Install Windows SDK script (#431)

enisdenjo · web-flow · commit 9e92a2abedf1 · 2025-01-09T16:38:47.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -162,10 +162,7 @@ jobs:
         uses: actions/checkout@v4
       - if: runner.os == 'Windows'
         name: Install Windows SDK
-        uses: fbactions/setup-winsdk@v2
-        with:
-          # we want exact version because the signtool path depends on it in package-binary.ts
-          winsdk-build-version: 18362
+        run: scripts\install-winsdk.ps1
       - name: Set up env
         uses: the-guild-org/shared-config/setup@v1
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -134,10 +134,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
       - if: runner.os == 'Windows'
         name: Install Windows SDK
-        uses: fbactions/setup-winsdk@v2
-        with:
-          # we want exact version because the signtool path depends on it in package-binary.ts
-          winsdk-build-version: 18362
+        run: scripts\install-winsdk.ps1
       - name: Set up env
         uses: the-guild-org/shared-config/setup@v1
         with:
diff --git a/packages/gateway/scripts/package-binary.ts b/packages/gateway/scripts/package-binary.ts
@@ -18,7 +18,7 @@ if (!isDarwin && !isWindows && !isLinux) {
 const dest = 'hive-gateway' + (isWindows ? '.exe' : '');
 
 const signToolPath =
-  'C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.18362.0\\x64\\signtool.exe';
+  'C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.26100.0\\x64\\signtool.exe';
 
 console.log(
   `Packaging binary with Node SEA for ${platform}-${arch} to ${dest}`,
diff --git a/scripts/install-winsdk.ps1 b/scripts/install-winsdk.ps1
@@ -0,0 +1,331 @@
+#
+# Copied from https://github.com/fbactions/setup-winsdk/blob/808cfabb8fbe8537bcb677beb136682c9e712aff/externals/install-winsdk.ps1
+#
+# Script is modified to constantly use the Windows SDK 10.0.26100.0 and not accept any parameters.
+#
+# Note that changing the Windows SDK version will also require a change in the package-binary.ts#signToolPath.
+#
+
+[CmdletBinding()]
+
+# Ensure the error action preference is set to the default for PowerShell3, 'Stop'
+$ErrorActionPreference = 'Stop'
+
+# Constants
+$WindowsSDKOptions = @("OptionId.UWPCpp", "OptionId.DesktopCPPx64", "OptionId.DesktopCPPx86", "OptionID.DesktopCPPARM", "OptionID.DesktopCPPARM64")
+$WindowsSDKRegPath = "HKLM:\Software\Microsoft\Windows Kits\Installed Roots"
+$WindowsSDKRegRootKey = "KitsRoot10"
+$WindowsSDKVersion = "10.0.26100.0"
+$WindowsSDKDownloadURL = "https://software-static.download.prss.microsoft.com/dbazure/888969d5-f34g-4e03-ac9d-1f9786c66749/26100.1742.240904-1906.ge_release_svc_prod1_WindowsSDK.iso"
+$WindowsSDKInstalledRegPath = "$WindowsSDKRegPath\$WindowsSDKVersion\Installed Options"
+$StrongNameRegPath = "HKLM:\SOFTWARE\Microsoft\StrongName\Verification"
+$PublicKeyTokens = @("31bf3856ad364e35")
+
+function Download-File
+{
+    param ([string] $outDir,
+           [string] $downloadUrl,
+           [string] $downloadName)
+
+    $downloadPath = Join-Path $outDir "$downloadName.download"
+    $downloadDest = Join-Path $outDir $downloadName
+    $downloadDestTemp = Join-Path $outDir "$downloadName.tmp"
+
+    Write-Host -NoNewline "Downloading $downloadName..."
+
+    $retries = 10
+    $downloaded = $false
+    while (-not $downloaded)
+    {
+        try
+        {
+            $webclient = new-object System.Net.WebClient
+            $webclient.DownloadFile($downloadUrl, $downloadPath)
+            $downloaded = $true
+        }
+        catch [System.Net.WebException]
+        {
+            Write-Host
+            Write-Warning "Failed to fetch updated file from $downloadUrl : $($error[0])"
+            if (!(Test-Path $downloadDest))
+            {
+                if ($retries -gt 0)
+                {
+                    Write-Host "$retries retries left, trying download again"
+                    $retries--
+                    start-sleep -Seconds 10
+                }
+                else
+                {
+                    throw "$downloadName was not found at $downloadDest"
+                }
+            }
+            else
+            {
+                Write-Warning "$downloadName may be out of date"
+            }
+        }
+    }
+
+    Unblock-File $downloadPath
+
+    $downloadDestTemp = $downloadPath;
+
+    # Delete and rename to final dest
+    if (Test-Path -PathType Container $downloadDest)
+    {
+        [System.IO.Directory]::Delete($downloadDest, $true)
+    }
+
+    Move-Item -Force $downloadDestTemp $downloadDest
+    Write-Host "Done"
+
+    return $downloadDest
+}
+
+function Get-ISODriveLetter
+{
+    param ([string] $isoPath)
+
+    $diskImage = Get-DiskImage -ImagePath $isoPath
+    if ($diskImage)
+    {
+        $volume = Get-Volume -DiskImage $diskImage
+
+        if ($volume)
+        {
+            $driveLetter = $volume.DriveLetter
+            if ($driveLetter)
+            {
+                $driveLetter += ":"
+                return $driveLetter
+            }
+        }
+    }
+
+    return $null
+}
+
+function Mount-ISO
+{
+    param ([string] $isoPath)
+
+    # Check if image is already mounted
+    $isoDrive = Get-ISODriveLetter $isoPath
+
+    if (!$isoDrive)
+    {
+        Mount-DiskImage -ImagePath $isoPath -StorageType ISO | Out-Null
+    }
+
+    $isoDrive = Get-ISODriveLetter $isoPath
+    Write-Verbose "$isoPath mounted to ${isoDrive}:"
+}
+
+function Dismount-ISO
+{
+    param ([string] $isoPath)
+
+    $isoDrive = (Get-DiskImage -ImagePath $isoPath | Get-Volume).DriveLetter
+
+    if ($isoDrive)
+    {
+        Write-Verbose "$isoPath dismounted"
+        Dismount-DiskImage -ImagePath $isoPath | Out-Null
+    }
+}
+
+function Disable-StrongName
+{
+    param ([string] $publicKeyToken = "*")
+
+    reg ADD "HKLM\SOFTWARE\Microsoft\StrongName\Verification\*,$publicKeyToken" /f | Out-Null
+    if ($env:PROCESSOR_ARCHITECTURE -eq "AMD64")
+    {
+        reg ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,$publicKeyToken" /f | Out-Null
+    }
+}
+
+function Test-Admin
+{
+    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
+    $principal = New-Object Security.Principal.WindowsPrincipal $identity
+    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+}
+
+function Test-RegistryPathAndValue
+{
+    param (
+        [parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $path,
+        [parameter(Mandatory=$true)]
+        [ValidateNotNullOrEmpty()]
+        [string] $value)
+
+    try
+    {
+        if (Test-Path $path)
+        {
+            Get-ItemProperty -Path $path | Select-Object -ExpandProperty $value -ErrorAction Stop | Out-Null
+            return $true
+        }
+    }
+    catch
+    {
+    }
+
+    return $false
+}
+
+function Test-InstallWindowsSDK
+{
+    $retval = $true
+
+    if (Test-RegistryPathAndValue -Path $WindowsSDKRegPath -Value $WindowsSDKRegRootKey)
+    {
+        # A Windows SDK is installed
+        # Is an SDK of our version installed with the options we need?
+        if (Test-RegistryPathAndValue -Path $WindowsSDKInstalledRegPath -Value "$WindowsSDKOptions")
+        {
+            # It appears we have what we need. Double check the disk
+            $sdkRoot = Get-ItemProperty -Path $WindowsSDKRegPath | Select-Object -ExpandProperty $WindowsSDKRegRootKey
+            if ($sdkRoot)
+            {
+                if (Test-Path $sdkRoot)
+                {
+                    $refPath = Join-Path $sdkRoot "References\$WindowsSDKVersion"
+                    if (Test-Path $refPath)
+                    {
+                        $umdPath = Join-Path $sdkRoot "UnionMetadata\$WindowsSDKVersion"
+                        if (Test-Path $umdPath)
+                        {
+                            # Pretty sure we have what we need
+                            $retval = $false
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    return $retval
+}
+
+function Test-InstallStrongNameHijack
+{
+    foreach($publicKeyToken in $PublicKeyTokens)
+    {
+        $key = "$StrongNameRegPath\*,$publicKeyToken"
+        if (!(Test-Path $key))
+        {
+            return $true
+        }
+    }
+
+    return $false
+}
+
+Write-Host -NoNewline "Checking for installed Windows SDK $WindowsSDKVersion..."
+$InstallWindowsSDK = Test-InstallWindowsSDK
+if ($InstallWindowsSDK)
+{
+    Write-Host "Installation required"
+}
+else
+{
+    Write-Host "INSTALLED"
+}
+
+$StrongNameHijack = Test-InstallStrongNameHijack
+Write-Host -NoNewline "Checking if StrongName bypass required..."
+
+if ($StrongNameHijack)
+{
+    Write-Host "REQUIRED"
+}
+else
+{
+    Write-Host "Done"
+}
+
+if ($StrongNameHijack -or $InstallWindowsSDK)
+{
+    if (!(Test-Admin))
+    {
+        Write-Host
+        throw "ERROR: Elevation required"
+    }
+}
+
+if ($InstallWindowsSDK)
+{
+    if ($env:TEMP -eq $null)
+    {
+        $env:TEMP = Join-Path $env:SystemDrive 'temp'
+    }
+
+    $winsdkTempDir = Join-Path $env:TEMP "WindowsSDK"
+
+    if (![System.IO.Directory]::Exists($winsdkTempDir))
+    {
+        [void][System.IO.Directory]::CreateDirectory($winsdkTempDir)
+    }
+
+    $file = "winsdk.iso"
+
+    Write-Verbose "Getting WinSDK from $WindowsSDKDownloadURL"
+    $downloadFile = Download-File $winsdkTempDir $WindowsSDKDownloadURL $file
+    Write-Verbose "File is at $downloadFile"
+    $downloadFileItem = Get-Item $downloadFile
+
+    # Check to make sure the file is at least 10 MB.
+    if ($downloadFileItem.Length -lt 10*1024*1024)
+    {
+        Write-Host
+        Write-Host "ERROR: Downloaded file doesn't look large enough to be an ISO. The requested version may not be on microsoft.com yet."
+        Write-Host
+        Exit 1
+    }
+
+    # TODO Check if zip, exe, iso, etc.
+    try
+    {
+        Write-Host -NoNewline "Mounting ISO $file..."
+        Mount-ISO $downloadFile
+        Write-Host "Done"
+
+        $isoDrive = Get-ISODriveLetter $downloadFile
+
+        if (Test-Path $isoDrive)
+        {
+            Write-Host -NoNewLine "Installing WinSDK..."
+
+            $setupPath = Join-Path "$isoDrive" "WinSDKSetup.exe"
+            Start-Process -Wait $setupPath "/features $WindowsSDKOptions /q"
+            Write-Host "Done"
+        }
+        else
+        {
+            throw "Could not find mounted ISO at ${isoDrive}"
+        }
+    }
+    finally
+    {
+        Write-Host -NoNewline "Dismounting ISO $file..."
+        #Dismount-ISO $downloadFile
+        Write-Host "Done"
+    }
+}
+
+if ($StrongNameHijack)
+{
+    Write-Host -NoNewline "Disabling StrongName for Windows SDK..."
+
+    foreach($key in $PublicKeyTokens)
+    {
+        Disable-StrongName $key
+    }
+
+    Write-Host "Done"
+}
