Make gsudo installable through winget #52
Comments
|
I am waiting for microsoft/winget-cli#140 before uploading a gsudo package... because gsudo ships as a ZIP file, and I rather not maintain yet another installation method such as MSIX. |
|
@gerardog - a bit ago I made MSI packing for gsudo for my own purposes (I use SaltStack, MSI's are easier to deploy declaratively then zips). It has MSI install gsudo.exe into the standard location and symlink to sudo.exe, plus add the directory to the path. Yay Wix! https://github.com/Silvenga/gsudomsi With #62 fixed, it should just work with WinGet's silent install. I would be more the happy maintaining it as a "community supported version" until superseded by the official version. |
|
This is great news @Silvenga. All contributions are greatly appreciated. I see you used MSI, instead of MSIX. Fine by me if it gets the job done. In the short term, here is my blessing to you if you want to upload your project as a 'community supported version'. Next I will happily accept you as a contributor. I've added your installer source to this repo as an experiment in FeatureInstaller branch, next it should integrate with the current build process: |
To my knowledge, MSIX won't work, since it requires gsudo to be ran within a sandbox, which I'm not sure will work. API calls, like to the registry hive, would be redirected to a separate hive mounted within gsudo's namespace.
I assumed that was best, since .NET should work under x86/x64 swimmingly, the WOW64 compalitibly layer shouldn't be a problem.
WinGet doesn't ever activate UAC directly. It relies on the MSI Engine to request an elevated context if MSI deems it necessary. But you're right. During install, MSI will show that yellow "this is unsigned" prompt without signatures.
Awesome!
Yeah, let's move this to a PR or something. I'm really good with anything. I can work in-tree (if you're good with installing all the Wix dependencies when releasing) - or I can work in my repo - set up some automation to automatically rebuild when you create a release on this repo or something. I've been meaning to get some code signing certs too, since I have other Open Source MSI projects that need signing, so that's not really a problem. Getting Wix to be happy can get a little annoying, TBH. So definitely don't want to force that on other developers 😆. I work with Wix, quite a bit, at my day job 🤷. Let me know what you're comfortable with - in-tree or separate. MSI packaging can continue to be a "community supported" deployment, at lot of Open Source projects do that (assuming because Wix really is an acquired taste). |
|
I've already installed Wix, imported part of your project and signed one MSI locally from gsudo repo. Check the FeatureInstaller branch / compare. I was able to sign the MSI as well. Please note the code-signing certificate I bought is physically impossible to be shared.
Let's aim only for the next gsudo release to include an .MSI installer file. Let's say that all logic to publish to winget is out of the scope of THIS repo at this point. Also it looks like you already have that working on Silvenga/gsudomsi, so maybe use that?. After gsudo oficially releases an MSI, the manifest should link that .msi from gsudo repo. Btw, unfortunately this error came on the 2nd run: Looks like mklink fails if the file already exists. Can we ignore errors on that? |
That error should not occur since the action My best guess is that on your computer, the MSI DB is in a bad state (common in local development when accidentally forgetting to change the product version). Make sure you completely uninstalling the MSI using the installed MSI before building a new one. This is because the product id is auto-generated.
We should key component these things. A key for a component basically tells MSI how to repair/upgrade/etc. If "key file" is missing, it knows to install the component. But say, if the component's "key file" exists, and MSI is trying to upgrade, it won't touch any other files in the component. During repairs, MSI will look at the key file's hash in the MSI DB, to figure out of any of the components need to be update. Think of MSI as a declarative "snapshot" of what should be. At the end of the install xyz should exist in abc. MSI goes and figures out what needs to be done based on the current system state. |
Looks good! Want to make that the one on wget? |
Agree. Merged.
Sure, I was doing an experiment. Thanks for the info.
The Symlink has been problematic in many ways, but IMHO it is still the best possible sudo alias I could find. For security considerations, gsudo speaks with it's elevated instance only if it's named pipe is rooted on the same Another option: To use a shim. For example kiennq/scoop-better-shimexe which seems to have addressed all the mayor shim issues. See this relevant discussion on how problematic a shim can be: ScoopInstaller/Scoop#3634. I should sign the shim. Also load time is a little bit reduced given that now IMHO is just easier to deal with MSI limitations. not reintroducing other problems. Lets try to bring on the best possible workaround. Can you check if the file exists and if not, execute the
Yes, I do. But only after we resolve these issues. |
I've just read MSIX Desktop Bridge and yes, it sounds like it won't work. |
|
This may not apply, but I thought I'd just point out that the new Windows Terminal is both a store app and stand alone installer from an .msixbundle file . However, it behaves like any normal desktop app and doesn't seem to have any sandbox restrictions, considering gsudo, works when called from inside the Terminal. I'm not sure how as the source (https://github.com/microsoft/terminal) doesn't look like it contains the MSIX package process, but it's clearly an app that once installed behaves like any other desktop app. And it could still be that the Terminal itself is somehow in a sandbox but the processes it runs are not. Or maybe MS has granted it special restricted store privledges. Just thought I'd mention this as it may help figure out MSIX packaging. |
|
That is a good point. Hmmm... I wonder if the marketing exaggerates how "containerized" msix apps are... or the campatibly layer is just that good e.g. WOW64. e.g.
IMO - there aren't any benefits to using MSIX over a properly made MSI:
I think the cons of using MSIX e.g. microsoft/terminal#1386 are rather large though. Plus, using MSI means that GSudo can be installed on anything Windows 7+ e.g. Windows Server 2016. |
Sounds good!
Yeah, the actions (mklink and del) are currently marked as ignored. So the MSI engine will execute it, and wait for an exit, but suppress any errors propagating and triggering a rollback of the transaction. While it is possible to check for existence, that makes things a lot more complex - since that involves running a custom action. Is the the error blocking the install on your machine? |
|
Turns out gsudo is available in winget since Dec-26! Not sure if the PR was uploaded or inspired by you guys or if someone else found the MSI and pushed it. Anyway a nice surprise, including the fact I haven't got much complaints on the MSI after almost 400 downloads. Thanks everyone!
It works in my machine. 😉 |
|
Awesome! (😆 wasn't me) |
|
Still, thank you @Silvenga for creating the MSI. |
Microsoft has released their own package installer for Windows called winget. gsudo should also be added to their package list here.
I would add it myself, but there isn't an executable installer that I can link to, which is needed if you make the manifest using the WinGetYamlGenerator tool.
The text was updated successfully, but these errors were encountered: