sign engine

Author: deansheather

scripts/Publish.ps1

@@ -50,6 +50,8 @@ function Find-EnvironmentVariables([string[]] $variables) {
     }
 }
 
+Find-Dependencies @("dotnet.exe", "wix.exe")
+
 if ($sign) {
     Write-Host "Signing is enabled"
     Find-Dependencies java
@@ -97,7 +99,8 @@ if (Test-Path $outputPath.Replace(".exe", ".wixpdb")) {
 }
 
 # Create a publish directory
-$buildPath = Join-Path $repoRoot "publish\buildtemp-$($version)-$($arch)"
+$publishDir = Join-Path $repoRoot "publish"
+$buildPath = Join-Path $publishDir "buildtemp-$($version)-$($arch)"
 if (Test-Path $buildPath) {
     Remove-Item -Recurse -Force $buildPath
 }
@@ -164,7 +167,39 @@ Add-CoderSignature $msiOutputPath
     --msi-path $msiOutputPath `
     --logo-png "scripts\files\logo.png"
 if ($LASTEXITCODE -ne 0) { throw "Failed to build bootstrapper" }
-Add-CoderSignature $outputPath
+
+# Sign the bootstrapper, which is not as simple as just signing the exe.
+if ($sign) {
+    $burnIntermediate = Join-Path $publishDir "burn-intermediate-$($version)-$($arch)"
+    New-Item -ItemType Directory -Path $burnIntermediate -Force
+    $burnEngine = Join-Path $publishDir "burn-engine-$($version)-$($arch).exe"
+
+    # Move the current output path
+    $unsignedOutputPath = Join-Path (Split-Path $outputPath -Parent) ("UNSIGNED-" + (Split-Path $outputPath -Leaf))
+    Move-Item $outputPath $unsignedOutputPath
+
+    # Extract the engine from the bootstrapper
+    & wix.exe burn detach $unsignedOutputPath -intermediateFolder $burnIntermediate -engine $burnEngine
+    if ($LASTEXITCODE -ne 0) { throw "Failed to extract engine from bootstrapper" }
+
+    # Sign the engine
+    Add-CoderSignature $burnEngine
+
+    # Re-attach the signed engine to the bootstrapper
+    & wix.exe burn reattach $unsignedOutputPath -intermediateFolder $burnIntermediate -engine $burnEngine -out $outputPath
+    if ($LASTEXITCODE -ne 0) { throw "Failed to re-attach signed engine to bootstrapper" }
+    if (!(Test-Path $outputPath)) { throw "Failed to create reattached bootstrapper at $outputPath" }
+
+    # Now sign the output path
+    Add-CoderSignature $outputPath
+
+    # Clean up the intermediate files
+    if (!$keepBuildTemp) {
+        Remove-Item -Force $unsignedOutputPath
+        Remove-Item -Recurse -Force $burnIntermediate
+        Remove-Item -Force $burnEngine
+    }
+}
 
 if (!$keepBuildTemp) {
     Remove-Item -Recurse -Force $buildPath

scripts/Release.ps1

@@ -29,17 +29,18 @@ foreach ($arch in @("x64", "arm64")) {
       -version $assemblyVersion `
       -arch $arch `
       -msiOutputPath $msiOutputPath `
-      -outputPath $outputPath
+      -outputPath $outputPath `
+      -sign
     if ($LASTEXITCODE -ne 0) { throw "Failed to publish" }
 
     # Verify that the output exe is authenticode signed
-    #$sig = Get-AuthenticodeSignature $outputPath
-    #if ($sig.Status -ne "Valid") {
-    #  throw "Output file is not authenticode signed"
-    #}
-    #else {
-    #  Write-Host "Output file is authenticode signed"
-    #}
+    $sig = Get-AuthenticodeSignature $outputPath
+    if ($sig.Status -ne "Valid") {
+      throw "Output file is not authenticode signed"
+    }
+    else {
+      Write-Host "Output file is authenticode signed"
+    }
   }
   finally {
     Write-Host "::endgroup::"