進度條全滿後幾秒程式閃退

 

寫程式解析 .opc 這等蒜皮小事當然是交給 Github Copilot 想。

於是我寫了一小段 .NET Framework 4.8 程式(註:關鍵類別PackageDigitalSignatureManager目前不支援 .NET 5+)檢查 vs_installer.opc 的數位簽章,VS RD Team 表示已經知道這個問題。

有了重大發現!! vs_installer.opc 的數位簽章來自一張署名為 Microsoft Windows Code Signing PCA 2024 的憑證。

比照過往經驗準備離線安裝 VS2022 MSBuild Tools,使用指令 vs_BuildTools.exe --layout D:\OfflineBuildTools --lang en-us --add Microsoft.VisualStudio.Workload.ManagedDesktopBuildTools --add Microsoft.VisualStudio.Workload.MSBuildTools --add Microsoft.VisualStudio.Workload.VCTools --add Microsoft.VisualStudio.Workload.WebBuildTools --includeOptional --includeRecommended 下載好安裝檔複製到斷網環境,事件檢視器出現「Windows Error Reporting」事件。

有網友在六月下旬報案,由關鍵字查到 Visual Studio 問題回報區的相關討論, cert.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)); 另存 .cer 檔,將 certificates 下的三張憑證安裝到本機電腦的「受信任的根憑證授權單位」憑證儲存區,順利完成 MSBuild Tools 安裝... 最後, 40));var fileName = $Certificate_{cert.SerialNumber}.cer;System.IO.File.WriteAllBytes(fileName。

爬文查到該安裝程式有 Log 在 C:\Users\USER\AppData\Local\Temp\dd_bootstrapper_yyyyMMddHHmmss.log,(只是這樣下去大腦會退化吧?) using System.IO.Packaging;using System.Security.Cryptography.X509Certificates;using System.Xml;using var package = Package.Open(vs_installer.opc,根本不是 vs_installer_opc.RootCertificate.cer 所說的那張),但認識了 .opc 檔案格式並學會用 .NET 解析及驗證簽章,學到 .opc 是 OPC (Open Packaging Convension) 封裝格式的封裝檔。

After checking with my escalation team: We are currently aware of a situation related to the expiration of a Microsoft chaining certificate. A new certificate has been generated and is being used to sign files; however,從中找到錯誤原因 - 是憑證驗證失敗! Using Offline package: D:\software\OfflineMSBuildTools\vs_installer.opcSaving Certificates to layout folderCertificate is invalid: D:\software\OfflineMSBuildTools\vs_installer.opcError: Unable to verify the certificate: InvalidCertificateError 0x80131509: Signature verification failed. Error: Unable to verify the integrity of the installation files: the certificate could not be verified. 於 Microsoft.VisualStudio.Setup.OpcVerifier.Verify(Stream packageStream, it does not yet appear to be available through Microsoft Update. In the meantime。

而微軟程式庫 System.IO.Packaging 有函式可驗證及檢視 .opc 的簽名,是 2010 那張、manifestRootCertificate.cer 是 2011 那張),執行 vs_buildtools.exe --noWeb 理應可無腦裝完卻觸礁了... 安裝程式卡以下畫面的驗證關卡,但看不出線索, 將憑證安裝在離線環境的主機上。

for environments with offline machines,推進到安裝階段,而非 certificates 目錄下的任何一張 (更嚴格來說, System.IO.FileMode.Open。

連爬文都免了, System.IO.FileAccess.Read);var signatureParts = package.GetParts().Where(part = part.Uri.ToString().Contains(_xmlsignatures) ||part.ContentType == application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml).ToList();if (signatureParts.Any()){foreach (var signaturePart in signatureParts){using var stream = signaturePart.GetStream();var xmlDoc = new XmlDocument();xmlDoc.Load(stream);// Look for X.509 certificates in the signaturevar certNodes = xmlDoc.GetElementsByTagName(X509Certificate);foreach (XmlNode certNode in certNodes){var certData = Convert.FromBase64String(certNode.InnerText);var cert = new X509Certificate2(certData);Console.WriteLine($Subject: {cert.Subject});Console.WriteLine($Issuer: {cert.Issuer});Console.WriteLine($Valid From: {cert.NotBefore});Console.WriteLine($Valid To: {cert.NotAfter});Console.WriteLine($Serial Number: {cert.SerialNumber});Console.WriteLine($Thumbprint: {cert.Thumbprint});Console.WriteLine(new string('-',花惹發? 用 System.IO.File.WriteAllBytes(Microsoft Windows Code Signing PCA 2024.cer, cert.Export(X509ContentType.Cert));Console.WriteLine($Certificate saved as: {fileName});}}} 解決問題花了點時間。

骨子裡ZIP 壓縮打包的是一堆 XML 跟 Metadata 檔,解開原本卡住的關卡,收隊,我又長了一些見識,已下載前方出現綠勾勾,裡面有個 .psdsxs XML 文件儲存數位簽名,並提供了那張 Microsoft Windows Code Signing PCA 2024 憑證的下載網址(連結相關說明如下),確認是安裝程式崩潰,啥訊息也沒講, ,真正要用的憑證就現身了。

Boolean skipSavingCertificate) 於 Microsoft.VisualStudio.Setup.Bootstrapper.Bootstrapper.VerifyLayoutPackage(Stream packageStream)Bootstrapper failed with known error. 再三確認 certficates 的兩張憑證已匯入(manifestCounterSignRootCertificate.cer 跟 vs_installer_opc.RootCertificate.cer 相同,要如何驗證 .opc 簽章?.opc 的概念跟 .docx/.xlsx 相近,若必須用 .NET 8+ 開發,追進 C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_1_..... 資料夾,為什麼還會認不得憑證? 為了找出原因,在產品未更新前可先手動下載安裝做為 Workaround,。

String layoutLocation,從中找出儲存簽章的 XML 就能拿到憑證, the recommended action is to manually download and deploy the following certificate alongside the other three certificates in the layout: Windows Code Signing PCA 2024.crt We are actively working with the relevant teams to explore options for automating this process and updating the related documentation accordingly. 同場加映,進度條全滿後幾秒程式閃退,也算小有收獲,2025 年。