updated to the build script to include a digital signature

gcclinux · gcclinux · commit 455bbc6bb2f7 · 2026-04-29T22:46:17.000+01:00
diff --git a/installer/build-msi.ps1 b/installer/build-msi.ps1
@@ -1,22 +1,29 @@
 # ============================================================================
-# Weather Widget - MSI Package Builder (Traditional Installer)
+# Weather Widget - MSI Package Builder (Microsoft Store / Sideload)
 # ============================================================================
 # Usage:
-#   .\installer\build-msi.ps1 -Version "1.0.0.0"
-#   .\installer\build-msi.ps1 -Version "1.0.0.0" -CertPath "cert.pfx" -CertPassword "pass"
-#   .\installer\build-msi.ps1 -Version "1.0.0.0" -SkipSign
+#   # Sign with certificate from Windows certificate store (by thumbprint):
+#   .\installer\build-msi.ps1 -Version "0.0.5.0" -CertThumbprint "A9D97675327F7BF344BA308A357E91141A1DDE50"
+#
+#   # Sign with a .pfx file:
+#   .\installer\build-msi.ps1 -Version "0.0.5.0" -CertPath "cert.pfx" -CertPassword "pass"
+#
+#   # Build without signing (for testing only):
+#   .\installer\build-msi.ps1 -Version "0.0.5.0" -SkipSign
 #
 # Prerequisites:
 #   - Go 1.25+ with CGO enabled (for Fyne)
 #   - go-winres: go install github.com/tc-hib/go-winres@latest
-#   - WiX v4+: dotnet tool install --global wix
-#   - Code signing certificate (for production builds)
+#   - WiX v4+: dotnet tool install --global wix  (or WiX v7 via winget)
+#   - signtool.exe (from Windows SDK)
+#   - Code signing certificate (installed in cert store or as .pfx file)
 # ============================================================================
 
 param(
     [Parameter(Mandatory=$true)]
     [string]$Version,
 
+    [string]$CertThumbprint = "A9D97675327F7BF344BA308A357E91141A1DDE50",
     [string]$CertPath = "",
     [string]$CertPassword = "",
     [switch]$SkipSign,
@@ -35,6 +42,41 @@ if (-not (Test-Path $GoWinRes)) {
     throw "go-winres not found at $GoWinRes. Install with: go install github.com/tc-hib/go-winres@latest"
 }
 
+# Determine signing mode
+$SignMode = "none"
+if (-not $SkipSign) {
+    if ($CertThumbprint) {
+        $SignMode = "thumbprint"
+    } elseif ($CertPath) {
+        $SignMode = "pfx"
+    }
+}
+
+# Helper function to sign a file
+function Sign-File {
+    param([string]$FilePath, [string]$Description)
+
+    if ($SignMode -eq "none") { return }
+
+    $signArgs = @("sign", "/fd", "SHA256", "/tr", "http://timestamp.digicert.com", "/td", "SHA256")
+
+    if ($SignMode -eq "thumbprint") {
+        $signArgs += @("/sha1", $CertThumbprint, "/s", "My")
+    } else {
+        $signArgs += @("/f", $CertPath)
+        if ($CertPassword) { $signArgs += @("/p", $CertPassword) }
+    }
+
+    if ($Description) {
+        $signArgs += @("/d", $Description)
+    }
+
+    $signArgs += $FilePath
+
+    & signtool @signArgs
+    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $FilePath" }
+}
+
 Push-Location $ProjectRoot
 
 try {
@@ -44,6 +86,7 @@ try {
     Write-Host ""
     Write-Host "============================================" -ForegroundColor Cyan
     Write-Host "  Weather Widget MSI Builder v$Version" -ForegroundColor Cyan
+    Write-Host "  Sign mode: $SignMode" -ForegroundColor Cyan
     Write-Host "============================================" -ForegroundColor Cyan
     Write-Host ""
 
@@ -60,6 +103,15 @@ try {
     # -------------------------------------------------------------------------
     if (-not $SkipBuild) {
         Write-Host "[2/5] Generating Windows resources..." -ForegroundColor Yellow
+
+        # Update version in winres.json before generating
+        $winresJson = Get-Content ".\winres\winres.json" -Raw | ConvertFrom-Json
+        $winresJson.RT_VERSION.'#1'.'0409'.fixed.file_version = $Version
+        $winresJson.RT_VERSION.'#1'.'0409'.fixed.product_version = $Version
+        $winresJson.RT_VERSION.'#1'.'0409'.info.'0409'.FileVersion = $Version
+        $winresJson.RT_VERSION.'#1'.'0409'.info.'0409'.ProductVersion = $Version
+        $winresJson | ConvertTo-Json -Depth 10 | Set-Content ".\winres\winres.json"
+
         & $GoWinRes make --in .\winres\winres.json --product-version $Version --file-version $Version
         if ($LASTEXITCODE -ne 0) { throw "go-winres failed" }
         Write-Host "       Done." -ForegroundColor Green
@@ -75,22 +127,21 @@ try {
         $ldflags = "-H windowsgui -s -w -X main.version=$Version"
         go build -ldflags="$ldflags" -o "$BuildDir\weatherwidget.exe" .\cmd\weatherwidget\
         if ($LASTEXITCODE -ne 0) { throw "Go build failed" }
-        Write-Host "       Done." -ForegroundColor Green
+        Write-Host "       Done. Output: $BuildDir\weatherwidget.exe" -ForegroundColor Green
     } else {
         Write-Host "[2/5] Skipping (SkipBuild)." -ForegroundColor DarkGray
         Write-Host "[3/5] Skipping (SkipBuild)." -ForegroundColor DarkGray
+        if (-not (Test-Path "$BuildDir\weatherwidget.exe")) {
+            throw "No existing exe found at $BuildDir\weatherwidget.exe. Remove -SkipBuild flag."
+        }
     }
 
     # -------------------------------------------------------------------------
     # Step 4: Sign the executable
     # -------------------------------------------------------------------------
-    if (-not $SkipSign -and $CertPath) {
+    if ($SignMode -ne "none") {
         Write-Host "[4/5] Signing executable..." -ForegroundColor Yellow
-        $signArgs = @("sign", "/fd", "SHA256", "/tr", "http://timestamp.digicert.com", "/td", "SHA256", "/f", $CertPath)
-        if ($CertPassword) { $signArgs += @("/p", $CertPassword) }
-        $signArgs += "$BuildDir\weatherwidget.exe"
-        & signtool @signArgs
-        if ($LASTEXITCODE -ne 0) { throw "Signing failed" }
+        Sign-File -FilePath "$BuildDir\weatherwidget.exe" -Description "Weather Widget"
         Write-Host "       Done." -ForegroundColor Green
     } else {
         Write-Host "[4/5] Skipping signing." -ForegroundColor DarkGray
@@ -106,29 +157,26 @@ try {
     if (-not $wixExe) {
         $wixPaths = @(
             "${env:ProgramFiles}\WiX Toolset v7.0\bin\wix.exe",
-            "${env:ProgramFiles}\WiX Toolset v4.0\bin\wix.exe",
-            "${env:ProgramFiles(x86)}\WiX Toolset v3.14\bin\candle.exe"
+            "${env:ProgramFiles}\WiX Toolset v4.0\bin\wix.exe"
         )
         foreach ($p in $wixPaths) {
             if (Test-Path $p) { $wixExe = $p; break }
         }
     }
     if (-not $wixExe) {
-        throw "WiX not found. Install with: winget install WiXToolset.WiXCLI"
+        throw "WiX not found. Install with: dotnet tool install --global wix"
     }
     Write-Host "       Using WiX: $wixExe" -ForegroundColor DarkGray
 
     & $wixExe build .\installer\Package.wxs -d BuildDir=$BuildDir -d Version=$Version -o $OutputMsi
     if ($LASTEXITCODE -ne 0) { throw "WiX build failed" }
+    Write-Host "       MSI created." -ForegroundColor Green
 
     # Sign the MSI
-    if (-not $SkipSign -and $CertPath) {
+    if ($SignMode -ne "none") {
         Write-Host "       Signing MSI..." -ForegroundColor Yellow
-        $signArgs = @("sign", "/fd", "SHA256", "/tr", "http://timestamp.digicert.com", "/td", "SHA256", "/f", $CertPath)
-        if ($CertPassword) { $signArgs += @("/p", $CertPassword) }
-        $signArgs += $OutputMsi
-        & signtool @signArgs
-        if ($LASTEXITCODE -ne 0) { throw "MSI signing failed" }
+        Sign-File -FilePath $OutputMsi -Description "Weather Widget Installer"
+        Write-Host "       MSI signed." -ForegroundColor Green
     }
 
     Write-Host ""
@@ -138,6 +186,13 @@ try {
     Write-Host "============================================" -ForegroundColor Green
     Write-Host ""
 
+    if ($SignMode -eq "none") {
+        Write-Host "  WARNING: Package is unsigned. Microsoft Store" -ForegroundColor Yellow
+        Write-Host "  requires SHA256 code signing (Policy 10.2.9)." -ForegroundColor Yellow
+        Write-Host "  Use -CertThumbprint or -CertPath to sign." -ForegroundColor Yellow
+        Write-Host ""
+    }
+
 } finally {
     Pop-Location
 }
diff --git a/installer/build-msix.ps1 b/installer/build-msix.ps1
@@ -152,9 +152,12 @@ try {
     Copy-Item "$BuildDir\weatherwidget.exe" "$PackageDir\"
 
     # Copy and update AppxManifest with current version
+    # Use a lookbehind to only replace the Version inside the Identity element,
+    # not the version="1.0" in the <?xml ?> declaration.
     $manifest = Get-Content ".\installer\AppxManifest.xml" -Raw
-    $manifest = $manifest -replace 'Version="[^"]*"', "Version=`"$Version`""
-    Set-Content -Path "$PackageDir\AppxManifest.xml" -Value $manifest
+    $manifest = $manifest -replace '(?<=<Identity\s[^>]*)Version="[^"]*"', "Version=`"$Version`""
+    # MakeAppx requires UTF-8 without BOM — Set-Content adds a BOM which breaks the XML declaration
+    [System.IO.File]::WriteAllText("$PackageDir\AppxManifest.xml", $manifest, (New-Object System.Text.UTF8Encoding $false))
 
     # Copy store assets (user must provide these)
     $storeAssetsDir = ".\installer\store-assets"
@@ -239,8 +242,13 @@ try {
 
         # .msixupload is a ZIP containing the .msix (and optionally .msixsym)
         # Partner Center expects this format for Store submissions.
+        # Compress-Archive in Windows PowerShell 5.1 only allows .zip extension,
+        # so create as .zip first, then rename to .msixupload.
         if (Test-Path $OutputMsixUpload) { Remove-Item $OutputMsixUpload -Force }
-        Compress-Archive -Path $OutputMsix -DestinationPath $OutputMsixUpload -Force
+        $tempZip = "$OutputMsixUpload.zip"
+        if (Test-Path $tempZip) { Remove-Item $tempZip -Force }
+        Compress-Archive -Path $OutputMsix -DestinationPath $tempZip -Force
+        Move-Item -Path $tempZip -Destination $OutputMsixUpload -Force
 
         Write-Host "       Done." -ForegroundColor Green
     }
diff --git a/winres/winres.json b/winres/winres.json
@@ -23,19 +23,19 @@
     "#1": {
       "0409": {
         "fixed": {
-          "file_version": "1.0.0.0",
-          "product_version": "1.0.0.0"
+          "file_version": "0.0.5.0",
+          "product_version": "0.0.5.0"
         },
         "info": {
           "0409": {
             "CompanyName": "WeatherWidget",
             "FileDescription": "Weather Widget Desktop Application",
-            "FileVersion": "1.0.0.0",
+            "FileVersion": "0.0.5.0",
             "InternalName": "weatherwidget",
             "LegalCopyright": "© 2026 WeatherWidget",
             "OriginalFilename": "weatherwidget.exe",
             "ProductName": "Weather Widget",
-            "ProductVersion": "1.0.0.0"
+            "ProductVersion": "0.0.5.0"
           }
         }
       }
