#279 Fix Windows signing

Ensure MicroBuild signing runs correctly by using classic MSBuild, and split the Windows installer/sign build step into phases to facilitate the jumping between .NET Core MSBuild and Framework MSBuild. Also correct a few issues with Mac signing.
microsoft · Jan 8, 2020 · 03e757d · 03e757d
2 parents b8a5df0 + 464671b
commit 03e757d
Show file tree

Hide file tree

Showing 10 changed files with 93 additions and 20 deletions.
diff --git a/.azure-pipelines/pull-request.yml b/.azure-pipelines/pull-request.yml
@@ -24,7 +24,7 @@ jobs:
       - powershell: Scripts/CI/Set-Version.ps1 -SourceBranchCounter $(branchCounter)
         displayName: "Compute product version"
       - template: templates/win/build-and-unit-test.yml
-      - template: templates/win/pack.yml
+      - template: templates/win/pack.unsigned.yml
 
   - job: osx_build
     displayName: macOS Build and Unit Test

diff --git a/.azure-pipelines/release.yml b/.azure-pipelines/release.yml
@@ -24,7 +24,7 @@ jobs:
       - powershell: Scripts/CI/Set-Version.ps1 -SourceBranchCounter $(branchCounter)
         displayName: "Compute product version"
       - template: templates/win/build-and-unit-test.yml
-      - template: templates/win/pack.yml
+      - template: templates/win/pack.signed.yml
 
   - job: osx_build_step1
     displayName: macOS Build and Unit Test

diff --git a/.azure-pipelines/templates/osx/pack.signed/step5-dist.yml b/.azure-pipelines/templates/osx/pack.signed/step5-dist.yml
@@ -5,7 +5,7 @@ steps:
       artifact: _osx_installer_signed
       path: $(Build.ArtifactStagingDirectory)/package
 
-  - script: Scalar.Signing/notarize-pkg.sh -id "$(Apple.Account.Id)" -p "$(Apple.Account.Password)" -pkg "$(Build.ArtifactStagingDirectory)"/package/*.pkg -b "com.microsoft.scalar.pkg"
+  - script: Scalar.Signing/notarize-pkg.sh -id "$(Apple.Notarization.AppleId)" -p "$(Apple.Notarization.Password)" -pkg "$(Build.ArtifactStagingDirectory)"/package/*.pkg -b "com.microsoft.scalar.pkg"
     displayName: Notarize installer (and containing bundles & binaries)
     condition: and(succeeded(), eq(variables['SignType'], 'real'))
 

diff --git a/.azure-pipelines/templates/win/pack.signed.yml b/.azure-pipelines/templates/win/pack.signed.yml
@@ -0,0 +1,67 @@
+steps:
+  # Must use the NuGet & MSBuild toolchain here rather than `dotnet`
+  # because the signing tasks target the netfx MSBuild runtime only.
+  - task: NuGetCommand@2
+    displayName: Restore MicroBuild packages
+    inputs:
+      command: restore
+      restoreSolution: 'Scalar.Signing\Scalar.SignFiles.Windows.csproj'
+
+  - task: NuGetCommand@2
+    displayName: Restore MicroBuild packages
+    inputs:
+      command: restore
+      restoreSolution: 'Scalar.Signing\Scalar.SignInstaller.Windows.csproj'
+
+  - task: MSBuild@1
+    displayName: Collect payload files
+    inputs:
+      solution: 'Scalar.Installer.Windows\Scalar.Installer.Windows.csproj'
+      msbuildArguments: '/t:BuildInstallerPhase1 /p:LayoutPath="$(Build.ArtifactStagingDirectory)\signpayload"'
+
+  - task: MSBuild@1
+    displayName: Sign payload
+    inputs:
+      solution: 'Scalar.Signing\Scalar.SignFiles.Windows.csproj'
+      msbuildArguments: '/p:RootDir="$(Build.ArtifactStagingDirectory)\signpayload"'
+
+  - task: MSBuild@1
+    displayName: Build installer
+    inputs:
+      solution: 'Scalar.Installer.Windows\Scalar.Installer.Windows.csproj'
+      msbuildArguments: '/t:BuildInstallerPhase2 /p:LayoutPath="$(Build.ArtifactStagingDirectory)\signpayload" /p:InstallerOutputPath="$(Build.ArtifactStagingDirectory)\signinstaller" /p:ScalarVersion=$(majorAndMinorVersion).$(revision)'
+
+  - task: MSBuild@1
+    displayName: Sign installer
+    inputs:
+      solution: 'Scalar.Signing\Scalar.SignInstaller.Windows.csproj'
+      msbuildArguments: '/p:RootDir="$(Build.ArtifactStagingDirectory)\signinstaller"'
+
+  - script: rmdir /s /q ..\out\Scalar.Installer.Windows\dist
+    displayName: Clean distribution output directory
+
+  - task: MSBuild@1
+    displayName: Create distribution
+    inputs:
+      solution: 'Scalar.Installer.Windows\Scalar.Installer.Windows.csproj'
+      msbuildArguments: '/t:BuildInstallerPhase3 /p:InstallerOutputPath="$(Build.ArtifactStagingDirectory)\signinstaller"'
+
+  - script: Scripts\CI\CreateFTDrop.bat $(configuration) $(Build.ArtifactStagingDirectory)\Tests
+    displayName: Create functional tests drop
+
+  - task: PublishPipelineArtifact@1
+    displayName: Publish functional tests drop
+    inputs:
+      targetPath: $(Build.ArtifactStagingDirectory)\Tests\
+      artifactName: "FunctionalTests_Windows_$(configuration)"
+    condition: succeeded()
+
+  - script: Scripts\CI\CreateInstallerDrop.bat $(configuration) $(Build.ArtifactStagingDirectory)\Installers
+    displayName: Create distribution drop
+
+  - task: PublishPipelineArtifact@1
+    displayName: Publish distribution drop
+    inputs:
+      targetPath: $(Build.ArtifactStagingDirectory)\Installers\
+      artifactName: "Installers_Windows_$(configuration)"
+    condition: succeeded()
diff --git a/.azure-pipelines/templates/win/pack.yml → ...pipelines/templates/win/pack.unsigned.yml b/.azure-pipelines/templates/win/pack.yml → ...pipelines/templates/win/pack.unsigned.yml
diff --git a/Scalar.Installer.Windows/Scalar.Installer.Windows.csproj b/Scalar.Installer.Windows/Scalar.Installer.Windows.csproj
@@ -3,9 +3,9 @@
   <PropertyGroup>
     <TargetFramework>netcoreapp3.0</TargetFramework>
     <RuntimeIdentifier>win-x64</RuntimeIdentifier>
-    <LayoutPath>$(ProjectOutPath)layout\$(Configuration)\</LayoutPath>
-    <InstallerOutputPath>$(ProjectOutPath)installer\$(Configuration)\</InstallerOutputPath>
-    <DistributionOutputPath>$(ProjectOutPath)dist\$(Configuration)\</DistributionOutputPath>
+    <LayoutPath Condition="'$(LayoutPath)' == ''">$(ProjectOutPath)layout\$(Configuration)\</LayoutPath>
+    <InstallerOutputPath Condition="'$(InstallerOutputPath)' == ''">$(ProjectOutPath)installer\$(Configuration)\</InstallerOutputPath>
+    <DistributionOutputPath Condition="'$(DistributionOutputPath)' == ''">$(ProjectOutPath)dist\$(Configuration)\</DistributionOutputPath>
   </PropertyGroup>
 
   <ItemDefinitionGroup>
@@ -24,8 +24,19 @@
     <PackageReference Include="Tools.InnoSetup" />
   </ItemGroup>
 
+  <PropertyGroup>
+    <BuildInstallerDependsOn>
+      BuildInstallerPhase1;
+      BuildInstallerPhase2;
+      BuildInstallerPhase3;
+    </BuildInstallerDependsOn>
+  </PropertyGroup>
+
   <!-- Only create the installer when running on Windows -->
-  <Target Name="BuildInstaller" AfterTargets="Publish" Condition="'$(OSPlatform)' == 'windows'" >
+  <Target Name="BuildInstaller" AfterTargets="Publish" DependsOnTargets="$(BuildInstallerDependsOn)" Condition="'$(OSPlatform)' == 'windows'" >
+  </Target>
+
+  <Target Name="BuildInstallerPhase1" Condition="'$(OSPlatform)' == 'windows'" >
     <!-- Ensure all projects have been published with the correct runtime identifier and configuration -->
     <MSBuild Projects="@(ProjectReference)"
              Targets="Publish"
@@ -45,23 +56,17 @@
           DestinationFolder="$(LayoutPath)\%(RecursiveDir)"
           SkipUnchangedFiles="true"
           OverwriteReadOnlyFiles="true"/>
+  </Target>
 
-    <!-- Sign the layout files -->
-    <MSBuild Projects="$(MSBuildThisProjectDirectory)..\Scalar.Signing\Scalar.SignFiles.Windows.csproj"
-             Targets="Restore;Build"
-             Properties="RootDir=$(LayoutPath);" />
-
+  <Target Name="BuildInstallerPhase2" Condition="'$(OSPlatform)' == 'windows'" >
     <!-- Run the Inno setup tool to build the installer -->
     <Exec Command="$(PkgTools_InnoSetup)\tools\ISCC.exe /DLayoutPath=$(LayoutPath) /DScalarVersion=$(ScalarVersion) Setup.iss /O$(InstallerOutputPath)"/>
+  </Target>
 
-    <!-- Sign the installer file -->
-    <MSBuild Projects="$(MSBuildThisProjectDirectory)..\Scalar.Signing\Scalar.SignInstaller.Windows.csproj"
-             Targets="Restore;Build"
-             Properties="RootDir=$(InstallerOutputPath);" />
-
+  <Target Name="BuildInstallerPhase3" Condition="'$(OSPlatform)' == 'windows'" >
     <!-- Build the distribution script -->
     <ItemGroup>
-      <ScalarPackage Include="$(InstallerOutputPath)*.exe" LinkBase="Scalar" />
+      <ScalarPackage Include="$(InstallerOutputPath)\*.exe" LinkBase="Scalar" />
       <GitPackage    Include="$(PkgGitForWindows_GVFS_Installer)\tools\*.exe" LinkBase="Git" />
     </ItemGroup>
     <Copy SourceFiles="@(ScalarPackage);@(GitPackage)"

diff --git a/Scalar.Signing/Scalar.SignFiles.Mac.csproj b/Scalar.Signing/Scalar.SignFiles.Mac.csproj
@@ -5,6 +5,7 @@
     <IsSigningProject>true</IsSigningProject>
     <!-- MicroBuild hack: override OutDir to make all files we want to sign under it. -->
     <OutDir>$(RootDir)</OutDir>
+    <MacFilesTarget>$(OutDir)\macho\</MacFilesTarget>
   </PropertyGroup>
 
   <ItemGroup>

diff --git a/Scalar.Signing/Scalar.SignInstaller.Windows.csproj b/Scalar.Signing/Scalar.SignInstaller.Windows.csproj
@@ -8,7 +8,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <FilesToSign Include="$(OutDir)\Scalar*.exe;" />
+    <FilesToSign Include="$(OutDir)\*.exe;" />
   </ItemGroup>
 
 </Project>
diff --git a/Scalar.Signing/Scalar.SignPackage.Mac.csproj b/Scalar.Signing/Scalar.SignPackage.Mac.csproj
@@ -5,6 +5,7 @@
     <IsSigningProject>true</IsSigningProject>
     <!-- MicroBuild hack: override OutDir to make all files we want to sign under it. -->
     <OutDir>$(RootDir)</OutDir>
+    <MacFilesTarget>$(OutDir)\</MacFilesTarget>
   </PropertyGroup>
 
   <ItemGroup>

diff --git a/Signing.targets b/Signing.targets
@@ -1,6 +1,5 @@
 <Project>
   <PropertyGroup>
-    <MacFilesTarget>$(ProjectOutPath)\osxsign\$(Configuration)</MacFilesTarget>
     <IsSigningProject Condition="'$(IsSigningProject)' == ''">false</IsSigningProject>
   </PropertyGroup>