eng: Remove PFXs from codebase (#2219)

tian-lt · web-flow · commit b30ece5c03ba · 2024-08-13T09:52:35.000+08:00
* Squashed commit of the following: commit a7d4033 Author: Tian Liao <tilia@microsoft.com> Date: Mon Aug 12 16:58:30 2024 +0800 remove pfx from ignore list commit 26ffa46 Author: Tian Liao <tilia@microsoft.com> Date: Mon Aug 12 16:58:07 2024 +0800 Remove PFXs * fix yaml * fix gh action * fix gh action
diff --git a/.config/CredScanSuppressions.json b/.config/CredScanSuppressions.json
diff --git a/.github/workflows/action-ci.yml b/.github/workflows/action-ci.yml
@@ -91,6 +91,10 @@ jobs:
       with:
         name: Build-${{ matrix.platform }}
         path: ${{ github.workspace }}/output
+    - uses: actions/upload-artifact@v4
+      with:
+        name: Tools-${{ matrix.platform }}
+        path: ${{ github.workspace }}/build/scripts/SignTestApp.ps1
 
   unitTests:
     needs: [defineBuilds, build]
@@ -107,10 +111,13 @@ jobs:
       with:
         name: Build-${{ matrix.platform }}
         path: ${{ github.workspace }}/download
+    - uses: actions/download-artifact@v4
+      name: Download tools
+      with:
+        name: Tools-${{ matrix.platform }}
+        path: ${{ github.workspace }}/download/tools
     - run: |
-        ${{ env.testDir }}/Add-AppDevPackage.ps1 `
-          -CertificatePath ${{ env.testDir }}/CalculatorUnitTests.cer `
-          -Force
+        ${{ github.workspace }}/download/tools/SignTestApp.ps1 -AppToSign ${{ env.testDir }}/CalculatorUnitTests.msix
       shell: pwsh
       name: Install test certificate
     - uses: ilammy/msvc-dev-cmd@v1  # this is a workaround because microsoft/vstest-action is broken.
@@ -131,16 +138,18 @@ jobs:
       with:
         name: Build-x64
         path: ${{ github.workspace }}/download
+    - uses: actions/download-artifact@v4
+      name: Download tools
+      with:
+        name: Tools-x64
+        path: ${{ github.workspace }}/download/tools
     - run: |
         Set-DisplayResolution -Width 1920 -Height 1080 -Force
       shell: pwsh
       name: Set screen resolution
     - run: |
-        ${{ env.appDir }}/Add-AppDevPackage.ps1 `
-          -CertificatePath ${{ env.appDir }}/Calculator*.cer `
-          -Force
-        ${{ env.appDir }}/Add-AppDevPackage.ps1 `
-          -Force
+        ${{ github.workspace }}/download/tools/SignTestApp.ps1 -AppToSign '${{ env.appDir }}/Calculator_*.msixbundle'
+        ${{ env.appDir }}/Add-AppDevPackage.ps1 -Force
       shell: powershell
       name: Install app
     - run: |
diff --git a/.gitignore b/.gitignore
@@ -200,7 +200,6 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
 *.publishsettings
 orleans.codegen.cs
 
@@ -294,8 +293,6 @@ __pycache__/
 Generated Files/
 src/GraphControl/GraphingImplOverrides.props
 src/CalcViewModel/DataLoaders/DataLoaderConstants.h
-!src/Calculator/WindowsDev_TemporaryKey.pfx
-!src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx
 !src/x64
 !src/x86
 !src/out
diff --git a/build/pipelines/templates/run-ui-tests.yaml b/build/pipelines/templates/run-ui-tests.yaml
@@ -42,17 +42,10 @@ jobs:
       Calculator/AppPackages/**
       publish/**
 
-  - task: PowerShell@2
-    displayName: Install certificate
-    inputs:
-      filePath: $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Add-AppDevPackage.ps1
-      arguments: -CertificatePath $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Calculator_$(Build.BuildNumber)_${{ parameters.platform }}.cer -Force
-
-  - task: PowerShell@2
+  - powershell: |
+      $(Build.SourcesDirectory)/build/scripts/SignTestApp.ps1 -AppToSign '$(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_*_Test/Calculator_*.msixbundle'
+      $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_*_Test/Add-AppDevPackage.ps1 -Force
     displayName: Install app
-    inputs:
-      filePath: $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Add-AppDevPackage.ps1
-      arguments: -Force
 
   - task: VSTest@2
     displayName: Run CalculatorUITests
diff --git a/build/pipelines/templates/run-unit-tests.yaml b/build/pipelines/templates/run-unit-tests.yaml
@@ -13,18 +13,17 @@ jobs:
     skipComponentGovernanceDetection: true
     UnitTestsDir: $(Pipeline.Workspace)\drop-${{ parameters.platform }}\CalculatorUnitTests\AppPackages\CalculatorUnitTests_Test
   steps:
-  - checkout: none
+  - checkout: self
+    fetchDepth: 1
   
   - download: current
     displayName: Download CalculatorUnitTests
     artifact: drop-${{ parameters.platform }}
     patterns: '**/CalculatorUnitTests_Test/**'
 
-  - task: PowerShell@2
-    displayName: Install Certificate
-    inputs:
-      filePath: $(UnitTestsDir)\Add-AppDevPackage.ps1
-      arguments: -CertificatePath $(UnitTestsDir)\CalculatorUnitTests.cer -Force
+  - powershell: |
+      $(Build.SourcesDirectory)/build/scripts/SignTestApp.ps1 -AppToSign '$(UnitTestsDir)\CalculatorUnitTests.msix'
+    displayName: Sign unit tests
 
   - task: VSTest@2
     displayName: Run CalculatorUnitTests
diff --git a/build/scripts/SignTestApp.ps1 b/build/scripts/SignTestApp.ps1
@@ -0,0 +1,33 @@
+#requires -RunAsAdministrator
+param(
+    [Parameter(Position = 0, Mandatory = $true)][string]$AppToSign,
+    [string]$SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\10.*\x64\signtool.exe"
+)
+
+$AppToSign = (Resolve-Path -Path $AppToSign)[-1]
+Write-Host "AppToSign: $AppToSign"
+$SignTool = (Resolve-Path -Path $SignTool)[-1]
+Write-Host "SignTool: $SignTool"
+if ((Test-Path -Path $SignTool -PathType Leaf) -ne $true) {
+    Write-Error "signtool is not found with the given argument: $SignTool" -ErrorAction Stop
+}
+
+$codeSignOid = New-Object -TypeName "System.Security.Cryptography.Oid" -ArgumentList @("1.3.6.1.5.5.7.3.3")
+$oidColl = New-Object -TypeName "System.Security.Cryptography.OidCollection"
+$oidColl.Add($codeSignOid) > $null
+$publisher = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+$certReq = New-Object -TypeName "System.Security.Cryptography.X509Certificates.CertificateRequest" `
+    -ArgumentList @($publisher, ([System.Security.Cryptography.ECDsa]::Create()), "SHA256") 
+$certReq.CertificateExtensions.Add((New-Object -TypeName "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension" `
+            -ArgumentList @($oidColl, $false)))
+$now = Get-Date
+$cert = $certReq.CreateSelfSigned($now, $now.AddHours(1))
+
+$pfxFile = "$($env:TEMP)\$(New-Guid).pfx"
+[System.IO.File]::WriteAllBytes($pfxFile, $cert.Export("Pfx"))
+Write-Host "Exported PFX: $pfxFile"
+
+& $SignTool sign /fd SHA256 /a /f $pfxFile $AppToSign
+Write-Host "Certificate Thumbprint: $($cert.Thumbprint.ToLower())"
+
+Import-PfxCertificate -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' -FilePath $pfxFile > $null
diff --git a/src/Calculator/Calculator.csproj b/src/Calculator/Calculator.csproj
@@ -24,8 +24,7 @@
     <FileAlignment>512</FileAlignment>
     <ProjectTypeGuids>{A5A43C5B-DE2A-4C0C-9213-0A381AF9435A};{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
     <WindowsXamlEnableOverview>true</WindowsXamlEnableOverview>
-    <AppxPackageSigningEnabled>True</AppxPackageSigningEnabled>
-    <PackageCertificateKeyFile>WindowsDev_TemporaryKey.pfx</PackageCertificateKeyFile>
+    <AppxPackageSigningEnabled>False</AppxPackageSigningEnabled>
     <AppxSymbolPackageEnabled>False</AppxSymbolPackageEnabled>
     <AppxBundle>Always</AppxBundle>
     <GenerateProjectSpecificOutputFolder>true</GenerateProjectSpecificOutputFolder>
@@ -817,7 +816,6 @@
   </ItemGroup>
   <ItemGroup>
     <Content Include="Assets\CalculatorIcons.ttf" />
-    <None Include="WindowsDev_TemporaryKey.pfx" />
   </ItemGroup>
   <PropertyGroup Condition=" '$(VisualStudioVersion)' == '' or '$(VisualStudioVersion)' &lt; '14.0' ">
     <VisualStudioVersion>14.0</VisualStudioVersion>
diff --git a/src/Calculator/WindowsDev_TemporaryKey.pfx b/src/Calculator/WindowsDev_TemporaryKey.pfx
diff --git a/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj b/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj
@@ -16,7 +16,6 @@
     <!-- We want to automatic replace of MinVersion/MaxVersionTested for unit tests. -->
     <AppxOSMinVersionReplaceManifestVersion>true</AppxOSMinVersionReplaceManifestVersion>
     <AppxOSMaxVersionTestedReplaceManifestVersion>true</AppxOSMaxVersionTestedReplaceManifestVersion>
-    <PackageCertificateKeyFile>WindowsDev_TemporaryKey.pfx</PackageCertificateKeyFile>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <ItemGroup Label="ProjectConfigurations">
@@ -289,9 +288,6 @@
       <Project>{cc9b4fa7-d746-4f52-9401-0ad1b4d6b16d}</Project>
     </ProjectReference>
   </ItemGroup>
-  <ItemGroup>
-    <None Include="WindowsDev_TemporaryKey.pfx" />
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
diff --git a/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj.filters b/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj.filters
@@ -79,7 +79,4 @@
       <UniqueIdentifier>{d3ec8922-022d-4531-8744-f65a872f3841}</UniqueIdentifier>
     </Filter>
   </ItemGroup>
-  <ItemGroup>
-    <None Include="WindowsDev_TemporaryKey.pfx" />
-  </ItemGroup>
 </Project>
diff --git a/src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx b/src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx
