Installer: internal MSI file is not signed #17410

Closed
1 task done
klylesatepic opened this issue Mar 31, 2022 · 4 comments
Labels
  • Area-Build: Issues pertaining to the build system, CI, infrastructure, meta
  • Area-Setup/Install: Refers to installation mechanism
  • Hot Fix: Items we will produce an out-of-band release for
  • Issue-Bug: Something isn't working
  • Resolution-Fix Committed: Fix is checked in, but it might be 3-4 weeks until a release.

Comments

@klylesatepic

Microsoft PowerToys version

0.57.0

Running as admin

  • Yes

Area(s) with issue?

Installer

Steps to reproduce

It helps to have security software that only runs allowed software (including software signed with certain certificates), such as CarbonBlack. You can see the lack of signing without that, though it won't cause any functional issues.

  1. Install an old version of PowerToys
  2. Update it from within PowerToys
  3. If you have said security software, see that it blocks execution of C:\ProgramData\Package Cache\{45E073FD-1ED7-4787-B445-2980175F449A}v0.57.0\PowerToysSetup-0.57.0-x64.msi and the update fails to install
  4. If you don't have said security software, inspect that .msi file and see that it is unsigned (no Digital Signatures tab in the Properties window)

✔️ Expected Behavior

The .msi file would be signed by Microsoft

❌ Actual Behavior

The .msi file is not signed (by Microsoft or anyone else)

Other Software

No response

@klylesatepic added the Issue-Bug (Something isn't working) and Needs-Triage (For issues raised to be triaged and prioritized by internal Microsoft teams) labels Mar 31, 2022
@Jay-o-Way added the Area-Build (Issues pertaining to the build system, CI, infrastructure, meta) label Mar 31, 2022
@franky920920
Contributor

cc: @crutkas

@franky920920 added the Area-Setup/Install (Refers to installation mechanism) label Apr 1, 2022
@jaimecbernardo added this to the Priority work bucket milestone Apr 1, 2022
@jaimecbernardo added the Hot Fix (Items we will produce an out-of-band release for) label and removed the Needs-Triage (For issues raised to be triaged and prioritized by internal Microsoft teams) label Apr 1, 2022
@jaimecbernardo self-assigned this Apr 1, 2022
@DHowett
Member

DHowett commented Apr 1, 2022

Ugh. Thanks for reporting this.

My initial thought was, "this was a case we explicitly covered."

(1) Content is signed:

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1

(2) MSI is signed:

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1

(3) Bootstrapper bundle is unpacked-
Engine is signed:

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1

(4) Bootstrapper bundle is re-packed-
Bundle is signed:

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1

However, it turns out that the build phase for the bootstrapper (which happens in between 2 and 3) was set to clean: true and was deleting the newly-signed MSI.

The correct fix is to stage our outputs somewhere else where MSBuild can't get to them, and direct the bootstrapper build to use those copies. However, I'm trying the lazy fix first: https://github.com/microsoft/PowerToys/compare/dev/duhowett/ffs-msbuild
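A check for the failure described above (a signed MSI replaced by an unsigned rebuild before bundling), as an added example that is not part of this thread or of the PowerToys build. The function name, its parameters and the signer pattern are assumptions; the same function can be pointed at a build output folder as a release gate or at the Burn package cache on an endpoint.

```powershell
# Added example: report the Authenticode status of installer payloads under a folder.
# Test-InstallerSignature, -Root and -ExpectedSubject are hypothetical names.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        # Folder to scan: a build output directory or the Burn package cache.
        [Parameter(Mandatory)] [string] $Root,
        # Wildcard matched against the signer certificate subject; '*' accepts any signer.
        [string] $ExpectedSubject = '*'
    )

    $files = Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $_.Extension -in '.msi', '.exe' }

    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            Path   = $file.FullName
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $subject
            # Passes only when the signature validates AND the signer matches the pattern.
            Passed = ($sig.Status -eq 'Valid') -and ($subject -like $ExpectedSubject)
        }
    }
}

# Endpoint use: list cached installers that would trip an allow-by-signature policy.
$cache = Join-Path $env:ProgramData 'Package Cache'
if (Test-Path -LiteralPath $cache) {
    $report = @(Test-InstallerSignature -Root $cache)
    $failed = @($report | Where-Object { -not $_.Passed })
    $failed | Format-Table Status, Signer, Path -AutoSize
    Write-Host ("{0} of {1} cached installers failed the signature check." -f $failed.Count, $report.Count)
}

# Release-gate use (placeholder path and assumed signer pattern): fail the job if
# any payload the bootstrapper build will consume is unsigned or signed by someone else.
# $bad = @(Test-InstallerSignature -Root '.\installer-output' `
#          -ExpectedSubject '*O=Microsoft Corporation*' | Where-Object { -not $_.Passed })
# if ($bad.Count -gt 0) { $bad | Format-List; exit 1 }
```

Run as a gate after the bootstrapper build rather than only after the signing task, so that a later step which deletes or rebuilds the MSI is caught.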

@klylesatepic
Author

> Ugh. Thanks for reporting this.
>
> My initial thought was, "this was a case we explicitly covered."

Yeah, I saw lots of older issues about code signing of various things, but they were all slightly different and already fixed. I'm glad I didn't miss one that still applied!

@Jay-o-Way added the Status-In progress (This issue or work-item is under development) label Apr 2, 2022
@jaimecbernardo added the Resolution-Fix Committed (Fix is checked in, but it might be 3-4 weeks until a release.) label and removed the Status-In progress (This issue or work-item is under development) label Apr 5, 2022
@Aaron-Junker
Collaborator

This got implemented in the 0.58 update.
