windows release: build, sign, and publish

Add the Windows release process to:

1. Build and sign the payload
2. Use the signed payload to build and sign the user and system installers
3. Publish the signed installers, payload, and symbols

This change also removes the no-longer-needed Payload.Windows project and
removes the 'core' suffix from the Windows installers.

Author: ldennington

.github/workflows/continuous-integration.yml

@@ -42,4 +42,4 @@ jobs:
       run: dotnet build --configuration MacRelease
 
     - name: Test
-      run: dotnet test --no-restore --verbosity normal
+      run: dotnet test --verbosity normal

.github/workflows/release.yml

@@ -237,4 +237,121 @@ jobs:
       uses: actions/upload-artifact@v3
       with:
         name: osx-sign
-        path: signed/*.pkg
+        path: signed/*.pkg
+
+# ================================
+#              Windows
+# ================================
+  win-sign:
+    name: Build and Sign Windows
+    runs-on: windows-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0 # Indicate full history so Nerdbank.GitVersioning works.
+
+    - name: Set up dotnet
+      uses: actions/setup-dotnet@v2
+      with:
+        dotnet-version: 6.0.201
+
+    # Install Nerdbank.GitVersioning
+    - uses: dotnet/nbgv@master
+      with:
+        setCommonVars: true
+    
+    - name: Install dependencies
+      run: dotnet restore
+
+    - name: Build
+      run: |
+        dotnet build --configuration=WindowsRelease
+
+    - name: Run Windows unit tests
+      run: |
+        dotnet test --configuration=WindowsRelease
+
+    - name: Lay out Windows payload and symbols
+      shell: pwsh
+      run: |
+        cd src/windows/Installer.Windows/
+        ./layout.ps1 -Configuration WindowsRelease -Output payload -SymbolOutput symbols
+        mkdir unsigned-payload
+        Get-ChildItem -Path payload/* -Include *.exe, *.dll | Move-Item -Destination unsigned-payload
+
+    - uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+    
+    - name: Set up ESRP client
+      shell: pwsh
+      env:
+        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
+        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+      run: |
+        .github\set_up_esrp.ps1
+    
+    - name: Run ESRP client for unsigned payload
+      shell: pwsh
+      env:
+        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
+        # We temporarily need two AAD IDs, as we're using an SSL certificate associated
+        # with an older App Registration until we have the required hardware to approve
+        # the new certificate in SSL Admin.
+        AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
+        WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }}
+        WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }}
+      run: |
+        python .github\run_esrp_signing.py `
+          src/windows/Installer.Windows/unsigned-payload `
+          $env:WINDOWS_KEY_CODE $env:WINDOWS_OP_CODE `
+          --params 'OpusName' 'Microsoft' `
+          'OpusInfo' 'http://www.microsoft.com' `
+          'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' `
+          'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256'
+    
+    - name: Lay out signed payload
+      shell: pwsh
+      run: |
+        mkdir signed-payload
+        Move-Item -Path signed/* -Destination signed-payload
+        # ESRP will not sign the *.exe.config or NOTICE files, but they are needed to build the installers.
+        # Due to this, we copy them after signing.
+        Get-ChildItem -Path src/windows/Installer.Windows/payload/* -Include *.exe.config, NOTICE | Move-Item -Destination signed-payload
+        Remove-Item signed -Recurse -Force
+
+    - name: Build with signed payload
+      shell: pwsh
+      run: |
+        dotnet build src/windows/Installer.Windows /p:PayloadPath=$env:GITHUB_WORKSPACE/signed-payload /p:NoLayout=true --configuration=WindowsRelease
+  
+    - name: Run ESRP client for installers
+      shell: pwsh
+      env:
+        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
+        # We temporarily need two AAD IDs, as we're using an SSL certificate associated
+        # with an older App Registration until we have the required hardware to approve
+        # the new certificate in SSL Admin.
+        AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
+        WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }}
+        WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }}
+      run: |
+        python .github\run_esrp_signing.py `
+          .\out\windows\Installer.Windows\bin\WindowsRelease\net472 `
+          $env:WINDOWS_KEY_CODE `
+          $env:WINDOWS_OP_CODE `
+          --params 'OpusName' 'Microsoft' `
+          'OpusInfo' 'http://www.microsoft.com' `
+          'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' `
+          'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256'
+    
+    - name: Publish final artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: win-sign
+        path: |
+          signed
+          signed-payload
+          src/windows/Installer.Windows/symbols

Git-Credential-Manager.sln

@@ -31,8 +31,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Installer.Mac", "src\osx\In
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Installer.Windows", "src\windows\Installer.Windows\Installer.Windows.csproj", "{85903170-9E52-4B53-A6E4-3F416F684FAE}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Payload.Windows", "src\windows\Payload.Windows\Payload.Windows.csproj", "{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}"
-EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Atlassian.Bitbucket", "src\shared\Atlassian.Bitbucket\Atlassian.Bitbucket.csproj", "{B49881A6-E734-490E-8EA7-FB0D9E296CFB}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Atlassian.Bitbucket.Tests", "src\shared\Atlassian.Bitbucket.Tests\Atlassian.Bitbucket.Tests.csproj", "{025E5329-A0B1-4BA9-9203-B70B44A5F9E0}"
@@ -229,16 +227,6 @@ Global
 		{85903170-9E52-4B53-A6E4-3F416F684FAE}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
 		{85903170-9E52-4B53-A6E4-3F416F684FAE}.LinuxDebug|Any CPU.ActiveCfg = Debug|Any CPU
 		{85903170-9E52-4B53-A6E4-3F416F684FAE}.LinuxRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.MacDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.MacRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.WindowsDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.WindowsDebug|Any CPU.Build.0 = Debug|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.WindowsRelease|Any CPU.ActiveCfg = Release|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.WindowsRelease|Any CPU.Build.0 = Release|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.LinuxDebug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549}.LinuxRelease|Any CPU.ActiveCfg = Release|Any CPU
 		{B49881A6-E734-490E-8EA7-FB0D9E296CFB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{B49881A6-E734-490E-8EA7-FB0D9E296CFB}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{B49881A6-E734-490E-8EA7-FB0D9E296CFB}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -499,7 +487,6 @@ Global
 		{3D279E2D-E011-45CF-8EA8-3D71D1300443} = {A7FC1234-95E3-4496-B5F7-4306F41E6A0E}
 		{74FA0AA4-B5C1-4F3B-B182-277FC2D50715} = {3D279E2D-E011-45CF-8EA8-3D71D1300443}
 		{85903170-9E52-4B53-A6E4-3F416F684FAE} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
-		{8DBBAB0A-970D-4BE3-958C-8CDC92F76549} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}
 		{B49881A6-E734-490E-8EA7-FB0D9E296CFB} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{025E5329-A0B1-4BA9-9203-B70B44A5F9E0} = {D5277A0E-997E-453A-8CB9-4EFCC8B16A29}
 		{2B3CD8FF-84A6-4B53-A28B-D7A75B0AB4D7} = {66722747-1B61-40E4-A89B-1AC8E6D62EA9}

README.md

@@ -176,11 +176,11 @@ Installing GCM as a standalone package on Windows will forcibly override the ver
 
 There are two flavors of standalone installation on Windows:
 
-- User (preferred) (`gcmcoreuser-win*`):
+- User (preferred) (`gcmuser-win*`):
 
   Does not require administrator rights. Will install only for the current user and updates only the current user's Git configuration.
 
-- System (`gcmcore-win*`):
+- System (`gcm-win*`):
 
   Requires administrator rights. Will install for all users on the system and update the system-wide Git configuration.
 

src/windows/Installer.Windows/Installer.Windows.csproj

@@ -5,51 +5,29 @@
   <PropertyGroup>
     <TargetFramework>net472</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
-    <PayloadPath>$(PlatformOutPath)Payload.Windows\bin\$(Configuration)\net472\win-x86</PayloadPath>
     <EnableDefaultItems>false</EnableDefaultItems>
+    <PayloadPath>$(PlatformOutPath)Installer.Windows\bin\$(Configuration)\net472\win-x86</PayloadPath>
   </PropertyGroup>
 
   <ItemGroup>
     <None Include="Setup.iss" />
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="../Payload.Windows/Payload.Windows.csproj" ReferenceOutputAssembly="false" />
-  </ItemGroup>
-
   <ItemGroup>
     <PackageReference Include="Tools.InnoSetup" Version="6.0.5" />
-    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0">
-      <PrivateAssets>all</PrivateAssets>
-    </PackageReference>
   </ItemGroup>
 
-  <!-- Since the installer file name includes the generated build number from Nerdbank.GitVersioning
-       we must create the FilesToSign item inside of a target that depends on GetBuildVersion and runs
-       before we attempt to sign any files or validate they exist. -->
-  <Target Name="CreateFilesToSignItems" DependsOnTargets="GetBuildVersion" BeforeTargets="PrepareForRun">
-    <ItemGroup>
-      <FilesToSign Include="$(OutDir)gcmcore*-win-x86-$(BuildVersionSimple).exe">
-        <Authenticode>Microsoft400</Authenticode>
-        <InProject>false</InProject>
-      </FilesToSign>
-    </ItemGroup>
-  </Target>
-
   <!-- Implicit SDK targets import (so we can override the default targets below) -->
   <Import Project="Sdk.targets" Sdk="Microsoft.NET.Sdk" />
 
-  <!-- Check all the files to sign exist -->
-  <Target Name="ValidateSigningDependencies" AfterTargets="PrepareForRun" Inputs="@(FilesToSign)" Outputs="$(OutDir)validatesign.timestamp">
-    <Error Text="File to sign not found: %(FilesToSign.Identity)" Condition="!Exists('%(FilesToSign.Identity)')" />
-    <WriteLinesToFile File="$(OutDir)validatesign.timestamp" Lines="@(FilesToSign)" Overwrite="true" />
-  </Target>
-
   <Target Name="CoreCompile" Condition="'$(OSPlatform)'=='windows'">
     <PropertyGroup>
       <InnoSetupCommandSystem>"$(NuGetPackageRoot)Tools.InnoSetup\6.0.5\tools\ISCC.exe" /DPayloadDir="$(PayloadPath)" /DInstallTarget=system "$(RepoSrcPath)\windows\Installer.Windows\Setup.iss" /O"$(OutputPath)"</InnoSetupCommandSystem>
       <InnoSetupCommandUser>"$(NuGetPackageRoot)Tools.InnoSetup\6.0.5\tools\ISCC.exe" /DPayloadDir="$(PayloadPath)" /DInstallTarget=user "$(RepoSrcPath)\windows\Installer.Windows\Setup.iss" /O"$(OutputPath)"</InnoSetupCommandUser>
     </PropertyGroup>
+
+    <Message Text="Lay Out" Importance="High" />
+    <Exec Condition="'$(NoLayout)'!='true'" Command="powershell.exe –NonInteractive –ExecutionPolicy Unrestricted -Command &quot;&amp; {&amp;'$(MSBuildProjectDirectory)\layout.ps1' -Configuration '$(Configuration)' -Output '$(PayloadPath)'}&quot;" />
     <Message Text="$(InnoSetupCommandSystem)" Importance="High" />
     <Exec Command="$(InnoSetupCommandSystem)" />
     <Message Text="$(InnoSetupCommandUser)" Importance="High" />

src/windows/Installer.Windows/Setup.iss

@@ -18,12 +18,12 @@
 #if InstallTarget == "user"
   #define GcmAppId "{{aa76d31d-432c-42ee-844c-bc0bc801cef3}}"
   #define GcmLongName "Git Credential Manager (User)"
-  #define GcmSetupExe "gcmcoreuser"
+  #define GcmSetupExe "gcmuser"
   #define GcmConfigureCmdArgs ""
 #elif InstallTarget == "system"
   #define GcmAppId "{{fdfae50a-1bc1-4ead-9228-1e1c275e8d12}}"
   #define GcmLongName "Git Credential Manager"
-  #define GcmSetupExe "gcmcore"
+  #define GcmSetupExe "gcm"
   #define GcmConfigureCmdArgs "--system"
 #else
   #error Installer target property 'InstallTarget' must be 'user' or 'system'

src/windows/Installer.Windows/layout.ps1

@@ -0,0 +1,67 @@
+# Inputs
+param ([Parameter(Mandatory)] $CONFIGURATION, [Parameter(Mandatory)] $OUTPUT, $SYMBOLOUTPUT)
+
+Write-Output "Output: $OUTPUT"
+
+# Directories
+$THISDIR = $pwd.path
+$ROOT = (Get-Item $THISDIR).parent.parent.parent.FullName
+$SRC = "$ROOT/src"
+$GCM_SRC = "$SRC/shared/Git-Credential-Manager"
+$BITBUCKET_UI_SRC = "$SRC/windows/Atlassian.Bitbucket.UI.Windows"
+$GITHUB_UI_SRC = "$SRC/windows/GitHub.UI.Windows"
+$GITLAB_UI_SRC = "$SRC/windows/GitLab.UI.Windows"
+
+# Perform pre-execution checks
+$PAYLOAD = "$OUTPUT"
+if ($SYMBOLOUTPUT)
+{
+    $SYMBOLS = "$SYMBOLOUTPUT"
+} else {
+    $SYMBOLS = "$PAYLOAD.sym"
+}
+
+# Clean up any old payload and symbols directories
+if (Test-Path -Path $PAYLOAD)
+{
+    Write-Output "Cleaning old payload directory '$PAYLOAD'..."
+    Remove-Item -Recurse "$PAYLOAD" -Force
+}
+
+if (Test-Path -Path $SYMBOLS)
+{
+    Write-Output "Cleaning old symbols directory '$SYMBOLS'..."
+    Remove-Item -Recurse "$SYMBOLS" -Force
+}
+
+# Ensure payload and symbol directories exist
+mkdir -p "$PAYLOAD","$SYMBOLS"
+
+# Publish core application executables
+Write-Output "Publishing core application..."
+dotnet publish "$GCM_SRC" `
+    --framework net472 `
+	--configuration "$CONFIGURATION" `
+	--runtime win-x86 `
+	--output "$PAYLOAD"
+
+Write-Output "Publishing Bitbucket UI helper..."
+dotnet publish "$BITBUCKET_UI_SRC" `
+	--configuration "$CONFIGURATION" `
+	--output "$PAYLOAD" 
+
+Write-Output "Publishing GitHub UI helper..."
+dotnet publish "$GITHUB_UI_SRC" `
+	--configuration "$CONFIGURATION" `
+	--output "$PAYLOAD" 
+
+Write-Output "Publishing GitLab UI helper..."
+dotnet publish "$GITLAB_UI_SRC" `
+	--configuration "$CONFIGURATION" `
+	--output "$PAYLOAD" 
+
+# Collect symbols
+Write-Output "Collecting managed symbols..."
+Move-Item -Path "$PAYLOAD/*.pdb" -Destination "$SYMBOLS"
+
+Write-Output "Layout complete."