Sign Powershell scripts for VS (#451)

* Sign Powershell scripts * Rename PublishLocation to PublishTo, as requested by Nicole. * Avoid running NuGet pack if we aren't going to publish * Explain 'signing type'. * Ensure the signed ps1s are in all standalone bundle forms. * Move scripts so that they don't need to be moved again, and publish as part of github releases. * typo * Also fix paths in arch-independent-signing.signproj. * Remove 'scripts' directory name before signing. * Create staging directory. * Reference parameters the right way. * Attempt to reference parameters the right way again. * Always make the nupkg even when test signing. Co-authored-by: Billy Robert O'Neal III <bion@microsoft.com>
2022-03-30 14:26:49 -07:00 · 2022-03-30 14:26:49 -07:00 · 692785ac94
--- a/azure-pipelines/arch-independent-signing.signproj
+++ b/azure-pipelines/arch-independent-signing.signproj
@ -24,6 +24,15 @@
    <FilesToSign Include="$(IntermediateOutputPath)\vcpkg-init.ps1">
      <Authenticode>Microsoft400</Authenticode>
    </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\applocal.ps1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\addPoshVcpkgToPowershellProfile.ps1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\posh-vcpkg.psm1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
  </ItemGroup>

  <ImportGroup Label="ExtensionTargets">
--- a/azure-pipelines/signing.yml
+++ b/azure-pipelines/signing.yml
@ -6,7 +6,7 @@ trigger: none

 parameters:
 - name: SignTypeOverride
-  displayName: Signing Type Override
+  displayName: Signing Type (default is real for the main branch and test otherwise)
  type: string
  default: default
  values:
@ -17,7 +17,13 @@ parameters:
  displayName: vcpkg Base Version (default is today's date in ISO 8601)
  type: string
  default: default
-
+- name: PublishTo
+  displayName: 'Publish To'
+  type: string
+  default: 'GitHub and NuGet'
+  values:
+  - 'GitHub and NuGet'
+  - 'NuGet Only'
 variables:
  - name: TeamName
    value: vcpkg
@ -93,6 +99,9 @@ jobs:
    - script: mkdir "$(Build.BinariesDirectory)\ce" && rush deploy -t "$(Build.BinariesDirectory)\ce"
      displayName: Collect vcpkg-ce Dependencies
      workingDirectory: ce
+    - script: |
+        xcopy /F "$(Build.SourcesDirectory)/scripts" "$(Build.BinariesDirectory)"
+      displayName: Collect PowerShell scripts
    - task: ComponentGovernanceComponentDetection@0
      displayName: Detect Components
      inputs:
@ -123,7 +132,7 @@ jobs:
      inputs:
        solution: 'azure-pipelines\arch-independent-signing.signproj'
        msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\'
-      # Note that signing must happen before packing step because the packs contain files that are themselves signed.
+      # Note that signing must happen before packing steps because the packs contain files that are themselves signed.
    - script: |
        copy "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init.cmd"
      displayName: 'Duplicate Install Scripts'
@ -132,7 +141,7 @@ jobs:
      inputs:
        pwsh: true
        filePath: vcpkg-init/mint-standalone-bundle.ps1
-        arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp "$(Build.BinariesDirectory)\vcpkg-init.cmd" "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init"'
+        arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -SignedFilesRoot "$(Build.BinariesDirectory)"'
    - script: npm pack
      displayName: Create vcpkg-ce Pack
      workingDirectory: $(Build.BinariesDirectory)/ce
@ -143,6 +152,9 @@ jobs:
        move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init"
        move "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1"
        move "$(Build.BinariesDirectory)\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd"
+        move "$(Build.BinariesDirectory)\applocal.ps1" "$(Build.ArtifactStagingDirectory)\staging\applocal.ps1"
+        move "$(Build.BinariesDirectory)\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\staging\addPoshVcpkgToPowershellProfile.ps1"
+        move "$(Build.BinariesDirectory)\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\staging\posh-vcpkg.psm1"
      displayName: 'Arrange Architecture-independent Files for Staging'
    - task: Powershell@2
      displayName: Generate Arch-independent SHA512s
@ -325,7 +337,7 @@ jobs:
      inputs:
        pwsh: true
        filePath: vcpkg-init/mint-standalone-bundle.ps1
-        arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -readonly -TempDir standalone-temp'
+        arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -readonly -TempDir standalone-temp -SignedFilesRoot "$(Build.ArtifactStagingDirectory)\staging"'
    - task: CmdLine@2
      displayName: 'Arrange Drop'
      inputs:
@ -336,6 +348,9 @@ jobs:
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init"
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd"
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1"
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-ce.tgz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-ce.tgz"
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc"
          move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc"
@ -372,6 +387,12 @@ jobs:
      inputs:
        command: custom
        arguments: 'pack $(Build.ArtifactStagingDirectory)/vs-insertion/staging/vcpkg.nuspec -NoDefaultExcludes -OutputDirectory "$(Build.ArtifactStagingDirectory)/vs-insertion/drop" -Properties version=$(VCPKG_BASE_VERSION)'
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish nupkg as Artifact'
+      inputs:
+        PathtoPublish: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop'
+        ArtifactName: 'vs-insertion'
+        publishLocation: 'Container'
    # Do compliance checks.
    - task: BinSkim@3
      inputs:
@ -433,40 +454,41 @@ jobs:
        packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.x86.1.0.0-$(VCPKG_BASE_VERSION).nupkg'
        publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010'
    # Publish everything to a GitHub Release
-    - task: DownloadSecureFile@1
-      displayName: Download Deploy Key
-      name: githubDeployKey
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      inputs:
-        secureFile: id_vcpkg_tool
-    # GitHub has a large, regularly changing set of IP address, so ignore the
-    # hostname and allow anything with the right key.
-    # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses
-    # This public key should have the well-known fingerprint documented below.
-    # SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
-    # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
-    - script: mkdir %USERPROFILE%\.ssh && echo * ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==>>%USERPROFILE%\.ssh\known_hosts
-      displayName: Store GitHub Public Key
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-    - script: git -c user.email=embeddedbot@microsoft.com -c user.name="Embedded Bot" push git@github.com:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION%
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      env:
-        GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)"
-      displayName: Push Release Tag
-    - task: GitHubRelease@0
-      displayName: Publish GitHub Release
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      inputs:
-        gitHubConnection: embeddedbot
-        repositoryName: microsoft/vcpkg-tool
-        isPreRelease: true
-        isDraft: true
-        title: $(VCPKG_BASE_VERSION) Release
-        tagSource: manual
-        tag: $(VCPKG_BASE_VERSION)
-        assets: "$(Build.ArtifactStagingDirectory)\\drop\\*"
-        addChangeLog: true
-        compareWith: 'lastFullRelease'
+    - ${{ if eq(parameters.PublishTo, 'GitHub and NuGet') }}:
+      - task: DownloadSecureFile@1
+        displayName: Download Deploy Key
+        name: githubDeployKey
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        inputs:
+          secureFile: id_vcpkg_tool
+      # GitHub has a large, regularly changing set of IP address, so ignore the
+      # hostname and allow anything with the right key.
+      # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses
+      # This public key should have the well-known fingerprint documented below.
+      # SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
+      # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+      - script: mkdir %USERPROFILE%\.ssh && echo * ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==>>%USERPROFILE%\.ssh\known_hosts
+        displayName: Store GitHub Public Key
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+      - script: git -c user.email=embeddedbot@microsoft.com -c user.name="Embedded Bot" push git@github.com:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION%
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        env:
+          GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)"
+        displayName: Push Release Tag
+      - task: GitHubRelease@0
+        displayName: Publish GitHub Release
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        inputs:
+          gitHubConnection: embeddedbot
+          repositoryName: microsoft/vcpkg-tool
+          isPreRelease: true
+          isDraft: true
+          title: $(VCPKG_BASE_VERSION) Release
+          tagSource: manual
+          tag: $(VCPKG_BASE_VERSION)
+          assets: "$(Build.ArtifactStagingDirectory)\\drop\\*"
+          addChangeLog: true
+          compareWith: 'lastFullRelease'
    - task: MicroBuildCleanup@1
      condition: succeededOrFailed()
      displayName: MicroBuild Cleanup
--- a/scripts/addPoshVcpkgToPowershellProfile.ps1
+++ b/scripts/addPoshVcpkgToPowershellProfile.ps1
@ -0,0 +1,56 @@
+[CmdletBinding()]
+param()
+
+function findExistingImportModuleDirectives([Parameter(Mandatory=$true)][string]$path)
+{
+    if (!(Test-Path $path))
+    {
+        return
+    }
+
+    $fileContents = Get-Content $path
+    $fileContents -match 'Import-Module.+?(?=posh-vcpkg)'
+    return
+}
+
+$scriptsDir = split-path -parent $script:MyInvocation.MyCommand.Definition
+
+$profileEntry = "Import-Module '$scriptsDir\posh-vcpkg'"
+$profilePath = $PROFILE # Implicit PowerShell variable
+$profileDir = Split-Path $profilePath -Parent
+if (!(Test-Path $profileDir))
+{
+    New-Item -ItemType Directory -Path $profileDir | Out-Null
+}
+
+Write-Host "`nAdding the following line to ${profilePath}:"
+Write-Host "    $profileEntry"
+
+# @() Needed to force Array in PowerShell 2.0
+[Array]$existingImports = @(findExistingImportModuleDirectives $profilePath)
+if ($existingImports.Count -gt 0)
+{
+    $existingImportsOut = $existingImports -join "`n    "
+    Write-Host "`nposh-vcpkg is already imported to your PowerShell profile. The following entries were found:"
+    Write-Host "    $existingImportsOut"
+    Write-Host "`nPlease make sure you have started a new PowerShell window for the changes to take effect."
+    return
+}
+
+# Modifying the profile will invalidate any signatures.
+# Posh-git does the following check, so we should too.
+# https://github.com/dahlbyk/posh-git/blob/master/src/Utils.ps1
+# If the profile script exists and is signed, then we should not modify it
+if (Test-Path $profilePath)
+{
+    $sig = Get-AuthenticodeSignature $profilePath
+    if ($null -ne $sig.SignerCertificate)
+    {
+        Write-Warning "Skipping add of posh-vcpkg import to profile; '$profilePath' appears to be signed."
+        Write-Warning "Please manually add the line '$profileEntry' to your profile and resign it."
+        return
+    }
+}
+
+Add-Content $profilePath -Value "`n$profileEntry" -Encoding UTF8
+Write-Host "`nSuccessfully added posh-vcpkg to your PowerShell profile. Please start a new PowerShell window for the changes to take effect."
--- a/scripts/applocal.ps1
+++ b/scripts/applocal.ps1
@ -0,0 +1,163 @@
+[cmdletbinding()]
+param([string]$targetBinary, [string]$installedDir, [string]$tlogFile, [string]$copiedFilesLog)
+
+$g_searched = @{}
+# Note: installedDir is actually the bin\ directory.
+$g_install_root = Split-Path $installedDir -parent
+$g_is_debug = (Split-Path $g_install_root -leaf) -eq 'debug'
+
+# Ensure we create the copied files log, even if we don't end up copying any files
+if ($copiedFilesLog)
+{
+    Set-Content -Path $copiedFilesLog -Value "" -Encoding UTF8
+}
+
+function computeHash([System.Security.Cryptography.HashAlgorithm]$alg, [string]$str) {
+    $bytes = [System.Text.Encoding]::UTF8.GetBytes($str)
+    $hash = $alg.ComputeHash($bytes)
+    return [Convert]::ToBase64String($hash)
+}
+
+function getMutex([string]$targetDir) {
+    try {
+        $sha512Hash = [System.Security.Cryptography.SHA512]::Create()
+        if ($sha512Hash) {
+            $hash = (computeHash $sha512Hash $targetDir) -replace ('/' ,'-')
+            $mtxName = "VcpkgAppLocalDeployBinary-" + $hash
+            return New-Object System.Threading.Mutex($false, $mtxName)
+        }
+
+        return New-Object System.Threading.Mutex($false, "VcpkgAppLocalDeployBinary")
+    }
+    catch {
+        Write-Error -Message $_ -ErrorAction Stop
+    }
+}
+
+# Note: this function signature is depended upon by the qtdeploy.ps1 script introduced in 5.7.1-7
+function deployBinary([string]$targetBinaryDir, [string]$SourceDir, [string]$targetBinaryName) {
+    try {
+        $mtx = getMutex($targetBinaryDir)
+        if ($mtx) {
+            $mtx.WaitOne() | Out-Null
+        }
+
+        $sourceBinaryFilePath = Join-Path $SourceDir $targetBinaryName
+        $targetBinaryFilePath = Join-Path $targetBinaryDir $targetBinaryName
+        if (Test-Path $targetBinaryFilePath) {
+            $sourceModTime = (Get-Item $sourceBinaryFilePath).LastWriteTime
+            $destModTime = (Get-Item $targetBinaryFilePath).LastWriteTime
+            if ($destModTime -lt $sourceModTime) {
+                Write-Verbose "  ${targetBinaryName}: Updating from $sourceBinaryFilePath"
+                Copy-Item $sourceBinaryFilePath $targetBinaryDir
+            } else {
+                Write-Verbose "  ${targetBinaryName}: already present"
+            }
+        }
+        else {
+            Write-Verbose "  ${targetBinaryName}: Copying $sourceBinaryFilePath"
+            Copy-Item $sourceBinaryFilePath $targetBinaryDir
+        }
+        if ($copiedFilesLog) { Add-Content $copiedFilesLog $targetBinaryFilePath -Encoding UTF8 }
+        if ($tlogFile) { Add-Content $tlogFile $targetBinaryFilePath -Encoding Unicode }
+    } finally {
+        if ($mtx) {
+            $mtx.ReleaseMutex() | Out-Null
+            $mtx.Dispose() | Out-Null
+        }
+    }
+}
+
+
+Write-Verbose "Resolving base path $targetBinary..."
+try
+{
+    $baseBinaryPath = Resolve-Path $targetBinary -erroraction stop
+    $baseTargetBinaryDir = Split-Path $baseBinaryPath -parent
+}
+catch [System.Management.Automation.ItemNotFoundException]
+{
+    return
+}
+
+# Note: this function signature is depended upon by the qtdeploy.ps1 script
+function resolve([string]$targetBinary) {
+    Write-Verbose "Resolving $targetBinary..."
+    try
+    {
+        $targetBinaryPath = Resolve-Path $targetBinary -erroraction stop
+    }
+    catch [System.Management.Automation.ItemNotFoundException]
+    {
+        return
+    }
+    $targetBinaryDir = Split-Path $targetBinaryPath -parent
+
+    if (Get-Command "dumpbin" -ErrorAction SilentlyContinue) {
+        $a = $(dumpbin /DEPENDENTS $targetBinary | ? { $_ -match "^    [^ ].*\.dll" } | % { $_ -replace "^    ","" })
+    } elseif (Get-Command "llvm-objdump" -ErrorAction SilentlyContinue) {
+        $a = $(llvm-objdump -p $targetBinary| ? { $_ -match "^ {4}DLL Name: .*\.dll" } | % { $_ -replace "^ {4}DLL Name: ","" })
+    } elseif (Get-Command "objdump" -ErrorAction SilentlyContinue) {
+        $a = $(objdump -p $targetBinary| ? { $_ -match "^\tDLL Name: .*\.dll" } | % { $_ -replace "^\tDLL Name: ","" })
+    } else {
+        Write-Error "Neither dumpbin, llvm-objdump nor objdump could be found. Can not take care of dll dependencies."
+    }
+    $a | % {
+        if ([string]::IsNullOrEmpty($_)) {
+            return
+        }
+        if ($g_searched.ContainsKey($_)) {
+            Write-Verbose "  ${_}: previously searched - Skip"
+            return
+        }
+        $g_searched.Set_Item($_, $true)
+        $installedItemFilePath = Join-Path $installedDir $_
+        $targetItemFilePath = Join-Path $targetBinaryDir $_
+        if (Test-Path $installedItemFilePath) {
+            deployBinary $baseTargetBinaryDir $installedDir "$_"
+            if (Test-Path function:\deployPluginsIfQt) { deployPluginsIfQt $baseTargetBinaryDir (Join-Path $g_install_root 'plugins') "$_" }
+            if (Test-Path function:\deployOpenNI2) { deployOpenNI2 $targetBinaryDir "$g_install_root" "$_" }
+            if (Test-Path function:\deployPluginsIfMagnum) {
+                if ($g_is_debug) {
+                    deployPluginsIfMagnum $targetBinaryDir (Join-Path (Join-Path "$g_install_root" 'bin') 'magnum-d') "$_"
+                } else {
+                    deployPluginsIfMagnum $targetBinaryDir (Join-Path (Join-Path "$g_install_root" 'bin') 'magnum') "$_"
+                }
+            }
+            if (Test-Path function:\deployAzureKinectSensorSDK) { deployAzureKinectSensorSDK $targetBinaryDir "$g_install_root" "$_" }
+            resolve (Join-Path $baseTargetBinaryDir "$_")
+        } elseif (Test-Path $targetItemFilePath) {
+            Write-Verbose "  ${_}: $_ not found in $g_install_root; locally deployed"
+            resolve "$targetItemFilePath"
+        } else {
+            Write-Verbose "  ${_}: $installedItemFilePath not found"
+        }
+    }
+    Write-Verbose "Done Resolving $targetBinary."
+}
+
+# Note: This is a hack to make Qt5 work.
+# Introduced with Qt package version 5.7.1-7
+if (Test-Path "$g_install_root\plugins\qtdeploy.ps1") {
+    . "$g_install_root\plugins\qtdeploy.ps1"
+}
+
+# Note: This is a hack to make OpenNI2 work.
+if (Test-Path "$g_install_root\bin\OpenNI2\openni2deploy.ps1") {
+    . "$g_install_root\bin\OpenNI2\openni2deploy.ps1"
+}
+
+# Note: This is a hack to make Magnum work.
+if (Test-Path "$g_install_root\bin\magnum\magnumdeploy.ps1") {
+    . "$g_install_root\bin\magnum\magnumdeploy.ps1"
+} elseif (Test-Path "$g_install_root\bin\magnum-d\magnumdeploy.ps1") {
+    . "$g_install_root\bin\magnum-d\magnumdeploy.ps1"
+}
+
+# Note: This is a hack to make Azure Kinect Sensor SDK work.
+if (Test-Path "$g_install_root\tools\azure-kinect-sensor-sdk\k4adeploy.ps1") {
+    . "$g_install_root\tools\azure-kinect-sensor-sdk\k4adeploy.ps1"
+}
+
+resolve($targetBinary)
+Write-Verbose $($g_searched | out-string)
--- a/scripts/posh-vcpkg.psm1
+++ b/scripts/posh-vcpkg.psm1
@ -0,0 +1,39 @@
+param()
+
+if (Get-Module posh-vcpkg) { return }
+
+if ($PSVersionTable.PSVersion.Major -lt 5) {
+    Write-Warning ("posh-vcpkg does not support PowerShell versions before 5.0.")
+    return
+}
+
+if (Test-Path Function:\TabExpansion) {
+    Rename-Item Function:\TabExpansion VcpkgTabExpansionBackup
+}
+
+function TabExpansion($line, $lastWord) {
+    $lastBlock = [regex]::Split($line, '[|;]')[-1].TrimStart()
+
+    switch -regex ($lastBlock) {
+        "^(?<vcpkgexe>(\./|\.\\|)vcpkg(\.exe|)) (?<remaining>.*)$"
+        {
+            & $matches['vcpkgexe'] autocomplete $matches['remaining']
+            return
+        }
+
+        # Fall back on existing tab expansion
+        default {
+            if (Test-Path Function:\VcpkgTabExpansionBackup) {
+                VcpkgTabExpansionBackup $line $lastWord
+            }
+        }
+    }
+}
+
+$exportModuleMemberParams = @{
+    Function = @(
+        'TabExpansion'
+    )
+}
+
+Export-ModuleMember @exportModuleMemberParams
--- a/vcpkg-init/mint-standalone-bundle.ps1
+++ b/vcpkg-init/mint-standalone-bundle.ps1
@ -8,28 +8,14 @@ Param(
    [string]$TempDir,
    [Parameter()]
    [switch]$ReadOnly,
-    [Parameter(ValueFromRemainingArguments = $true)]
-    [string[]]$AdditionalFiles
+    [Parameter(Mandatory = $True)]
+    [string]$SignedFilesRoot
 )

-$AdditionalFilesNames = New-Object string[] $AdditionalFiles.Length
-for ($idx = 0; $idx -ne $AdditionalFiles.Length; $idx++) {
-    $raw = $AdditionalFiles[$idx]
-    if (-not (Test-Path $raw)) {
-        Write-Error "'$raw' did not exist."
-        throw
-    }
-
-    $itemized = Get-Item $raw
-    $AdditionalFiles[$idx] = $itemized.FullName
-    $AdditionalFilesNames[$idx] = $itemized.Name
-}
-
 $sha = Get-Content "$PSScriptRoot/vcpkg-scripts-sha.txt" -Raw
 $sha = $sha.Trim()

 $scripts_dependencies = @(
-    'addPoshVcpkgToPowershellProfile.ps1',
    'build_info.cmake',
    'buildsystems',
    'cmake',
@ -47,6 +33,11 @@ $scripts_dependencies = @(
    'vcpkgTools.xml'
 )

+$scripts_exclusions = @(
+    'buildsystems/msbuild/applocal.ps1',
+    'posh-vcpkg/0.0.1/posh-vcpkg.psm1'
+)
+
 if (Test-Path $TempDir) {
    Remove-Item -Recurse $TempDir
 }
@ -62,6 +53,9 @@ try {
    Push-Location "vcpkg-$sha"
    try {
        Move-Item 'triplets' '../out/triplets'
+        foreach ($exclusion in $scripts_exclusions) {
+            Remove-Item "scripts/$exclusion" -Recurse -Force
+        }
        foreach ($dep in $scripts_dependencies) {
            Move-Item "scripts/$dep" "../out/scripts/$dep"
        }
@ -70,9 +64,14 @@ try {
        Pop-Location
    }

-    for ($idx = 0; $idx -ne $AdditionalFiles.Length; $idx++) {
-        Copy-Item -Path $AdditionalFiles[$idx] -Destination "out/$($AdditionalFilesNames[$idx])"
-    }
+    Copy-Item -Path "$SignedFilesRoot/vcpkg-init" -Destination 'out/vcpkg-init'
+    Copy-Item -Path "$SignedFilesRoot/vcpkg-init.ps1" -Destination 'out/vcpkg-init.ps1'
+    Copy-Item -Path "$SignedFilesRoot/vcpkg-init.cmd" -Destination 'out/vcpkg-init.cmd'
+    Copy-Item -Path "$SignedFilesRoot/addPoshVcpkgToPowershellProfile.ps1" -Destination 'out/scripts/addPoshVcpkgToPowershellProfile.ps1'
+    New-Item -Path 'out/scripts/buildsystems/msbuild' -ItemType 'Directory' -Force
+    Copy-Item -Path "$SignedFilesRoot/applocal.ps1" -Destination 'out/scripts/buildsystems/msbuild/applocal.ps1'
+    New-Item -Path 'out/scripts/posh-vcpkg/0.0.1' -ItemType 'Directory' -Force
+    Copy-Item -Path "$SignedFilesRoot/posh-vcpkg.psm1" -Destination 'out/scripts/posh-vcpkg/0.0.1/posh-vcpkg.psm1'

    $bundleConfig = @{
        'readonly'       = [bool]$ReadOnly;