eng: Remove PFXs from codebase (#2219)

* Squashed commit of the following: commit a7d403386e3df430edf67d89ca23f81313022d2d Author: Tian Liao <tilia@microsoft.com> Date: Mon Aug 12 16:58:30 2024 +0800 remove pfx from ignore list commit 26ffa46d9a92dcbadc9d9d471715fdec10c6f013 Author: Tian Liao <tilia@microsoft.com> Date: Mon Aug 12 16:58:07 2024 +0800 Remove PFXs * fix yaml * fix gh action * fix gh action
2024-08-13 09:52:35 +08:00 · 2024-08-13 09:52:35 +08:00 · b30ece5c03
--- a/.config/CredScanSuppressions.json
+++ b/.config/CredScanSuppressions.json
@ -1,13 +0,0 @@
-{
-    "tool": "Credential Scanner",
-    "suppressions": [
-        {
-            "file": "\\src\\Calculator\\WindowsDev_TemporaryKey.pfx",
-            "_justification": "This is an untrusted, self-signed certificate which is used only during development. Its private key is not intended to be secret."
-        },
-        {
-            "file": "\\src\\CalculatorUnitTests\\WindowsDev_TemporaryKey.pfx",
-            "_justification": "This is an untrusted, self-signed certificate which is used only during development. Its private key is not intended to be secret."
-        }
-    ]
-}
--- a/.github/workflows/action-ci.yml
+++ b/.github/workflows/action-ci.yml
@ -91,6 +91,10 @@ jobs:
      with:
        name: Build-${{ matrix.platform }}
        path: ${{ github.workspace }}/output
+    - uses: actions/upload-artifact@v4
+      with:
+        name: Tools-${{ matrix.platform }}
+        path: ${{ github.workspace }}/build/scripts/SignTestApp.ps1

  unitTests:
    needs: [defineBuilds, build]
@ -107,10 +111,13 @@ jobs:
      with:
        name: Build-${{ matrix.platform }}
        path: ${{ github.workspace }}/download
+    - uses: actions/download-artifact@v4
+      name: Download tools
+      with:
+        name: Tools-${{ matrix.platform }}
+        path: ${{ github.workspace }}/download/tools
    - run: |
-        ${{ env.testDir }}/Add-AppDevPackage.ps1 `
-          -CertificatePath ${{ env.testDir }}/CalculatorUnitTests.cer `
-          -Force
+        ${{ github.workspace }}/download/tools/SignTestApp.ps1 -AppToSign ${{ env.testDir }}/CalculatorUnitTests.msix
      shell: pwsh
      name: Install test certificate
    - uses: ilammy/msvc-dev-cmd@v1  # this is a workaround because microsoft/vstest-action is broken.
@ -131,16 +138,18 @@ jobs:
      with:
        name: Build-x64
        path: ${{ github.workspace }}/download
+    - uses: actions/download-artifact@v4
+      name: Download tools
+      with:
+        name: Tools-x64
+        path: ${{ github.workspace }}/download/tools
    - run: |
        Set-DisplayResolution -Width 1920 -Height 1080 -Force
      shell: pwsh
      name: Set screen resolution
    - run: |
-        ${{ env.appDir }}/Add-AppDevPackage.ps1 `
-          -CertificatePath ${{ env.appDir }}/Calculator*.cer `
-          -Force
-        ${{ env.appDir }}/Add-AppDevPackage.ps1 `
-          -Force
+        ${{ github.workspace }}/download/tools/SignTestApp.ps1 -AppToSign '${{ env.appDir }}/Calculator_*.msixbundle'
+        ${{ env.appDir }}/Add-AppDevPackage.ps1 -Force
      shell: powershell
      name: Install app
    - run: |
--- a/.gitignore
+++ b/.gitignore
@ -200,7 +200,6 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
 *.publishsettings
 orleans.codegen.cs

@ -294,8 +293,6 @@ __pycache__/
 Generated Files/
 src/GraphControl/GraphingImplOverrides.props
 src/CalcViewModel/DataLoaders/DataLoaderConstants.h
-!src/Calculator/WindowsDev_TemporaryKey.pfx
-!src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx
 !src/x64
 !src/x86
 !src/out
--- a/build/pipelines/templates/run-ui-tests.yaml
+++ b/build/pipelines/templates/run-ui-tests.yaml
@ -42,17 +42,10 @@ jobs:
      Calculator/AppPackages/**
      publish/**

-  - task: PowerShell@2
-    displayName: Install certificate
-    inputs:
-      filePath: $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Add-AppDevPackage.ps1
-      arguments: -CertificatePath $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Calculator_$(Build.BuildNumber)_${{ parameters.platform }}.cer -Force
-
-  - task: PowerShell@2
+  - powershell: |
+      $(Build.SourcesDirectory)/build/scripts/SignTestApp.ps1 -AppToSign '$(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_*_Test/Calculator_*.msixbundle'
+      $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_*_Test/Add-AppDevPackage.ps1 -Force
    displayName: Install app
-    inputs:
-      filePath: $(Pipeline.Workspace)/$(DropName)/Calculator/AppPackages/Calculator_$(Build.BuildNumber)_Test/Add-AppDevPackage.ps1
-      arguments: -Force

  - task: VSTest@2
    displayName: Run CalculatorUITests
--- a/build/pipelines/templates/run-unit-tests.yaml
+++ b/build/pipelines/templates/run-unit-tests.yaml
@ -13,18 +13,17 @@ jobs:
    skipComponentGovernanceDetection: true
    UnitTestsDir: $(Pipeline.Workspace)\drop-${{ parameters.platform }}\CalculatorUnitTests\AppPackages\CalculatorUnitTests_Test
  steps:
-  - checkout: none
+  - checkout: self
+    fetchDepth: 1
  
  - download: current
    displayName: Download CalculatorUnitTests
    artifact: drop-${{ parameters.platform }}
    patterns: '**/CalculatorUnitTests_Test/**'

-  - task: PowerShell@2
-    displayName: Install Certificate
-    inputs:
-      filePath: $(UnitTestsDir)\Add-AppDevPackage.ps1
-      arguments: -CertificatePath $(UnitTestsDir)\CalculatorUnitTests.cer -Force
+  - powershell: |
+      $(Build.SourcesDirectory)/build/scripts/SignTestApp.ps1 -AppToSign '$(UnitTestsDir)\CalculatorUnitTests.msix'
+    displayName: Sign unit tests

  - task: VSTest@2
    displayName: Run CalculatorUnitTests
--- a/build/scripts/SignTestApp.ps1
+++ b/build/scripts/SignTestApp.ps1
@ -0,0 +1,33 @@
+#requires -RunAsAdministrator
+param(
+    [Parameter(Position = 0, Mandatory = $true)][string]$AppToSign,
+    [string]$SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\10.*\x64\signtool.exe"
+)
+
+$AppToSign = (Resolve-Path -Path $AppToSign)[-1]
+Write-Host "AppToSign: $AppToSign"
+$SignTool = (Resolve-Path -Path $SignTool)[-1]
+Write-Host "SignTool: $SignTool"
+if ((Test-Path -Path $SignTool -PathType Leaf) -ne $true) {
+    Write-Error "signtool is not found with the given argument: $SignTool" -ErrorAction Stop
+}
+
+$codeSignOid = New-Object -TypeName "System.Security.Cryptography.Oid" -ArgumentList @("1.3.6.1.5.5.7.3.3")
+$oidColl = New-Object -TypeName "System.Security.Cryptography.OidCollection"
+$oidColl.Add($codeSignOid) > $null
+$publisher = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+$certReq = New-Object -TypeName "System.Security.Cryptography.X509Certificates.CertificateRequest" `
+    -ArgumentList @($publisher, ([System.Security.Cryptography.ECDsa]::Create()), "SHA256") 
+$certReq.CertificateExtensions.Add((New-Object -TypeName "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension" `
+            -ArgumentList @($oidColl, $false)))
+$now = Get-Date
+$cert = $certReq.CreateSelfSigned($now, $now.AddHours(1))
+
+$pfxFile = "$($env:TEMP)\$(New-Guid).pfx"
+[System.IO.File]::WriteAllBytes($pfxFile, $cert.Export("Pfx"))
+Write-Host "Exported PFX: $pfxFile"
+
+& $SignTool sign /fd SHA256 /a /f $pfxFile $AppToSign
+Write-Host "Certificate Thumbprint: $($cert.Thumbprint.ToLower())"
+
+Import-PfxCertificate -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' -FilePath $pfxFile > $null
--- a/src/Calculator/Calculator.csproj
+++ b/src/Calculator/Calculator.csproj
@ -24,8 +24,7 @@
    <FileAlignment>512</FileAlignment>
    <ProjectTypeGuids>{A5A43C5B-DE2A-4C0C-9213-0A381AF9435A};{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
    <WindowsXamlEnableOverview>true</WindowsXamlEnableOverview>
-    <AppxPackageSigningEnabled>True</AppxPackageSigningEnabled>
-    <PackageCertificateKeyFile>WindowsDev_TemporaryKey.pfx</PackageCertificateKeyFile>
+    <AppxPackageSigningEnabled>False</AppxPackageSigningEnabled>
    <AppxSymbolPackageEnabled>False</AppxSymbolPackageEnabled>
    <AppxBundle>Always</AppxBundle>
    <GenerateProjectSpecificOutputFolder>true</GenerateProjectSpecificOutputFolder>
@ -817,7 +816,6 @@
  </ItemGroup>
  <ItemGroup>
    <Content Include="Assets\CalculatorIcons.ttf" />
-    <None Include="WindowsDev_TemporaryKey.pfx" />
  </ItemGroup>
  <PropertyGroup Condition=" '$(VisualStudioVersion)' == '' or '$(VisualStudioVersion)' &lt; '14.0' ">
    <VisualStudioVersion>14.0</VisualStudioVersion>
--- a/src/Calculator/WindowsDev_TemporaryKey.pfx
+++ b/src/Calculator/WindowsDev_TemporaryKey.pfx
--- a/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj
+++ b/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj
@ -16,7 +16,6 @@
    <!-- We want to automatic replace of MinVersion/MaxVersionTested for unit tests. -->
    <AppxOSMinVersionReplaceManifestVersion>true</AppxOSMinVersionReplaceManifestVersion>
    <AppxOSMaxVersionTestedReplaceManifestVersion>true</AppxOSMaxVersionTestedReplaceManifestVersion>
-    <PackageCertificateKeyFile>WindowsDev_TemporaryKey.pfx</PackageCertificateKeyFile>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemGroup Label="ProjectConfigurations">
@ -289,9 +288,6 @@
      <Project>{cc9b4fa7-d746-4f52-9401-0ad1b4d6b16d}</Project>
    </ProjectReference>
  </ItemGroup>
-  <ItemGroup>
-    <None Include="WindowsDev_TemporaryKey.pfx" />
-  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
--- a/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj.filters
+++ b/src/CalculatorUnitTests/CalculatorUnitTests.vcxproj.filters
@ -79,7 +79,4 @@
      <UniqueIdentifier>{d3ec8922-022d-4531-8744-f65a872f3841}</UniqueIdentifier>
    </Filter>
  </ItemGroup>
-  <ItemGroup>
-    <None Include="WindowsDev_TemporaryKey.pfx" />
-  </ItemGroup>
 </Project>
--- a/src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx
+++ b/src/CalculatorUnitTests/WindowsDev_TemporaryKey.pfx