Skip to content

Commit

Permalink
Bug 1867846 - Add mach msix repackage --unsigned. r=mhughes
Browse files Browse the repository at this point in the history
This allows `Appx-AddPackage -Unsigned ...` on Windows 11.

Differential Revision: https://phabricator.services.mozilla.com/D196894
  • Loading branch information
ncalexan committed Feb 21, 2024
1 parent 98c1dfe commit 381d510
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 0 deletions.
21 changes: 21 additions & 0 deletions browser/installer/windows/docs/MSIX.rst
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,27 @@ Linux users can obtain a prebuilt version with:
After `bug 1743036 <https://bugzilla.mozilla.org/show_bug.cgi?id=1743036>`__
is fixed, macOS and Windows users will have a similar option.

Avoiding signing locally with unsigned packages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows 11 allows to install unsigned packages, provided that its AppX
manifest includes a special OID (organization ID) value in its
``Identity`` element. See
https://github.com/MicrosoftDocs/msix-docs/blob/769dee9364df2b6fd0b78000774f8d14de8fe814/msix-src/package/unsigned-package.md.
To produce a suitable package, use the ``--unsigned`` command line
switch, like:

::

$ ./mach repackage msix --unsigned

Note that unsigned packages **must** be installed by an administrator.
Generally, run Powershell as an administrator and then use commands like

::

$ Add-AppxPackage -Path ... -AllowUnsigned -ForceUpdateFromAnyVersion

Signing locally
~~~~~~~~~~~~~~~

Expand Down
22 changes: 22 additions & 0 deletions python/mozbuild/mozbuild/mach_commands.py
Original file line number Diff line number Diff line change
Expand Up @@ -2621,6 +2621,13 @@ def repackage_msi(
help="Sign repackaged MSIX with self-signed certificate for local testing. "
"(Default: false)",
)
@CommandArgument(
"--unsigned",
default=False,
action="store_true",
help="Support `Add-AppxPackage ... -AllowUnsigned` on Windows 11."
"(Default: false)",
)
def repackage_msix(
command_context,
input,
Expand All @@ -2636,6 +2643,7 @@ def repackage_msix(
output=None,
makeappx=None,
sign=False,
unsigned=False,
):
from mozbuild.repackaging.msix import repackage_msix

Expand Down Expand Up @@ -2700,6 +2708,20 @@ def repackage_msix(
)
return 1

if unsigned:
if sign:
command_context.log(
logging.ERROR,
"repackage-msix-signed-and-unsigned",
{},
"--sign and --unsigned are mutually exclusive",
)
return 1

# Support `Add-AppxPackage ... -AllowUnsigned` on Windows 11. See
# https://github.com/MicrosoftDocs/msix-docs/blob/769dee9364df2b6fd0b78000774f8d14de8fe814/msix-src/package/unsigned-package.md.
publisher = f"{publisher}, OID.2.25.311729368913984317654407730594956997722=1"

output = repackage_msix(
input,
command_context.topsrcdir,
Expand Down

0 comments on commit 381d510

Please sign in to comment.