Do not use hash verification to install the latest version of WinDbg #1331

Open
Ana06 opened this issue Apr 4, 2025 · 1 comment
Ana06 commented Apr 4, 2025

Details

At the moment we use hash verification to install WinDbg. Because of the unusual version format (1-2402-24001) our automation is not able to update the URL/hash. Consequently, the version/hash have to be updated manually, which means that we currently don't install the latest WinDbg version.

We can use a URL without a version for tools that are signed using VM-Assert-Signature. It uses signtool.exe to verify the tool instead of the hash. We use it for example to install Sysinternals.

But it seems not to be possible to verify https://aka.ms/windbg/download with signtool.exe:

> &"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify /pa  .\windbg.appinstaller
File: .\windbg.appinstaller
Index  Algorithm  Timestamp
========================================
SignTool Error: This file format cannot be verified because it is not
        recognized.

Number of errors: 1

We are using Add-AppxPackage to install the package and I see -AllowUnsigned as a flag. So maybe this means we could skip the verification altogether, but I am not sure. 😕

Does anyone have more information or ideas about how we can install WinDbg without using hash verification (using another type of verification) to ensure we have the latest version installed? @vm-packages @TimMisiak @naacbin @binjo @stevemk14ebr

@Ana06 Ana06 added 😕 needs info Further information is needed 🌀 FLARE-VM A package or feature to be used by FLARE-VM 💎 enhancement It is working, but it could be better ❔ discussion Further discussion is needed labels Apr 4, 2025
Ana06 commented Apr 7, 2025

Interesting idea (from @binjo):

The content of https://aka.ms/windbg/download includes the latest version (and also the .msixbundle URL):

<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/windbg.appinstaller" Version="1.2502.25002.0" xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="Microsoft.WinDbg" Version="1.2502.25002.0" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-2502-25002-0/windbg.msixbundle" />
  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="0"/>
    <AutomaticBackgroundTask/>
    <ForceUpdateFromAnyVersion>true</ForceUpdateFromAnyVersion>
  </UpdateSettings>
</AppInstaller>

So we could add an update_msixbundle_url function and a new UpdateType.MSIXBUNDLE_URL to update_package.py. update_msixbundle_url checks if the download URL contains .msixbundle (using a regexp) and, if so, parses the content of https://aka.ms/<tool_name>/download to get the latest version and updates the URL and the hash in the package. This would update WinDbg and TTD automatically.

@Ana06 Ana06 added this to the FLARE-VM 2025 Q2 milestone Apr 7, 2025
@binjo binjo self-assigned this Apr 7, 2025
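
A sketch of the parsing step proposed in the comment above, as an added example that is not code from the issue or from update_package.py. The function names `parse_appinstaller` and `package_fields` are hypothetical, and the expected host and publisher string are assumptions copied from the XML quoted in the issue.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"ai": "http://schemas.microsoft.com/appx/appinstaller/2018"}
# Assumption: expected values are copied from the XML quoted in the issue.
ALLOWED_HOST = "windbg.download.prss.microsoft.com"
PUBLISHER = ("CN=Microsoft Corporation, O=Microsoft Corporation, "
             "L=Redmond, S=Washington, C=US")

# The quoted .appinstaller content (UpdateSettings omitted), embedded to run offline.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Version="1.2502.25002.0"
  Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-0-0/windbg.appinstaller"
  xmlns="http://schemas.microsoft.com/appx/appinstaller/2018">
  <MainBundle Name="Microsoft.WinDbg" Version="1.2502.25002.0"
    Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    Uri="https://windbg.download.prss.microsoft.com/dbazure/prod/1-2502-25002-0/windbg.msixbundle" />
</AppInstaller>"""


def parse_appinstaller(data: bytes) -> dict:
    """Return the declared version and bundle URL after sanity checks."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declarations are not expected here")
    bundle = ET.fromstring(data).find("ai:MainBundle", NS)
    if bundle is None:
        raise ValueError("no MainBundle element")
    version, url = bundle.get("Version", ""), bundle.get("Uri", "")
    parts = urlparse(url)
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"unexpected version {version!r}")
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError(f"unexpected download location {url!r}")
    # The URL path carries the same version with dashes (1-2502-25002-0).
    dashed = version.replace(".", "-")
    if f"/{dashed}/" not in parts.path or not parts.path.endswith(".msixbundle"):
        raise ValueError("URL path does not match the declared version")
    # Publisher is only a declared string; comparing it is not signature verification.
    if bundle.get("Publisher") != PUBLISHER:
        raise ValueError("unexpected publisher string")
    return {"version": version, "url": url}


def package_fields(appinstaller: bytes, bundle_bytes: bytes) -> dict:
    """Combine the parsed metadata with the SHA-256 of the downloaded bundle."""
    fields = parse_appinstaller(appinstaller)
    fields["sha256"] = hashlib.sha256(bundle_bytes).hexdigest()
    return fields
```

A hash computed this way comes from the same download channel as the bundle, so it pins the artifact seen at update time for later installs rather than independently authenticating it.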