diff --git a/build/windows/store/3_dist-gimp-winsdk.ps1 b/build/windows/store/3_dist-gimp-winsdk.ps1
index 93e9a3162e..df547117ec 100644
--- a/build/windows/store/3_dist-gimp-winsdk.ps1
+++ b/build/windows/store/3_dist-gimp-winsdk.ps1
@@ -353,8 +353,13 @@ if (-not $GITLAB_CI -and $wack -eq 'WACK')
 if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
 {
 Write-Output "$([char]27)[0Ksection_start:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}[collapsed=true]$([char]13)$([char]27)[0KSelf-signing $MSIX_ARTIFACT (for testing purposes)"
- signtool sign /debug /fd sha256 /a /f build\windows\store\pseudo-gimp.pfx /p eek $MSIX_ARTIFACT
- Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse
+ signtool sign /debug /fd sha256 /a /f $(Resolve-Path build\windows\store\pseudo-gimp*.pfx) /p eek $MSIX_ARTIFACT
+ if ("$LASTEXITCODE" -gt '0' -or "$?" -eq 'False')
+ {
+ ## We need to manually check failures in pre-7.4 PS
+ exit 1
+ }
+ Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx -Recurse
 Write-Output "$([char]27)[0Ksection_end:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}$([char]13)$([char]27)[0K"
 }
@@ -367,7 +372,7 @@ if ($GITLAB_CI)
 Move-Item $MSIX_ARTIFACT $output_dir
 if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
 {
- Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination $output_dir
+ Copy-Item pseudo-gimp.pfx $output_dir
 }
 # Generate checksums in common "sha*sum" format
diff --git a/build/windows/store/README.md b/build/windows/store/README.md
index 02817c3da1..503bcc7d4b 100644
--- a/build/windows/store/README.md
+++ b/build/windows/store/README.md
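Review bot: The wildcard `pseudo-gimp*.pfx` in the new `signtool sign` and `Copy-Item` lines is not pinned to a single file, so once a second yearly .pfx sits next to `pseudo-gimp_2024.pfx` (the README procedure names files by year and does not say to delete the old one) `Resolve-Path` returns several paths, and the package may be signed with one certificate while a different one is copied to `pseudo-gimp.pfx`. Resolve the file once and reuse it, e.g. `$pfx = Get-ChildItem build\windows\store\pseudo-gimp*.pfx | Sort-Object Name | Select-Object -Last 1`, then `/f $pfx.FullName` and `Copy-Item $pfx.FullName pseudo-gimp.pfx`. The added exit check also compares strings (`"$LASTEXITCODE" -gt '0'`), so it orders lexically rather than numerically; `$LASTEXITCODE -ne 0` states the intent directly. The enclosing `if (-not $GITLAB_CI -and $wack -eq 'WACK')` context starts outside the hunk.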
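Review bot: The `.pfx` that `Copy-Item pseudo-gimp.pfx $output_dir` publishes next to the test package carries the private key, and its password (`eek`) is visible in the script and README, so any party can produce packages that validate against this certificate. That is acceptable for a throwaway test certificate, but a comment on this line should say so, for example `# Test-only cert: key and password are public; trust it only on disposable test machines and remove it afterwards`. If testers only need to trust the signature, publishing the public `.cer` exported from the .pfx would presumably be enough. The enclosing `if ($GITLAB_CI)` block starts and ends outside the hunk.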
@@ -20,10 +20,25 @@ Base rule to update the "GIMP (Preview)" entry:
 Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will add the generated .msixupload and on 'Store listings' the brief changelog.
-If the .msix* starts to be refused to certification or to signing,
+If the .msix* starts to be refused to certification or to self-signing,
 run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it still complies with the latest Windows policies. Make sure to update WinSDK.
+If the .msix* starts to be refused to self-signing due to the .pfx file, then
+generate a new one with the commands below and commit it to this dir.
+
+```pwsh
+$pseudo_gimp = "pseudo-gimp_$(Get-Date -Format yyyy)"
+```
+
+```pwsh
+New-SelfSignedCertificate -Type Custom -Subject "$(([xml](Get-Content build\windows\store\AppxManifest.xml)).Package.Identity.Publisher)" -KeyUsage DigitalSignature -FriendlyName "$pseudo_gimp" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
+```
+
+```pwsh
+Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$(Get-ChildItem Cert:\CurrentUser\My | Where-Object FriendlyName -EQ "$pseudo_gimp" | Select-Object -ExpandProperty Thumbprint)" -FilePath "${pseudo_gimp}.pfx" -Password (ConvertTo-SecureString -String eek -Force -AsPlainText)
+```
+
 ## Versioning the MSIX
 * Every new .msixupload submission (with different content) needs a bumped version.
diff --git a/build/windows/store/pseudo-gimp.pfx b/build/windows/store/pseudo-gimp.pfx
deleted file mode 100644
index e9b749b614..0000000000
Binary files a/build/windows/store/pseudo-gimp.pfx and /dev/null differ
diff --git a/build/windows/store/pseudo-gimp_2024.pfx b/build/windows/store/pseudo-gimp_2024.pfx
new file mode 100644
index 0000000000..b0dcf62f5e
Binary files /dev/null and b/build/windows/store/pseudo-gimp_2024.pfx differ