build/windows: Renew pseudo-gimp*.pfx certificate and document it

build/windows/store/3_dist-gimp-winsdk.ps1

@@ -353,8 +353,13 @@ if (-not $GITLAB_CI -and $wack -eq 'WACK')
 if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
   {
     Write-Output "$([char]27)[0Ksection_start:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}[collapsed=true]$([char]13)$([char]27)[0KSelf-signing $MSIX_ARTIFACT (for testing purposes)"
-    signtool sign /debug /fd sha256 /a /f build\windows\store\pseudo-gimp.pfx /p eek $MSIX_ARTIFACT
+    signtool sign /debug /fd sha256 /a /f $(Resolve-Path build\windows\store\pseudo-gimp*.pfx) /p eek $MSIX_ARTIFACT
-    Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse
+    if ("$LASTEXITCODE" -gt '0' -or "$?" -eq 'False')
+      {
+        ## We need to manually check failures in pre-7.4 PS
+        exit 1
+      }
+    Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx -Recurse
     Write-Output "$([char]27)[0Ksection_end:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}$([char]13)$([char]27)[0K"
   }
 
@@ -367,7 +372,7 @@ if ($GITLAB_CI)
     Move-Item $MSIX_ARTIFACT $output_dir
     if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
       {
-        Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination $output_dir
+        Copy-Item pseudo-gimp.pfx $output_dir
       }
 
     # Generate checksums in common "sha*sum" format

build/windows/store/README.md

@@ -20,10 +20,25 @@ Base rule to update the "GIMP (Preview)" entry:
    Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will
    add the generated .msixupload and on 'Store listings' the brief changelog.
 
-If the .msix* starts to be refused to certification or to signing,
+If the .msix* starts to be refused to certification or to self-signing,
 run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it
 still complies with the latest Windows policies. Make sure to update WinSDK.
 
+If the .msix* starts to be refused to self-signing due to the .pfx file, then
+generate a new one with the commands below and commit it to this dir.
+
+```pwsh
+$pseudo_gimp = "pseudo-gimp_$(Get-Date -Format yyyy)"
+```
+
+```pwsh
+New-SelfSignedCertificate -Type Custom -Subject "$(([xml](Get-Content build\windows\store\AppxManifest.xml)).Package.Identity.Publisher)" -KeyUsage DigitalSignature -FriendlyName "$pseudo_gimp" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
+```
+
+```pwsh
+Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$(Get-ChildItem Cert:\CurrentUser\My | Where-Object FriendlyName -EQ "$pseudo_gimp" | Select-Object -ExpandProperty Thumbprint)" -FilePath "${pseudo_gimp}.pfx" -Password (ConvertTo-SecureString -String eek -Force -AsPlainText)
+```
+
 ## Versioning the MSIX
 
 * Every new .msixupload submission (with different content) needs a bumped version.