Merge pull request #1968 from blockstack/feature/msi-signkey-update

Update Windows installer (msi) file signing key
stacks-archive · Nov 13, 2019 · 758d81e · 758d81e
2 parents 29b98d3 + 6195ce7
commit 758d81e
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 21 deletions.
diff --git a/appveyor.yml b/appveyor.yml
@@ -4,24 +4,22 @@ environment:
   nodejs_version: 10
   pfx_secret:
     secure: S/Mj90+79mE3WTzcInLLI9L5Dpq25dagZUJ4FuVUZH1phPYvveBdDYKBVoL2nCqtlpVMhm22iv/meRCVptVtSg==
+  pfx_salt:
+    secure: /GB+cNivX4FGPXVrCV1pPuXD9urtqh/p2QEirW31/bIjeCJ+JHnxk/VrDvqnFUOc1pD407pqP6ozH2ut2UhQeA==
 install:
 - ps: iex ((New-Object Net.WebClient).DownloadString('https://github.com/appveyor/secure-file/master/install.ps1'))
 - cmd: >-
-    appveyor-tools\secure-file -decrypt native\windows\signcertfile.pfx.enc -out signcertfile.pfx -secret %pfx_secret%
+    appveyor-tools\secure-file -decrypt native\windows\signcertfile.pfx.enc -out native\windows\signcertfile.pfx -secret %pfx_secret% -salt %pfx_salt%
 
     IF NOT exist "wix311.exe" ( powershell -Command "(new-object System.Net.WebClient).DownloadFile('https://github.com/wixtoolset/wix3/releases/download/wix3111rtm/wix311.exe', 'wix311.exe')" )
 
     wix311.exe /install /quiet /norestart
 
     npm i
 build_script:
-- cmd: >-
-    npm run win32
-
-    copy native\windows\BlockstackSetup\bin\Release\en-us\BlockstackSetup.msi .\
-
+- cmd: npm run win32
 artifacts:
-- path: BlockstackSetup.msi
+- path: native\windows\BlockstackSetup\bin\Release\en-us\BlockstackSetup.msi
 cache:
   - node_modules -> package.json
   - wix311.exe
@@ -38,8 +36,7 @@ for:
 
   after_build:
   - ps: Write-Host 'signing MSI file'
-  - ps: (& @((Resolve-Path -Path "${Env:ProgramFiles(x86)}\Windows Kits\10\bin\10*\x86\signtool.exe").Path)[0] sign /t http://timestamp.verisign.com/scripts/timstamp.dll /n Blockstack /f signcertfile.pfx BlockstackSetup.msi)
-
+  - cmd: npm run win32:signMsi
 -
   branches:
     except:

diff --git a/native/windows/msbuild.cmd b/native/windows/msbuild.cmd
@@ -1,23 +1,29 @@
 @if not defined _echo echo off
 
 REM Finds and invokes msbuild.exe with the arguments passed to this script.
-REM Requires Visual Studio 2017 to be installed.
+REM Requires Visual Studio to be installed.
 REM See https://github.com/Microsoft/vswhere for details.
 
-set msbuild_dir="MSBuild\15.0\Bin\MSBuild.exe"
 set vswhere="%ProgramFiles(x86)%\Microsoft Visual Studio\Installer\vswhere.exe"
 
 if not exist %vswhere% (
-  echo "vswhere.exe not found. Is Visual Studio 2017 installed?"
+  echo "vswhere.exe not found. Is Visual Studio 2017/2019 installed?"
   exit /b 2
 )
 
-for /f "usebackq delims=" %%i in (`%vswhere% -latest -property installationPath`) do (
-  if exist "%%i\%msbuild_dir%" (
-    "%%i\%msbuild_dir%" %*
-    exit /b
-  ) else if not exist "%%i\%msbuild_dir%" (
-    echo "MSBuild.exe not found"
-    exit /b 2
-  )
-)
+for /f "usebackq delims=" %%F in (`%vswhere% -latest -property installationPath`) do (
+  set install_path=%%F
+)
+echo Using VS installation: %install_path%
+
+for /f "usebackq delims=" %%F in (`dir "%install_path%\*MSBuild.exe" /s /b`) do (
+  set msbuild_path=%%F
+  goto found_msbuild
+)
+echo MSBuild.exe not found
+exit /b 2
+
+:found_msbuild
+echo using msbuild: %msbuild_path%
+"%msbuild_path%" %*
+exit /b !errorlevel!
diff --git a/native/windows/signcertfile.pfx.enc b/native/windows/signcertfile.pfx.enc
diff --git a/native/windows/signtool.cmd b/native/windows/signtool.cmd
@@ -0,0 +1,17 @@
+@if not defined _echo echo off
+
+REM Finds and invokes signtool.exe with the arguments passed to this script.
+
+set signtool_search="%ProgramFiles(x86)%\Windows Kits\10\bin\10*\x86\signtool.exe"
+
+for /f "usebackq delims=" %%i in (`powershell -command "& { @((Resolve-Path -Path \"%signtool_search%\").Path)[0] }"`) do (
+  echo Using signtool: %%i
+  set signtool_path=%%i
+  goto found_signtool
+)
+echo signtool.exe not found
+exit /b 2
+
+:found_signtool
+"%signtool_path%" %*
+exit /b !errorlevel!
diff --git a/package.json b/package.json
@@ -193,6 +193,7 @@
     "win32:copyCorsProxy": "xcopy corsproxy\\corsproxy.js native\\windows\\BlockstackBrowser\\Resources\\cors-proxy\\* /Y",
     "win32:setWixVersion": "shx sed -i s/Version=\\\"0.0.0.0\\\"/Version=\\\"%npm_package_version%\\\"/ native\\windows\\BlockstackSetup\\Product.wxs",
     "win32:msbuildSolution": "native\\windows\\msbuild native\\windows\\BlockstackBrowser.sln /p:RunWixToolsOutOfProc=true /p:Configuration=Release /p:Platform=x86",
+    "win32:signMsi": "native\\windows\\signtool sign /t http://timestamp.verisign.com/scripts/timstamp.dll /n Blockstack /f native\\windows\\signcertfile.pfx native\\windows\\BlockstackSetup\\bin\\Release\\en-us\\BlockstackSetup.msi",
     "win32:clean": "shx rm -rf build native\\windows\\BlockstackBrowser\\bin native\\windows\\BlockstackSetup\\bin native\\windows\\ProtocolHandler\\bin native\\windows\\BlockstackBrowser\\Resources\\build native\\windows\\BlockstackBrowser\\Resources\\cors-proxy native\\windows\\BlockstackBrowser\\Resources\\node_modules native\\windows\\BlockstackBrowser\\Resources\\node.exe",
     "mac": "cross-env NODE_ENV=production npm run build && npm run mac:downloadNode && npm run mac:downloadPackages && npm run mac:copyCorsProxy && npm run mac:copyBlockstackProxy && npm run mac:buildDebug",
     "mac:release": "npm run test && npm install --no-save appdmg && npm run build && npm run mac:copyBrowser && npm run mac:downloadNode && npm run mac:downloadPackages && npm run mac:copyCorsProxy && npm run mac:copyBlockstackProxy && npm run mac:release:build",