) { # GitLab doesn't support wildcards when using "expose_as" so let's move to a dir @@ -305,6 +368,8 @@ if ($GITLAB_CI) { Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination build\windows\store\_Output } + + # Generate checksums if ($CI_COMMIT_TAG) { Write-Output "(INFO): generating checksums for $MSIX_ARTIFACT" @@ -312,6 +377,3 @@ if ($GITLAB_CI) Get-FileHash build\windows\store\_Output\$MSIX_ARTIFACT -Algorithm SHA512 | Out-File build\windows\store\_Output\$MSIX_ARTIFACT.SHA512SUMS } } - -Remove-Item .gitignore -Rename-Item .gitignore.bak .gitignore diff --git a/build/windows/store/README.md b/build/windows/store/README.md index 949ea5fe0f8..02817c3da1e 100644 --- a/build/windows/store/README.md +++ b/build/windows/store/README.md @@ -20,6 +20,10 @@ Base rule to update the "GIMP (Preview)" entry: Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will add the generated .msixupload and on 'Store listings' the brief changelog. +If the .msix* starts to be refused to certification or to signing, +run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it +still complies with the latest Windows policies. Make sure to update WinSDK. + ## Versioning the MSIX * Every new .msixupload submission (with different content) needs a bumped version.
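Review bot: The new step 5 fails open: if `sudo appcert test ...` produces no report (for example sudo is not enabled in inline mode, elevation is declined, or appcert errors out), `Test-Path $xml_artifact -Type Leaf` is false and the script continues to step 6 with no message, which reads as a pass. Treat a missing report as an error by adding `else { Write-Host "(ERROR): WACK produced no report for $MSIX_ARTIFACT" -ForegroundColor Red; exit 1 }` after the `if (Test-Path ...)` block, and consider deleting any report left by an earlier run before calling appcert, so that a stale result is never parsed. Separately, `appcert` is resolved through `$env:Path` and then run elevated, and the `-notlike '*App Certification Kit*'` test is satisfied by any PATH entry containing that text. Invoking the executable by its full path under `C:\Program Files (x86)\Windows Kits\10\App Certification Kit` would pin exactly which binary receives admin rights.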