From dd4b687d36e87e4e88e23add45bf7cd413e1c229 Mon Sep 17 00:00:00 2001
From: Bruno
Date: Fri, 20 Dec 2024 11:04:47 -0300
Subject: [PATCH] build/windows: Renew pseudo-gimp*.pfx certificate and document it

---
 build/windows/store/3_dist-gimp-winsdk.ps1 | 11 ++++++++---
 build/windows/store/README.md | 17 ++++++++++++++++-
 build/windows/store/pseudo-gimp.pfx | Bin 2710 -> 0 bytes
 build/windows/store/pseudo-gimp_2024.pfx | Bin 0 -> 2718 bytes
 4 files changed, 24 insertions(+), 4 deletions(-)
 delete mode 100644 build/windows/store/pseudo-gimp.pfx
 create mode 100644 build/windows/store/pseudo-gimp_2024.pfx

diff --git a/build/windows/store/3_dist-gimp-winsdk.ps1 b/build/windows/store/3_dist-gimp-winsdk.ps1
index 93e9a3162e..df547117ec 100644
--- a/build/windows/store/3_dist-gimp-winsdk.ps1
+++ b/build/windows/store/3_dist-gimp-winsdk.ps1
@@ -353,8 +353,13 @@ if (-not $GITLAB_CI -and $wack -eq 'WACK')
 if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
 {
 Write-Output "$([char]27)[0Ksection_start:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}[collapsed=true]$([char]13)$([char]27)[0KSelf-signing $MSIX_ARTIFACT (for testing purposes)"
- signtool sign /debug /fd sha256 /a /f build\windows\store\pseudo-gimp.pfx /p eek $MSIX_ARTIFACT
- Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse
+ signtool sign /debug /fd sha256 /a /f $(Resolve-Path build\windows\store\pseudo-gimp*.pfx) /p eek $MSIX_ARTIFACT
+ if ("$LASTEXITCODE" -gt '0' -or "$?" -eq 'False')
+ {
+ ## We need to manually check failures in pre-7.4 PS
+ exit 1
+ }
+ Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx -Recurse
 Write-Output "$([char]27)[0Ksection_end:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}$([char]13)$([char]27)[0K"
 }
 
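Review bot: The `$(Resolve-Path build\windows\store\pseudo-gimp*.pfx)` argument on the new signtool line assumes exactly one match, but the README added by this same commit tells the next maintainer to generate `pseudo-gimp_<year>.pfx` and "commit it to this dir" without saying the old one must be removed, so as soon as two files match `Resolve-Path` returns two paths, `/f` receives two arguments and signtool fails, and the following `Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx` tries to copy two sources onto one leaf. The new exit check also compares strings: `"$LASTEXITCODE" -gt '0'` is a lexicographic comparison because the left operand is quoted, so a negative exit code would pass silently; `$LASTEXITCODE -ne 0` is what is meant. Resolving the glob once into a variable, failing when the count is not 1, and reusing it for both signtool and Copy-Item fixes both (the `-Recurse` on a single-file copy can go too). Since the .pfx and its password `eek` are committed and therefore public, a comment such as `## Test-only key: public in the repo, never trust this certificate on anything but a throwaway machine` above the signtool line would make the "for testing purposes" wording concrete. The enclosing `if (-not $GITLAB_CI -and $wack -eq 'WACK')` block starts before this hunk.
```powershell
$pfx = @(Resolve-Path build\windows\store\pseudo-gimp*.pfx)
if ($pfx.Count -ne 1)
  {
    Write-Output "Expected exactly one build\windows\store\pseudo-gimp*.pfx, found $($pfx.Count)"
    exit 1
  }
## Test-only key: public in the repo, never trust this certificate on anything but a throwaway machine
signtool sign /debug /fd sha256 /a /f $pfx[0].Path /p eek $MSIX_ARTIFACT
if ($LASTEXITCODE -ne 0)
  {
    ## We need to manually check failures in pre-7.4 PS
    exit 1
  }
Copy-Item $pfx[0].Path pseudo-gimp.pfx
# … unchanged: section_end Write-Output …
```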
@@ -367,7 +372,7 @@ if ($GITLAB_CI)
 Move-Item $MSIX_ARTIFACT $output_dir
 if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
 {
- Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination $output_dir
+ Copy-Item pseudo-gimp.pfx $output_dir
 }
 
 # Generate checksums in common "sha*sum" format
diff --git a/build/windows/store/README.md b/build/windows/store/README.md
index 02817c3da1..503bcc7d4b 100644
--- a/build/windows/store/README.md
+++ b/build/windows/store/README.md
@@ -20,10 +20,25 @@ Base rule to update the "GIMP (Preview)" entry: Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will add the generated .msixupload and on 'Store listings' the brief changelog. -If the .msix* starts to be refused to certification or to signing, +If the .msix* starts to be refused to certification or to self-signing, run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it still complies with the latest Windows policies. Make sure to update WinSDK. +If the .msix* starts to be refused to self-signing due to the .pfx file, then +generate a new one with the commands below and commit it to this dir. + +```pwsh +$pseudo_gimp = "pseudo-gimp_$(Get-Date -Format yyyy)" +``` + +```pwsh +New-SelfSignedCertificate -Type Custom -Subject "$(([xml](Get-Content build\windows\store\AppxManifest.xml)).Package.Identity.Publisher)" -KeyUsage DigitalSignature -FriendlyName "$pseudo_gimp" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") +``` + +```pwsh +Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$(Get-ChildItem Cert:\CurrentUser\My | Where-Object FriendlyName -EQ "$pseudo_gimp" | Select-Object -ExpandProperty Thumbprint)" -FilePath "${pseudo_gimp}.pfx" -Password (ConvertTo-SecureString -String eek -Force -AsPlainText) +``` + ## Versioning the MSIX * Every new .msixupload submission (with different content) needs a bumped version. 
diff --git a/build/windows/store/pseudo-gimp.pfx b/build/windows/store/pseudo-gimp.pfx deleted file mode 100644 index e9b749b614a6b844c45df78fc65dd6d8b94087a8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2710 zcmZXUc{tSV9>#yem|?~;Wf}XDHNx1&8nTokk}O%XjU~puHnw?f*%{kQwyY;15?Mmy zgp@F{q%4trYY>XbnY!NdzSp_V^<4L}eD3G_eV)H=6dsmE1ENLYVa5;!$#{eKLnaUu zREmdbf$=bPDpp3}A;AAwbYw7|ZVQE{Tcc_T0{^Ru5eA|u#e;vM@ZcXPUI^^JnA)5f zOi%JzZyX7;W}u;gj)3vtsh49mW~0%HCZ&rd>D)Rd(B8cTeO})vBITS~$Kl9Ej#!>d zX6MH4m+d&M&%+kv-FZUF7=;hcT%^{gURW-Ixb{WR6C2nW&o-VeFJKaqV}*9mmkhbw zx+u~lvDodQPoWQ&^Q>~W;9M|{Une!&*LKGUAcK_Z-(whM5$kVz=PWwR$I*Q)#hphL zuf+C>UfjLRO)uXT3EgQqZ3wd=8F|uncFwwsDHgP((zCnAU6?gqS}99?VlOnC@PH3=QI%CCqan}_{D+|6hS@6dwD)aBa8xq8#Y_LCdIW~j zL4?X}$=T%b6CMvhl?xpcZfZxsTJzp~aG}^m{(I1ytCTw}x9#e=w2RY&so7{Xf^E$h zx1U0kIbY7c&?oKK;9@^`d;gz?bWMq#G9QD#Wl9Jv1jk=`TKf?BU}PoY4$-W;ImqVv zoAmVMLo7NC(dU7l>tg+xF-}L6~cT(4$04GeCMtA zTb>LMV(00%Ve_Kp8@UlYmkXO^Pri=y>@??YxcO+vr25u`mFJIa{!C0e>x$gx)Bv<` z1~!)^+64!1FqkEqx*gP*B6v5CkWFI3W%v9hjqo)YL)%QCYfkL%ExxU=vDc$G6A_$8(yC6 zZtpd_y6*OdJe&UU13}O@{bV=qFllptj@98b8+T2nvb_P4k*OGf!x?9s!1V~v?qLgw zcI`u9Tex!UNs~Hh;Gsm*OnuICk^1l!MxHcW6k&AY$fcy9wko@?Q3qdma}lxP%Eh;O ztn|!>mN_Mw-uST7pjwjg0^;CJg}4@Wv#MKiMI}~qOmKVOTCcz6A&ZdvG}8Xc(6EMZ zU2JIkWChVM^F8aR$rKE%tZTJ~l`pRxI}rC36pw$$BnJM2?Vg|Wa?c&nCXB*%A_qxO z6r8fwd7dn#FI?wo=`ur4Vkk=J8oW$eRXMLD!}!f}iUrKY{JC#$d^mQ|rZUg{UZ7B{ z#j3#b0s*~|kMiqb&Z&mrD0ZJV{A zI0((8eki;2tZkI*y+%ok2KA6OmF00Wp5u&jMy8!7YJ#EMAz6b1`?dbI82nOedU>mJ zm2`qc4vC`3sJL!e(Bt(wv@rF;-WX9E(Q*YA^z^PB^GKbvBc_^va#2*#yb#=yA?LS~ zz4!eYwEanuT+A4X_3yZ3V3&h{!5{ztP5x2Rx`3 z`~e>zfGQ02IYGeeuU!b>NOfGP#E?3N{dNMWoa)w;^! 
zNGyvN5O{5xl4zt7RWk3+JVZ2l5IT}tpfS|vnwu3UmYCle<7jp;r^4^-?)cRz?la1Y zEM1q-+ENIiSc?QOWitn0ZXb%q?xX~2x)62Rb7iz*BzCNi1KE`wQ5>EQf9`D^ZFsld zK7nGiAF>{3W%q|T-E5;oPNZ3u~6mfveh&=WRsnDI~wx~>Ehk*w6+?|~MW>U+3bF~w85J1r8FUAvUuJOP%nq$ z@vZm3*TY?wC?cy@o94Eb;ZHwwdk4f>-aSX8Sc(!g%*a&G-UxRHBJmoYj)2K;t4NRz$ zK#IG&y0Rd3?kTCQDOrADI7iBW-+WyX7^IX_F9m)l8$majXT*9fxv25;i!6PRx}h5< zxL!d`u-Yj(g_q{BCEU!k+|juhDlbD2NmtaF@Ky_n)7;g=(r%BZiM+W@5hbIOI#O&d zU3h^0;AWO%x=EWaZHai9NV{B8UG{dNC=BWq!G6g(f9UXHkinZq))(I?!#BO}vpL+> zr~jtG*A{(CFx{wv`Iug$HJ>;GX%^*e?^wXmzzYl0^*_Fo+BIEKB;*L5^y&H8#`G;P zi}}HqlxcN8!BhgwmR(9sj;sGQa0`2UkaJ)Z=T;8Mr&)~KMXx-*X)Z`q7kilcXW3Q8R%fPzBk zq?l=GxWR0fE_~6CyhuATn?N4uBtv*a8Dq7oDGYpaJW19}LH5q#{mMn?E$f3=?FVhU>Fi4W2v4q5AOP1r1Oio2a z*|M9Ek~LeFELjFACZ_jyy3Tvf^N+KBGiVvOp4g zn3GlS=cyCp`l06^HJk|4R^%3+6UI~-Sbn}UsprF3Ml29MkGSL8IP;;s*XWfc;&?kV z*DGg3Sf@G`SrG+gINxt(rpZnLnu-Jm*&x25TO1c1ExWAdRJd79Qxf)>hYKvOPb`Qg zNY$#pcg5|H>r6gDraLaDf6ZfFkl}HkE<+R)oz6Et4$ghGoADNv+d|ANo*vi5BS03S zGp#F*TCERu7XTi8b_S~osa9uN-WB^IdJiO-#K582$Nd54>i2pVRgeEV zGGFU%8gM+~Kp-U?G%L9ElN2#xAia#~}fX*$P7G*Op5i8rar5bT7u){4- zHHhSTd*l;;d7&47^D1XmsV8}F=hE}&fzSPcIq^J?F%PeBSo>D<>63h~tn zrmR=uc?zjxxa#>mL&Lg-me*2+H#dqxK-Q1shf~F5=UR{KdqFM;c<*Yl2M97EUR2{l znl}YW)Uug49*=O2M_zHqvV5RM$eHYu4wK){V>M`w2CVOF!5YUppHOQn6#lGQrpMIQ zQyi1&>Uoz2S-l9`I57TY|w#S9e{&7t-p^o=3X z;%Pw&jyM1Hp!_B7?PN}OahgBXN!J{!uqMM#0_sSq@Lt9 zq?td8g~Y?ZdOntRKET%5a^BF%)Dm*lo;j)}eMSNDO8*7A}v= z8fPxW(+@=bF1NR)r^u31uSKUQgzfb}to?#}Zo{4-AmBBqg~N*-yK}i@9!cDyd(kyw zu!3NzsYwMP`E0kQ=9snN!JVqYPkV!hK67pTV#^(m+vOYFsU71eyxsRTyVg50D9B){35Z34F+RSLl`_~Kcdv+fB zlX)kspU1@?TuA<`FjsJ2-d24j$Ek5ltx-;Ay$kpsag;qRXElahCheIi9VS-LWFc$h z=Cb?**%E!`=u2lt!jK)Ut(9oRaF@bfb|zQwhi42B+{VkomwcgRlU@R0A9YhQLW0yQ4>QD#-3<81BF8@MdbvqebP$^yAL@XKMV@kyb^%qIlv%bk^Z*={(s~DDxmShcRbnjFXO*K;bcC?x3wkksg9;^A6GwO zd-_9$uYI{_c5h^c-Fn`PjI@F!!)Pf@NK#PBx~Mj* zF?J$6ZYa*-(stv_d|GfXrP#TN_;!Z`zpQ?9@?|88Wb<-NHt62P;d-p5R5gA8_9p^! 
z_0wgfx;A5{0Vvp0dqr&}u zOsdIg`NxQro!#VSI9)pyZ0YnUY<$$qR{ZXqeXS__XOk_kezJdMB~R%qLnSb3f`ZqH0*q5!w$LQecp-anLa!k%(hei1exc9%~n zL~XleA*Gs6!pcLVKEy!jk5Ly9%tAUN#Px<_<;UjqH^=5~)+pL^cpdo3ng-W>cY*5o z=G?c}w|N}=BvX@x5yBYMy599WXqzi{stcdcsR zoRZ9!m6eC(8#acNoU$+G6EsXLzEL3qdRBs)kF$GVsp~ss=?2~z{^)*I@dO`O3q`>7 zFFij{G&h3298i32Yt1ZmgaHo=QcI4ZO1-jg0JcRz-J<5!M`*inXFD@t>c}jO50ZBM zdv)S97CpBok7}|vUc0)8y3P-u-?7WMlm{;nkI44XHmNUjggDo}TVd^w=&gjE{QNS2 zwgpxe8tp-g9QOQT(+q7TvM9^0U)k>}bhlFL#xm?OmFn+-NNj^Ii~g^=1mE@)OCuRP z>egK3RZ$c)5FarAl#`}r;GaNz*zzU|Bgx%98uofE+v#BbdhmLhXVY+(0~=G~Gj&N) z0`;(5X$q~6mPNy$T&nz>90-Uowy;q{gIh|-%|Jm(06a@7V@`n~!eTinn#cMmB8WW_ Q8