# Signing packages with Azure Trusted Signing

This was a bit more of a doozy than I would have liked. There's a lot of very manual setup, and it isn't documented very well.



## Notebook Setup

Before running this notebook, make sure you're in the sln root:

In [None]:
$gitRoot = git rev-parse --show-toplevel
cd $gitRoot

## Dependencies

We need both the `TrustedSigning` PowerShell module (which drives `signtool` for us) and the `az` CLI for authentication.

In [None]:
Install-Module -Name TrustedSigning

Install the Azure CLI with winget, then restart the notebook connection so the updated `PATH` is picked up:

In [None]:
winget install --id Microsoft.AzureCLI

### Azure setup

In addition to those tools, you also need to do a bunch of setup on the Azure portal itself.

This link is actually a good place to start: [Quickstart: Set up Trusted Signing](https://learn.microsoft.com/en-us/azure/trusted-signing/quickstart?tabs=registerrp-portal%2Caccount-portal%2Corgvalidation%2Ccertificateprofile-portal%2Cdeleteresources-portal)

One thing that's critical, which I'm not sure is listed there:
**You need to grant the following roles to someone** (on the Trusted Signing account's Access control (IAM) blade; both roles can be scoped to that account rather than to the whole subscription):
* Trusted Signing Identity Verifier
  * Needed to create and manage the identity validation for the account
* Trusted Signing Certificate Profile Signer
  * Needed to actually sign code with the certificate profile you created. In CI this belongs to the pipeline's service principal or managed identity, not to a human account.

This is also probably the thing I did the most wrong. I'm sure you're not supposed to just grant that access to the one user you have, but the stakes are incredibly low for this test repo.
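As an added example (not part of the page's own setup steps), here is how the same two role assignments look from the `az` CLI when they are scoped to the Trusted Signing account instead of the subscription. The resource group, account name, UPN and object ID are placeholders you would replace with your own.

```powershell
# Added example: assign the two Trusted Signing roles at the narrowest scope,
# the Trusted Signing account itself, instead of at the subscription.
# ASSUMPTIONS: resource group, account name and principal identifiers below are
# placeholders; `az login` has already been run in this session.
$subscriptionId = az account show --query id -o tsv
$resourceGroup  = 'rg-signing'             # assumption
$accountName    = 'my-signing-account'     # assumption
$accountScope   = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
                  "/providers/Microsoft.CodeSigning/codeSigningAccounts/$accountName"

# Identity Verifier: a human needs this once, to create the identity validation request.
$verifierUpn = 'me@contoso.onmicrosoft.com'   # assumption
az role assignment create --assignee $verifierUpn `
    --role 'Trusted Signing Identity Verifier' --scope $accountScope

# Certificate Profile Signer: the only role the signing pipeline needs. Give it to the
# principal that actually runs signtool (a service principal or managed identity),
# not to the admin user who set the account up.
$signerObjectId = '00000000-0000-0000-0000-000000000000'   # assumption: object ID of the CI identity
az role assignment create --assignee-object-id $signerObjectId `
    --assignee-principal-type ServicePrincipal `
    --role 'Trusted Signing Certificate Profile Signer' --scope $accountScope

# Review who can sign with this account; inherited subscription-level grants show up too.
az role assignment list --scope $accountScope --include-inherited `
    --query "[].{principal:principalName, role:roleDefinitionName, scope:scope}" -o table
```

The final listing is the check worth repeating periodically: anyone who holds the Signer role on this account can produce signatures that chain to your verified identity.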

## Signing

Now that you've got all your dependencies installed, and you've got an Azure Trusted Signing account and certificate profile set up, you're ready to build some packages and sign them.

### Build the packages

The simplest way I've found to build all the x64 packages is with the following dotnet command:

In [None]:
$gitRoot = git rev-parse --show-toplevel
cd $gitRoot

dotnet build --configuration Release --no-restore -p Platform=x64 .\Extensions.sln

### Collect up the packages

Next, collect all the built packages into a single folder (`x64/tmp`, which is where the signing step below expects them) so they can be signed in one pass.

In [None]:
$gitRoot = git rev-parse --show-toplevel
cd $gitRoot

.\src\tools\Find-Msixs.ps1

### Logging in with az cli


Then log in with the following command. The first time I ran this, I had to manually select "Default directory" as the tenant; `az login` prints the tenant ID, so you can log in with `az login --tenant TENANT_ID` instead.

In [None]:
az login

(I also need to manually select subscription 3, "Visual Studio Enterprise with MSDN")

## Actually doing the signing

Now that you're signed in, you've built the packages, and you've got them binplaced into `x64/tmp`, run the following:

In [None]:
$gitRoot = git rev-parse --show-toplevel
cd $gitRoot

.\src\tools\Sign-Msixs.ps1
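`Sign-Msixs.ps1` is the repo's own script. The following is an added example, not the repo's code, of what a signing pass with the `TrustedSigning` module looks like, followed by the checks worth running on every package before it goes into a release. The endpoint region, account name and certificate profile name are placeholders.

```powershell
# Added example (not the repo's Sign-Msixs.ps1): sign every .msix in x64\tmp with
# Azure Trusted Signing, then verify each package before it goes near a GitHub release.
# ASSUMPTIONS: endpoint region, account name and profile name are placeholders;
# the TrustedSigning module is installed and `az login` has already been run.
$endpoint    = 'https://wus2.codesigning.azure.net/'  # assumption: account created in West US 2
$accountName = 'my-signing-account'                    # assumption
$profileName = 'my-cert-profile'                       # assumption
$packageDir  = Join-Path (git rev-parse --show-toplevel) 'x64\tmp'

# Trusted Signing certificates are short-lived, so the RFC 3161 timestamp is what keeps
# the signature valid after the signing certificate expires. Never sign a release without it.
Invoke-TrustedSigning `
    -Endpoint $endpoint `
    -CodeSigningAccountName $accountName `
    -CertificateProfileName $profileName `
    -FilesFolder $packageDir `
    -FilesFolderFilter 'msix' `
    -FileDigest SHA256 `
    -TimestampRfc3161 'http://timestamp.acs.microsoft.com' `
    -TimestampDigest SHA256

# Read the Publisher out of the package's AppxManifest.xml (an .msix is a zip container).
function Get-MsixPublisher([string]$Path) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
        try { ([xml]$reader.ReadToEnd()).Package.Identity.Publisher } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

$problems = @()
foreach ($pkg in Get-ChildItem -Path $packageDir -Filter '*.msix') {
    $sig  = Get-AuthenticodeSignature -FilePath $pkg.FullName
    $cert = $sig.SignerCertificate

    if ($sig.Status -ne 'Valid') {
        $problems += "$($pkg.Name): signature status is $($sig.Status)"
        continue
    }
    # No timestamp means the package stops validating when the short-lived cert expires.
    if (-not $sig.TimeStamperCertificate) {
        $problems += "$($pkg.Name): not timestamped"
    }
    # A self-signed (dev) certificate must never reach a release.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += "$($pkg.Name): signed with a self-signed certificate ($($cert.Subject))"
    }
    # MSIX refuses to install unless the manifest Publisher equals the signing cert's Subject.
    $publisher = Get-MsixPublisher $pkg.FullName
    if ($publisher -ne $cert.Subject) {
        $problems += "$($pkg.Name): manifest Publisher '$publisher' != cert Subject '$($cert.Subject)'"
    }
    Write-Host "$($pkg.Name): signed by $($cert.Subject), issued by $($cert.Issuer)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    throw 'One or more packages failed signature verification; do not release them.'
}
```

The Publisher check is the one that bites most often: a package built with a dev certificate's `Publisher` in its manifest will sign cleanly but refuse to install once the real certificate is used.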

## Uploading to WinGet

Now that you've got signed packages, it's time to share them with the world.

To do that:

1. Draft a new release on GitHub and publish it.
   - For the sake of this repo, use `<extension>/<version>` for the tags. 
   - I'll probably start enforcing PRs now
2. Then you'll need to create the package on winget. To do this, head on over to the `winget-pkgs` repo. If you haven't already forked it and cloned that locally, do that. Otherwise `git fetch origin` and `git checkout origin/main`.
3. Depending on if this is a new package or not:
   - If it's a new package, you'll need to run `wingetcreate new`
     - Paste in the path to the `.msix` on the release you made on GitHub
     - It'll prompt you for all the fields you need to fill out.
     - I strongly urge you not name the package `{PluralThings}Extension`. Try instead `{PluralThings}ForCmdPal`.
     - **DON'T** auto-submit it. You need to make two edits before you submit:
       - Add a dependency on the Windows App SDK runtime to the `installer.yaml` manifest (`PackageDependencies` nests under `Dependencies`):
         ```yaml
         Dependencies:
           PackageDependencies:
           - PackageIdentifier: Microsoft.WindowsAppRuntime.1.6
         ```
       - Add the `windows-commandpalette-extension` tag to each `locale` file:
         ```yaml
            Tags:
            - windows-commandpalette-extension
         ```
     - Then run `wingetcreate submit {path to manifest}`
   - If it's an existing package
     - Run `wingetcreate update --urls {URL of the msix on the release} --version {version} {packageId}`
       - for example: `wingetcreate update --urls https://github.com/zadjii/CmdPalExtensions/releases/download/hackernews%2Fv0.0.5/HackerNewsExtension_0.0.5.0_x64.msix --version 0.0.5 zadjii.HackerNewsforCommandPalette`
     - Then run `wingetcreate submit {path to manifest}`
       - for example: `wingetcreate submit .\manifests\z\zadjii\HackerNewsforCommandPalette\0.0.5\`
