From 9e20ec4d437993715a8d1317a9b80043e6c07fe1 Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Mon, 17 Jan 2022 20:22:52 +0000
Subject: Restore MSIX signing and ensure expired certificates are not selected (GH-30649)

Reverts the change in d6c6e6b and applies a better fix.
---
 .azure-pipelines/windows-release/stage-pack-msix.yml | 8 +++++---
 .azure-pipelines/windows-release/stage-sign.yml | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml
index 6f3e7a5..9f7919e 100644
--- a/.azure-pipelines/windows-release/stage-pack-msix.yml
+++ b/.azure-pipelines/windows-release/stage-pack-msix.yml
@@ -96,9 +96,7 @@ jobs:
 displayName: Sign side-loadable MSIX bundles
 dependsOn:
 - Pack_MSIX
- # Our current certificate does not support MSIX signing, so we unconditionally skip this step
- #condition: and(succeeded(), variables['SigningCertificate'])
- condition: false
+ condition: and(succeeded(), variables['SigningCertificate'])
 pool:
 name: 'Windows Release'
@@ -123,6 +121,10 @@ jobs:
 downloadPath: $(Build.BinariesDirectory)
 # MSIX must be signed and timestamped simultaneously
+ #
+ # Getting "Error: SignerSign() failed." (-2147024885/0x8007000b)"?
+ # It may be that the certificate info collected in stage-sign.yml is wrong. Check that
+ # you do not have multiple matches for the certificate name you have specified.
 - powershell: |
 $failed = $true
 foreach ($retry in 1..3) {
diff --git a/.azure-pipelines/windows-release/stage-sign.yml b/.azure-pipelines/windows-release/stage-sign.yml
index c21e1c9..d43e077 100644
--- a/.azure-pipelines/windows-release/stage-sign.yml
+++ b/.azure-pipelines/windows-release/stage-sign.yml
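Review bot: In stage-pack-msix.yml, the restored `condition: and(succeeded(), variables['SigningCertificate'])` skips the signing job without any message when `SigningCertificate` is empty, and nothing in the hunk shows whether a later stage notices that the side-loadable bundles were left unsigned. A short comment above the condition would make that explicit, for example `# Skipped when SigningCertificate is not set; the bundles are then left unsigned`, if that is the intended behaviour for test builds. If release builds must always be signed, a signature check in the publishing stage would catch a missing variable; that stage is outside this diff. The job definition starts before and continues after the hunk.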
@@ -91,7 +91,7 @@ jobs:
 - powershell: |
 $m = 'CN=$(SigningCertificate)'
 $c = ((gci Cert:\CurrentUser\My), (gci Cert:\LocalMachine\My)) | %{ $_ } | `
- ?{ $_.Subject -match $m } | `
+ ?{ $_.Subject -match $m -and $_.NotBefore -lt (Get-Date) -and $_.NotAfter -gt (Get-Date) } | `
 select -First 1
 if (-not $c) {
 Write-Host "Failed to find certificate for $(SigningCertificate)"
-- 
cgit v0.12
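Review bot: The validity filter in stage-sign.yml still ends in `select -First 1`, so when several unexpired certificates match, the one used for signing depends on store enumeration order, and `-match` treats `CN=$(SigningCertificate)` as an unanchored regular expression, so any subject that merely contains the name also qualifies. The comment added to stage-pack-msix.yml in this commit documents that same ambiguity as a possible cause of SignerSign() failures; it would be safer to detect it here, e.g. drop `select -First 1` and add `if (@($c).Count -gt 1) { throw "Multiple valid certificates match $(SigningCertificate)" }`. Adding `$_.HasPrivateKey` to the `?{ }` filter would also exclude public-only copies that cannot sign. The script block starts before and continues after the hunk, so how `$c` is used afterwards is not visible.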