Generate Code Integrity catalog when packaging MSIX
Categories
(Firefox :: Installer, enhancement, P3)
Tracking
()
People
(Reporter: nalexander, Unassigned)
References
(Blocks 1 open bug)
Details
This is from :agashlin in a different medium: "The makemsix signing branch that we use in automation doesn't generate a Code Integrity catalog when signing the package, unlike makeappx.exe. I assume that when Microsoft signs the package for the store they use makeappx.exe, we may need to do this as well for testing. This lack of Code Integrity may also be missed by some enterprise MSIX users."
This ticket tracks including a Code Integrity catalog when packaging MSIX, possibly by teaching makemsix how to so.
If this is a hard blocker, we could try using Wine to run makeappx.exe, or we could run the relevant MSIX jobs on Windows directly.
|
||
Comment 1•3 years ago
|
||
Minor correction to myself: the signing would be done by signtool, not makeappx.
|
||
Updated•3 years ago
|
|
|
||
Comment 2•3 years ago
|
||
I no longer think there's any application for this: If an enterprise is enforcing code integrity independent of the Store, they'd want to sign the Code Integrity catalog with their own key to limit the binaries that are allowed to run.
Description
•