build: build the Machine and User installers at the same time #42888
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| - ${{ if eq(parameters.codeSign, true) }}: | ||
| - template: steps-esrp-signing.yml | ||
| - template: steps-esrp-sign-files-authenticode.yml |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| wix msi decompile $(InstallerUserRoot)\$(InstallerUserBasename).msi -x $(build.sourcesdirectory)\extractedUserMsi | ||
| dir $(build.sourcesdirectory)\extractedMachineMsi | ||
| dir $(build.sourcesdirectory)\extractedUserMsi | ||
| displayName: "WiX5: Extract and verify MSIs" |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| git clean -xfd ./extractedMachineMsi ./extractedUserMsi | ||
| displayName: Verify all binaries are signed and versioned | ||
| - template: steps-esrp-sign-files-authenticode.yml |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| - template: steps-esrp-sign-files-authenticode.yml | ||
| parameters: | ||
| displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign VNext MSI | ||
| displayName: Sign VNext MSIs |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| displayName: "WiX5: Extract Engines from Bundles" | ||
| - template: steps-esrp-signing.yml | ||
| - template: steps-esrp-sign-files-authenticode.yml |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| & git clean -fdx installer\ba | ||
| displayName: "WiX5: Verify Bootstrapper content is signed" | ||
| - template: steps-esrp-sign-files-authenticode.yml |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| - template: steps-esrp-sign-files-authenticode.yml | ||
| parameters: | ||
| displayName: ${{replace(replace(parameters.buildUserInstaller,'True','👤'),'False','💻')}} Sign Final Bootstrapper | ||
| displayName: Sign Final Bootstrappers |
Check failure
Code scanning / check-spelling
Unrecognized Spelling
| @@ -0,0 +1,45 @@ | |||
| parameters: | |||
Check failure
Code scanning / check-spelling
Check File Path
| @@ -0,0 +1,45 @@ | |||
| parameters: | |||
There was a problem hiding this comment.
This is a simple wrapper around ESRP signing for the kind of signing we do most often. It just makes the code shorter to not have the inline sign params 300 times
This pull request removes the separate build step for producing the user installer and merges the generation of both installers.
Considering that the installers share almost all of the same components and that it takes ~45 minutes to build just one installer (most of the time is spent doing code signing), it seemed ripe for optimization.
The installer build now runs in three chunks:
After each step, all newly-generated content is batch signed. This cuts the number of slow code signing calls by half.
In doing this, I took the opportunity to add another code signing validation step to ensure that the bootstrapper contents are signed. We missed that, and now we will not miss it. That will hopefully prevent us from shipping another bootstrapper with an unsigned BA handler and catch if the build regresses and starts to overwrite already-signed DLLs.
I had to change the component generator to remove its special handling of the user/machine switch. Did you know that all it did was replace HKLM with HKCU in every component? We already had a WiX variable for that. The script was doing tons of unnecessary work and making it look like the components differed between the two, when they in truth do not.
I have not yet tried tackling the wxs code generator, which is frankly terrible. It generates new wxs files in a random build (the support DLLs) and then occasionally deletes them and restores them (after the MSI build). This is untenable, but we will survive.