Remaining TODOs for MSIX installer

[davidanthoff]

I will keep this list at the top of the issue here updated to continually reflect things that need to be sorted out before this is really ready to be tested more broadly.

• Once MSIX installer build-extra#366 is merged, replace https://github.com/git-for-windows/git/pull/3331/files#diff-027c70cd6ed99ca64ca6fc12148edaf142051f780a5516aca15ef28f437b711aR565 with the origin repo.
• Pick up the correct version in the GitHub build script in places like https://github.com/git-for-windows/git/pull/3331/files#diff-027c70cd6ed99ca64ca6fc12148edaf142051f780a5516aca15ef28f437b711aR573 and a couple of other steps below. @dscho that is one of those parts where I don't understand the release process well enough, but all we need there is to use something more useful than 1.0.0.0. I think there might be a rule that we have to use 0 for the last part because the Windows Store reserves the right to increase that internally, but not entirely sure.
• Figure out what is going on with WebView2Loader.dll, i.e. remove https://github.com/git-for-windows/git/pull/3331/files#diff-027c70cd6ed99ca64ca6fc12148edaf142051f780a5516aca15ef28f437b711aR577 once we have a version of that file that doesn't error when it is put into the msix package.
• Sign the standalone version https://github.com/git-for-windows/git/pull/3331/files#diff-027c70cd6ed99ca64ca6fc12148edaf142051f780a5516aca15ef28f437b711aR594.
• Add more steps that push things to the store once that is ready.
• Context menus, at the moment they are just ignored.
• Figure out whether we should try to get the unvirtualizedResources capability. With that we could entirely avoid the container, which @dscho and I felt would probably make sense for git.
• Include the ARM builds again https://github.com/git-for-windows/build-extra/pull/366/files#diff-5eecd955b6b0d77afc89ebafb3c6aa3beeebc23ab833200dba3c2508d4dbf1bcR21.

[dscho]

* Figure out what is going on with `WebView2Loader.dll`, i.e. remove https://github.com/git-for-windows/git/pull/3331/files#diff-027c70cd6ed99ca64ca6fc12148edaf142051f780a5516aca15ef28f437b711aR577 once we have a version of that file that doesn't error when it is put into the msix package.

The error I get is:

Done Adding Additional Store

Number of errors: 1
SignTool Error: SignedCode::Sign returned error: 0x800700C1
        For more information, please see https://aka.ms/badexeformat
SignTool Error: An error occurred while attempting to sign: WebView2Loader.dll

When I look for that hex number, I find that it means ERROR_BAD_EXE_FORMAT (and following the link from the error message does not help, either). The .dll seems to be a valid i686 Dynamic Link Library, but even the i686 version of signtool.exe seems to be unable to sign it. When I ask osslsigncode to verify the .dll, it claims that there is a signature that is not at the end:

Corrupt PE file - current signature not at end of file: WebView2Loader.dll

[rimrul]

When I ask osslsigncode to verify the .dll, it claims that there is a signature that is not at the end:

Corrupt PE file - current signature not at end of file: WebView2Loader.dll

I went to take a look at what causes this particular error message. I looked into the source code of osslsigncode and dug into the PE image with a hex editor.

The check is fairly simple

It turns out filesize is 101376, sigpos is 101376 and siglen is 8608. So if I understand it correctly, the DLL used to have a signature at the end, but it got removed somehow without removing the meta information that there is a signature.

The binary shipped by GCM Core seems to be roughly siglen bytes larger, but mingw-w64-git-credential-manager-core should just copy the binaries from the release zipfile.

Our binaries in git-sdk-32 and git-sdk-64 seem to be lacking the signature already. It's really curious.

[rimrul]

I think i found the issue. makepkg tries to strip shared libraries of "unneeded" bloat by default.
We should add
options=('!strip') to the PKGBUILD.

[rimrul]

With options=('!strip') osslsigncode is quite happy.

Current PE checksum   : 0002A8DD
Calculated PE checksum: 0002A8DD

Message digest algorithm  : SHA256
Current message digest    : 3464030DB18AF5D8489B5763CD8D7E6B12FA1206222547FEBD19587B5466E852
Calculated message digest : 3464030DB18AF5D8489B5763CD8D7E6B12FA1206222547FEBD19587B5466E852

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
                Serial : 3300000326AECEEDF9BCE47B92000000000326

Number of certificates: 2
        Cert #0:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
                Serial : 3300000326AECEEDF9BCE47B92000000000326
        ------------------
        Cert #1:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
                Serial : 610C524C000000000003

Succeeded

[dscho]

Closing as stale.