Code sign the contents of the Terminal package #14710
Conversation
DHowett
changed the title
ghost
added
the
Issue-Bug
|
@zadjii-msft gave a ✅ over Teams |
| // Namespaced DLLs | ||
| "Microsoft.Terminal.*.dll", | ||
| "Microsoft.Terminal.*.winmd", | ||
|
|
||
| // ConPTY and DefTerm | ||
| "OpenConsole.exe", | ||
| "OpenConsoleProxy.dll", | ||
|
|
||
| // VCRT Forwarders | ||
| "*_app.dll", | ||
|
|
||
| // Legacy DLLs with old names | ||
| "TerminalApp.dll", | ||
| "TerminalApp.winmd", | ||
| "TerminalConnection.dll", | ||
| "TerminalThemeHelpers.dll", | ||
| "WindowsTerminalShellExt.dll", | ||
|
|
||
| // The rest | ||
| "TerminalAzBridge.exe", | ||
| "wt.exe", | ||
| "WindowsTerminal.exe", | ||
| "elevate-shim.exe" |
There was a problem hiding this comment.
Couldn't we make this something like a catch-all clause with *.exe, *.dll, and *.winmd as the MatchedPaths by putting it after the 3rd party object/section below? That way we won't have to keep track of all these binaries in the future.
There was a problem hiding this comment.
That's a fair question. I don't know if it excludes files that were included in a previous batch. I'd rather not add a rule that signs all EXEs and DLLs for now, but if this becomes burdensome we can revisit it. Thanks :)
ghost
requested review from
DHowett
changed the title
DHowett
deleted the
dev/duhowett/what-if-we-signed-under-the-bleachers
branch
Up until now, we have been relying on the catalog signature produced for our MSIX package. There are some things (Packaged COM, Process Explorer as of 2022) that cannot handle catalog-signed files. It's easier and safer for us to simply sign all the executables we produce before packaging them. Unfortunately, we can't do it before we package them. We have to unpack and re-pack our package. In the future, this will allow us to provide a codesigned distribution that is not in an MSIX package. TEST=Ran a build and checked out the contents of the package. They were all signed! Closes #13294 Closes #12695 Closes #9670 (cherry picked from commit 72be9a9) Service-Card-Id: 87690424 Service-Version: 1.16
|
🎉 Handy links: |
|
🎉 Handy links: |
Up until now, we have been relying on the catalog signature produced for our MSIX package.
There are some things (Packaged COM, Process Explorer as of 2022) that cannot handle catalog-signed
files. It's easier and safer for us to simply sign all the executables we produce before packaging them.
Unfortunately, we can't do it before we package them. We have to unpack and re-pack our package.
In the future, this will allow us to provide a codesigned distribution that is not in an MSIX package.
Validation Steps Performed
Ran a build and checked out the contents of the package. They were all signed!
Closes #13294
Closes #12695
Closes #9670