Mirrors/velopack
1
0
Fork 0
mirror of https://github.com/velopack/velopack.git synced 2025-10-25 15:19:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Sign tool update

Browse Source 
WIP writing tests for Azure Code Signing

Fix issue to make sure we sign at least one file at a time

"Working" test with manually providing dependencies

Work on download dependencies.

Revert signtool.exe change
This commit is contained in:
Kevin Bost
2024-11-02 15:13:37 -07:00
committed by Caelan
parent 4eb319efc6
commit 3c61874cef
16 changed files with 181 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/lib-csharp/NuGet/ZipPackage.cs
View File

@@ -9,7 +9,7 @@ namespace Velopack.NuGet
{
public class ZipPackage : PackageManifest
{
public IEnumerable<ZipPackageFile> Files { get; private set; } = Enumerable.Empty<ZipPackageFile>();
public IEnumerable<ZipPackageFile> Files { get; }
public byte[]? UpdateExeBytes { get; private set; }

2
src/vpk/Velopack.Build/PackTask.cs
View File

@@ -80,7 +80,7 @@ public class PackTask : MSBuildAsyncTask
public bool SkipVelopackAppCheck { get; set; }
public string? SignParameters { get; set; }
public string? AzTrustedSign { get; set; }
public string? AzureTrustedSignFile { get; set; }
public bool SignSkipDll { get; set; }

4
src/vpk/Velopack.Packaging.Windows/CodeSign.cs
View File

@@ -70,8 +70,8 @@ public class CodeSign
}
do {
List<string> filesToSign = new List<string>();
for (int i = Math.Min(pendingSign.Count, parallelism); i > 0; i--) {
List<string> filesToSign = [];
for (int i = Math.Max(1, Math.Min(pendingSign.Count, parallelism)); i > 0; i--) {
filesToSign.Add(pendingSign.Dequeue());
}

72
src/vpk/Velopack.Packaging.Windows/Commands/WindowsPackCommandRunner.cs
View File

@@ -1,8 +1,11 @@
using Microsoft.Extensions.Logging;
using System.IO.Compression;
using System.Runtime.Versioning;
using Microsoft.Extensions.Logging;
using Velopack.Compression;
using Velopack.NuGet;
using Velopack.Packaging.Abstractions;
using Velopack.Packaging.Exceptions;
using Velopack.Packaging.NuGet;
using Velopack.Util;
using Velopack.Windows;
@@ -15,15 +18,14 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
{
}
protected override Task CodeSign(Action<int> progress, string packDir)
protected override async Task CodeSign(Action<int> progress, string packDir)
{
var filesToSign = new DirectoryInfo(packDir).GetAllFilesRecursively()
.Where(x => Options.SignSkipDll ? PathUtil.PathPartEndsWith(x.Name, ".exe") : PathUtil.FileIsLikelyPEImage(x.Name))
.Select(x => x.FullName)
.ToArray();
SignFilesImpl(Options, progress, filesToSign);
return Task.CompletedTask;
await SignFilesImpl(Options, progress, filesToSign);
}
protected override Task<string> PreprocessPackDir(Action<int> progress, string packDir)
@@ -144,7 +146,7 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
"net481",
};
List<string> validated = new();
List<string> validated = [];
foreach (var str in providedRuntimes) {
if (valid.Contains(str)) {
@@ -171,7 +173,7 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
return String.Join(",", validated);
}
protected override Task CreateSetupPackage(Action<int> progress, string releasePkg, string packDir, string targetSetupExe)
protected override async Task CreateSetupPackage(Action<int> progress, string releasePkg, string packDir, string targetSetupExe)
{
var bundledZip = new ZipPackage(releasePkg);
IoUtil.Retry(() => File.Copy(HelperFile.SetupPath, targetSetupExe, true));
@@ -189,10 +191,9 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
SetupBundle.CreatePackageBundle(targetSetupExe, releasePkg);
progress(50);
Log.Debug("Signing Setup bundle");
SignFilesImpl(Options, CoreUtil.CreateProgressDelegate(progress, 50, 100), targetSetupExe);
await SignFilesImpl(Options, CoreUtil.CreateProgressDelegate(progress, 50, 100), targetSetupExe);
Log.Debug($"Setup bundle created '{Path.GetFileName(targetSetupExe)}'.");
progress(100);
return Task.CompletedTask;
}
protected override async Task CreatePortablePackage(Action<int> progress, string packDir, string outputPath)
@@ -242,12 +243,12 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
}
}
private void SignFilesImpl(WindowsSigningOptions options, Action<int> progress, params string[] filePaths)
private async Task SignFilesImpl(WindowsSigningOptions options, Action<int> progress, params string[] filePaths)
{
var signParams = options.SignParameters;
var signTemplate = options.SignTemplate;
var signParallel = options.SignParallel;
var trustedSignMetadataPath = options.AzTrustedSign;
var trustedSignMetadataPath = options.AzureTrustedSignFile;
var helper = new CodeSign(Log);
if (string.IsNullOrEmpty(signParams) && string.IsNullOrEmpty(signTemplate) && string.IsNullOrEmpty(trustedSignMetadataPath)) {
@@ -262,21 +263,60 @@ public class WindowsPackCommandRunner : PackageBuilder<WindowsPackOptions>
// signtool.exe does not work if we're not on windows.
if (!VelopackRuntimeInfo.IsWindows) return;
if(!string.IsNullOrEmpty(trustedSignMetadataPath)) {
if (!string.IsNullOrEmpty(trustedSignMetadataPath)) {
Log.Info($"Use Azure Trusted Signing service for code signing. Metadata file path: {trustedSignMetadataPath}");
signParams = $"/fd SHA256 /tr \"http://timestamp.acs.microsoft.com\" /v /debug /td SHA256 /dlib \"{HelperFile.AzTrustedSigningDlibPath}\" /dmdf \"{trustedSignMetadataPath}\"";
string dlibPath = await GetDlibPath(CancellationToken.None);
signParams = $"/fd SHA256 /tr \"http://timestamp.acs.microsoft.com\" /v /debug /td SHA256 /dlib \"{dlibPath}\" /dmdf \"{trustedSignMetadataPath}\"";
helper.Sign(filePaths, signParams, signParallel, progress, false);
}
else if (!string.IsNullOrEmpty(signParams)) {
} else if (!string.IsNullOrEmpty(signParams)) {
helper.Sign(filePaths, signParams, signParallel, progress, false);
}
}
[SupportedOSPlatform("windows")]
private async Task<string> GetDlibPath(CancellationToken cancellationToken)
{
// DLib library is required for Azure Trusted Signing. It must be in the same directory as SignTool.exe.
// https://learn.microsoft.com/azure/trusted-signing/how-to-signing-integrations#download-and-install-the-trusted-signing-dlib-package
var signToolPath = HelperFile.SignToolPath;
var signToolDirectory = Path.GetDirectoryName(signToolPath);
var dlibPath = Path.Combine(signToolDirectory, HelperFile.AzureDlibFileName);
if (File.Exists(dlibPath)) {
return dlibPath;
}
Log.Info($"Downloading Azure Trusted Signing dlib to '{dlibPath}'");
var dl = new NuGetDownloader();
using MemoryStream nupkgStream = new();
await dl.DownloadPackageToStream("Microsoft.Trusted.Signing.Client", "1.*", nupkgStream, cancellationToken);
nupkgStream.Position = 0;
string parentDir = NugetUtil.BinDirectory + Path.AltDirectorySeparatorChar;
if (Environment.Is64BitOperatingSystem) {
parentDir += "x64";
} else {
parentDir += "x86";
}
parentDir += Path.AltDirectorySeparatorChar;
ZipArchive zipPackage = new(nupkgStream);
var entries = zipPackage.Entries.Where(x => x.FullName.StartsWith(parentDir, StringComparison.OrdinalIgnoreCase));
foreach (var entry in entries) {
var relativePath = entry.FullName.Substring(parentDir.Length);
entry.ExtractToFile(Path.Combine(signToolDirectory, relativePath), true);
}
return dlibPath;
}
protected override string[] GetMainExeSearchPaths(string packDirectory, string mainExeName)
{
return new[] {
return [
Path.Combine(packDirectory, mainExeName),
Path.Combine(packDirectory, mainExeName) + ".exe",
};
];
}
}

2
src/vpk/Velopack.Packaging.Windows/Commands/WindowsSigningOptions.cs
View File

@@ -10,5 +10,5 @@ public class WindowsSigningOptions
public string SignTemplate { get; set; }
public string AzTrustedSign { get; set; }
public string AzureTrustedSignFile { get; set; }
}

11
src/vpk/Velopack.Packaging/HelperFile.cs
View File

@@ -71,7 +71,7 @@ public static class HelperFile
public static string SignToolPath => FindHelperFile("signtool.exe");
[SupportedOSPlatform("windows")]
public static string AzTrustedSigningDlibPath => FindHelperFile("Azure.CodeSigning.Dlib.dll");
public const string AzureDlibFileName = "Azure.CodeSigning.Dlib.dll";
public static string GetDefaultAppIcon(RuntimeOs os)
{
@@ -87,14 +87,15 @@ public static class HelperFile
}
}
private static readonly List<string> _searchPaths = new List<string>();
private static readonly List<string> _searchPaths = [];
static HelperFile()
{
#if DEBUG
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "target", "debug");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "vendor");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "artwork");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "..", "..", "target", "debug");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "..", "..", "target", "release");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "..", "..", "vendor");
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "..", "..", "artwork");
#else
AddSearchPath(AppContext.BaseDirectory, "..", "..", "..", "vendor");
#endif

23
src/vpk/Velopack.Vpk/Updates/NugetDownloader.cs → src/vpk/Velopack.Packaging/NuGet/NuGetDownloader.cs
View File

@@ -1,20 +1,24 @@
using System.Threading;
#nullable enable
using NuGet.Configuration;
using NuGet.Packaging.Core;
using NuGet.Protocol.Core.Types;
using NuGet.Versioning;
using NugetLogger = NuGet.Common.ILogger;
namespace Velopack.Vpk.Updates;
namespace Velopack.Packaging.NuGet;
public class NugetDownloader
public class NuGetDownloader
{
private readonly NugetLogger _logger;
private readonly PackageSource _packageSource;
private readonly SourceRepository _sourceRepository;
private readonly SourceCacheContext _sourceCacheContext;
public NugetDownloader(NugetLogger logger)
public NuGetDownloader()
: this(global::NuGet.Common.NullLogger.Instance)
{ }
public NuGetDownloader(NugetLogger logger)
{
_logger = logger;
_packageSource = new PackageSource("https://api.nuget.org/v3/index.json", "NuGet.org");
@@ -22,11 +26,11 @@ public class NugetDownloader
_sourceCacheContext = new SourceCacheContext();
}
public async Task<IPackageSearchMetadata> GetPackageMetadata(string packageName, string version, CancellationToken cancellationToken)
public async Task<IPackageSearchMetadata> GetPackageMetadata(string packageName, string? version, CancellationToken cancellationToken)
{
PackageMetadataResource packageMetadataResource = _sourceRepository.GetResource<PackageMetadataResource>();
FindPackageByIdResource packageByIdResource = _sourceRepository.GetResource<FindPackageByIdResource>();
IPackageSearchMetadata package = null;
IPackageSearchMetadata? package = null;
var prerelease = version?.Equals("pre", StringComparison.InvariantCultureIgnoreCase) == true;
if (version is null || version.Equals("latest", StringComparison.InvariantCultureIgnoreCase) || prerelease) {
@@ -66,4 +70,11 @@ public class NugetDownloader
.CopyNupkgToStreamAsync(package.Identity.Id, package.Identity.Version, targetStream, _sourceCacheContext, _logger, cancellationToken)
.ConfigureAwait(false);
}
public async Task DownloadPackageToStream(string packageName, string? version, Stream targetStream, CancellationToken cancellationToken)
{
IPackageSearchMetadata packageMetadata = await GetPackageMetadata(packageName, version, cancellationToken);
await DownloadPackageToStream(packageMetadata, targetStream, cancellationToken);
}
}

7
src/vpk/Velopack.Packaging/Velopack.Packaging.csproj
View File

@@ -19,6 +19,13 @@
<PackageReference Include="Microsoft.Identity.Client" Version="4.66.2" />
<PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.66.2" />
<PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.66.2" />
<PackageReference Include="Microsoft.Identity.Client" Version="4.66.1" />
<PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.66.1" />
<PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.66.1" />
<PackageReference Include="Microsoft.Identity.Client" Version="4.65.0" />
<PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.65.0" />
<PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.65.0" />
<PackageReference Include="NuGet.Protocol" Version="6.11.1" />
</ItemGroup>
</Project>

4
src/vpk/Velopack.Vpk/Commands/WindowsPackCommand.cs
View File

@@ -15,7 +15,7 @@ public class WindowsPackCommand : PackCommand
public int SignParallel { get; private set; }
public string SignTemplate { get; private set; }
public string AzTrustedSign { get; private set; }
public string AzureTrustedSignFile { get; private set; }
public string Shortcuts { get; private set; }
@@ -63,7 +63,7 @@ public class WindowsPackCommand : PackCommand
.SetDescription("Sign files via signtool.exe using these parameters.")
.SetArgumentHelpName("PARAMS");
var azTrustedSign = AddOption<FileInfo>((v) => AzTrustedSign = v.ToFullNameOrNull(), "--azTrustedSign")
var azTrustedSign = AddOption<FileInfo>((v) => AzureTrustedSignFile = v.ToFullNameOrNull(), "--azureTrustedSignFile")
.SetDescription("Path to Azure Trusted Signing metadata.json.")
.SetArgumentHelpName("PATH");

54
src/vpk/Velopack.Vpk/Updates/NullNugetLogger.cs
View File

@@ -1,54 +0,0 @@
using NugetLevel = NuGet.Common.LogLevel;
using NugetLogger = NuGet.Common.ILogger;
using NugetMessage = NuGet.Common.ILogMessage;
namespace Velopack.Vpk.Updates;
class NullNugetLogger : NugetLogger
{
void NugetLogger.LogDebug(string data)
{
}
void NugetLogger.LogVerbose(string data)
{
}
void NugetLogger.LogInformation(string data)
{
}
void NugetLogger.LogMinimal(string data)
{
}
void NugetLogger.LogWarning(string data)
{
}
void NugetLogger.LogError(string data)
{
}
void NugetLogger.LogInformationSummary(string data)
{
}
void NugetLogger.Log(NugetLevel level, string data)
{
}
Task NugetLogger.LogAsync(NugetLevel level, string data)
{
return Task.CompletedTask;
}
void NugetLogger.Log(NugetMessage message)
{
}
Task NugetLogger.LogAsync(NugetMessage message)
{
return Task.CompletedTask;
}
}

3
src/vpk/Velopack.Vpk/Updates/UpdateChecker.cs
View File

@@ -1,5 +1,6 @@
using System.Threading;
using NuGet.Protocol.Core.Types;
using Velopack.Packaging.NuGet;
using Velopack.Util;
namespace Velopack.Vpk.Updates;
@@ -26,7 +27,7 @@ public class UpdateChecker
if (_cache == null) {
var cancel = new CancellationTokenSource(3000);
var dl = new NugetDownloader(new NullNugetLogger());
var dl = new NuGetDownloader();
_cache = await dl.GetPackageMetadata("vpk", isPre ? "pre" : "latest", cancel.Token).ConfigureAwait(false);
}

1
src/vpk/Velopack.Vpk/Velopack.Vpk.csproj
View File

@@ -28,6 +28,7 @@
<PackageReference Include="Riok.Mapperly" Version="4.1.0" />
<PackageReference Include="Humanizer.Core" Version="2.14.1" />
<PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
<PackageReference Include="System.Text.Json" Version="8.0.5" />
</ItemGroup>
<ItemGroup>

8
test/PathHelper.cs
View File

@@ -22,10 +22,10 @@ public static class PathHelper
=> Path.Combine(GetProjectDir(), "artwork");
public static string GetFixture(params string[] names)
=> Path.Combine(new string[] { GetTestRoot(), "fixtures" }.Concat(names).ToArray());
=> Path.Combine([GetTestRoot(), "fixtures", .. names]);
public static string GetTestRootPath(params string[] names)
=> Path.Combine(new string[] { GetTestRoot() }.Concat(names).ToArray());
=> Path.Combine([GetTestRoot(), .. names]);
#if DEBUG
public static string GetRustBuildOutputDir()
@@ -36,7 +36,7 @@ public static class PathHelper
#endif
public static string GetRustAsset(params string[] names)
=> Path.Combine(new string[] { GetRustBuildOutputDir() }.Concat(names).ToArray());
=> Path.Combine([GetRustBuildOutputDir(), .. names]);
public static string CopyRustAssetTo(string assetName, string dir)
{
@@ -60,7 +60,7 @@ public static class PathHelper
public static string CopyUpdateTo(string dir)
{
string GetUpdatePath()
static string GetUpdatePath()
{
if (VelopackRuntimeInfo.IsWindows && File.Exists(GetRustAsset("update.exe"))) {
return GetRustAsset("update.exe");

10
test/Velopack.Packaging.Tests/TestApp.cs
View File

@@ -1,4 +1,5 @@
using System.Diagnostics;
#nullable enable
using System.Diagnostics;
using Velopack.Packaging.Unix.Commands;
using Velopack.Packaging.Windows.Commands;
using Velopack.Util;
@@ -10,7 +11,7 @@ namespace Velopack.Packaging.Tests;
public static class TestApp
{
public static void PackTestApp(string id, string version, string testString, string releaseDir, ILogger logger,
string releaseNotes = null, string channel = null, RID targetRid = null, string packTitle = null)
string? releaseNotes = null, string? channel = null, RID? targetRid = null, string? packTitle = null, string? azureTrustedSignFile = null)
{
targetRid ??= RID.Parse(VelopackRuntimeInfo.SystemRid);
@@ -30,7 +31,7 @@ public static class TestApp
logger.Info($"TEST: Running {psi.FileName} {debug}");
using var p = Process.Start(psi);
p.WaitForExit();
p!.WaitForExit();
if (p.ExitCode != 0)
throw new Exception($"dotnet publish failed with exit code {p.ExitCode}");
@@ -48,6 +49,7 @@ public static class TestApp
PackDirectory = Path.Combine(projDir, "publish"),
ReleaseNotes = releaseNotes,
Channel = channel,
AzureTrustedSignFile = azureTrustedSignFile
};
var runner = new WindowsPackCommandRunner(logger, console);
runner.Run(options).GetAwaiterResult();
@@ -79,7 +81,7 @@ public static class TestApp
PackVersion = version,
PackDirectory = Path.Combine(projDir, "publish"),
ReleaseNotes = releaseNotes,
Channel = channel,
Channel = channel
};
var runner = new LinuxPackCommandRunner(logger, console);
runner.Run(options).GetAwaiterResult();

74
test/Velopack.Packaging.Tests/TrustedSigningTests.cs Normal file
View File

@@ -0,0 +1,74 @@
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Velopack.Packaging.Windows;
using Velopack.Util;
namespace Velopack.Packaging.Tests;
public class TrustedSigningTests
{
private const string CodeSigningEndpoint = "https://eus.codesigning.azure.net";
private readonly ITestOutputHelper _output;
public TrustedSigningTests(ITestOutputHelper output)
{
_output = output;
}
private static async Task<bool> IsAuthenticatedForCodeSigningAsync()
{
//SingTool.exe will use DefaultAzureCredentials to authenticate.
//We preemptively check if there are valid creds to use and skip the test if not.
//This allows the test to be skipped for everyone who does not have the "Trusted Signing Certificate Profile Signer" role.
// We are more restrictive than the DefaultAzureCredentials, and only check for the AzureCliCredential and EnvironmentCredential.
// To appropriately run this test, you will need to first run `az login` and authenticate with an account that has the "Trusted Signing Certificate Profile Signer" role within the Velopack Azure subscription.
var creds = new ChainedTokenCredential(
new AzureCliCredential(),
new EnvironmentCredential());
try {
var token = await creds.GetTokenAsync(new TokenRequestContext([$"{CodeSigningEndpoint}/.default"]));
return token.Token != null;
} catch (Exception) {
return false;
}
}
[SkippableFact]
public async void CanSignWithTrustedSigning()
{
Skip.If(!VelopackRuntimeInfo.IsWindows);
Skip.If(await IsAuthenticatedForCodeSigningAsync());
using var logger = _output.BuildLoggerFor<TrustedSigningTests>();
using var _ = TempUtil.GetTempDirectory(out var releaseDir);
string channel = string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable("CI"))
? VelopackRuntimeInfo.SystemOs.GetOsShortName()
: "ci-" + VelopackRuntimeInfo.SystemOs.GetOsShortName();
string metadataFile = Path.Combine(releaseDir, "metadata.json");
File.WriteAllText(metadataFile, $$"""
{
"Endpoint": "{{CodeSigningEndpoint}}",
"CodeSigningAccountName": "velopack-signing-account",
"CertificateProfileName": "VelopackPublic"
}
""");
var id = "AZTrustedSigningApp";
TestApp.PackTestApp(id, "1.0.0", $"aztrusted-{DateTime.UtcNow.ToLongDateString()}", releaseDir, logger, channel: channel, azureTrustedSignFile: metadataFile);
var files = Directory.EnumerateFiles(releaseDir)
.Where(x => PathUtil.FileIsLikelyPEImage(x))
.ToList();
Assert.NotEmpty(files);
#pragma warning disable CA1416 // Validate platform compatibility, this test only executes on Windows
Assert.All(files, x => Assert.True(AuthenticodeTools.IsTrusted(x)));
#pragma warning restore CA1416 // Validate platform compatibility
}
}

1
test/Velopack.Packaging.Tests/Velopack.Packaging.Tests.csproj
View File

@@ -9,6 +9,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.12.1" />
<PackageReference Include="Octokit" Version="13.0.1" />
<PackageReference Include="NuGet.Packaging" Version="6.12.1" />
<PackageReference Include="System.Formats.Asn1" Version="8.0.1" />