🐛 install location + re-enable arm64 MSI builds (#490)

* Re-enable support for arm64 builds for mondoo.msi

- Revert "Revert "Build arm64 MSI packages additionally to the current amd64 ones (#482)" (#486)"
    - This reverts commit 843a783.

- Revert the `Platform` attribute in the Package definition, as that
appears to dictate which install location the package should use
i.e. "Program Files" vs "Program Files (x64)"

- Some minor improvements

* Fix: add logout step to cnspec test

* Correct msi filename in test block

.github/workflows/pkg_msi.yaml

@@ -53,12 +53,18 @@ jobs:
           echo "trimmed_version=$(echo ${V} | sed 's/-.*//')" >> $GITHUB_OUTPUT
       - name: Ensure version of cnquery and cnspec are available
         run: |
-          curl -sL --head --fail https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_amd64.zip
-          curl -sL --head --fail https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_amd64.zip
-
+          curl -sL --head --fail https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_amd64.zip \
+            https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_amd64.zip \
+            https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_arm64.zip \
+            https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_arm64.zip
 
   dist-prepare:
-    name: 'Prepare Distribution for Packaging'
+    name: Prepare Distribution for Packaging
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
     runs-on: ubuntu-latest
     needs: setup
     steps:
@@ -69,34 +75,40 @@ jobs:
           VERSION: ${{ needs.setup.outputs.version }}
         run: |
           # TODO: We should check the sums here
-          mkdir -p dist && cd dist
-          curl -sSL -O https://github.com/mondoohq/cnspec/releases/download/v${VERSION}/cnspec_${VERSION}_windows_amd64.zip
-          unzip cnspec_${VERSION}_windows_amd64.zip
-          rm cnspec_${VERSION}_windows_amd64.zip
-          curl -sSL -O https://github.com/mondoohq/cnquery/releases/download/v${VERSION}/cnquery_${VERSION}_windows_amd64.zip
-          unzip cnquery_${VERSION}_windows_amd64.zip
-          rm cnquery_${VERSION}_windows_amd64.zip
+          mkdir -p dist/${{ matrix.arch }} && cd dist/${{ matrix.arch }}
+          curl -sSL -O https://github.com/mondoohq/cnspec/releases/download/v${VERSION}/cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
+          unzip cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
+          rm cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
+          curl -sSL -O https://github.com/mondoohq/cnquery/releases/download/v${VERSION}/cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
+          unzip cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
+          rm cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
           ls -lh
       - name: Upload Distribution
         uses: actions/upload-artifact@v4
         with:
-          name: dist
-          path: dist
-
+          name: dist-${{ matrix.arch }}
+          path: dist/${{ matrix.arch }}
 
   msi-build:
     name: 'Packaging: Windows MSI'
     runs-on: windows-latest
-    needs: [ setup, dist-prepare ]
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    needs:
+      - setup
+      - dist-prepare
     #  For Version: ${{ needs.setup.outputs.version }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Download Distribution
         uses: actions/download-artifact@v4
         with:
-          name: dist
-          path: dist
+          name: dist-${{ matrix.arch }}
+          path: dist/${{ matrix.arch }}
 
       - name: Setup Certificate
         shell: bash
@@ -131,19 +143,19 @@ jobs:
         run: |
           $mondooVersion = ${env:VERSION}
           echo "Running build job for version ${mondooVersion}"
-          Copy-Item .\dist\cnquery.exe .\packages\msi\msi\
-          Copy-Item .\dist\cnspec.exe .\packages\msi\msi\
-          Copy-Item .\dist\cnquery.exe .\packages\msi\appx\
-          Copy-Item .\dist\cnspec.exe .\packages\msi\appx\
+          Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\msi\
+          Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\msi\
+          Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\appx\
+          Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\appx\
           # build msi package
           echo " - Packaging MSI..."
           Set-Location -Path '.\packages\msi\'
-          ./package.ps1 -version $mondooVersion
+          ./package.ps1 -version $mondooVersion -arch ${{ matrix.arch }}
           # sign msi package
           echo " - Signing MSI..."
           Set-Location -Path '.\..\..'
-          signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\packages\msi\mondoo.msi
-          Copy-Item '.\packages\msi\mondoo.msi' '.\dist\'
+          signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\packages\msi\mondoo_${{ matrix.arch }}.msi
+          Copy-Item '.\packages\msi\mondoo_${{ matrix.arch }}.msi' '.\dist\${{ matrix.arch }}'
       - name: Dump Signing Log on Failure
         if: failure()
         run: |
@@ -158,15 +170,14 @@ jobs:
 
       - name: Cleanup dist before upload
         run: |
-          Remove-Item -Path .\dist\cnquery.exe -Force
-          Remove-Item -Path .\dist\cnspec.exe -Force
+          Remove-Item -Path .\dist\${{ matrix.arch }}\cnquery.exe -Force
+          Remove-Item -Path .\dist\${{ matrix.arch }}\cnspec.exe -Force
 
       - name: Upload Distribution
         uses: actions/upload-artifact@v4
         with:
-          name: msi
-          path: dist/
-
+          name: msi-${{ matrix.arch }}
+          path: dist/${{ matrix.arch }}
 
   test-msi-install:
     name: Test Signed Package
@@ -183,16 +194,16 @@ jobs:
       - name: Download MSI Package
         uses: actions/download-artifact@v4
         with:
-          name: msi
+          name: msi-${{ matrix.arch }}
           path: dist
       - name: Verify digital signature is valid
         run: |
           cd dist
-          Get-AuthenticodeSignature -FilePath .\\mondoo.msi
+          Get-AuthenticodeSignature -FilePath .\\mondoo_${{ matrix.arch }}.msi
       - name: Install artifact
         run: |
           cd dist
-          msiexec /qn /i mondoo.msi
+          msiexec /qn /i mondoo_${{ matrix.arch }}.msi
       - name: Verify the correct cnquery version is installed
         run: |
           $version=& 'C:\Program Files\Mondoo\cnquery.exe' version
@@ -220,10 +231,17 @@ jobs:
         run: |
           & 'C:\Program Files\Mondoo\cnspec.exe' policy download mondoo-windows-installer -f mondoo-windows-installer.mql.yaml
           & 'C:\Program Files\Mondoo\cnspec.exe' scan local --detect-cicd --score-threshold 100 -o full --policy-bundle mondoo-windows-installer.mql.yaml
-
+      - name: Logout from edge with cnspec
+        run: |
+          & 'C:\Program Files\Mondoo\cnspec.exe' logout --config C:\ProgramData\Mondoo\mondoo.yml --force
 
   publish:
     name: 'Publish: Releases'
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
     needs:
       - setup
       - msi-build
@@ -236,15 +254,15 @@ jobs:
       - name: Download MSI Package
         uses: actions/download-artifact@v4
         with:
-          name: msi
+          name: msi-${{ matrix.arch }}
           path: dist
       - name: Authenticate with Google Cloud
         id: gauth
-        uses: 'google-github-actions/auth@v2'
+        uses: google-github-actions/auth@v2
         with:
-          credentials_json: '${{secrets.GCP_CREDENTIALS}}'
-      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+          credentials_json: ${{secrets.GCP_CREDENTIALS}}
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
       - name: Verify access to release bucket
         env:
           VERSION: ${{ needs.setup.outputs.version }}
@@ -255,10 +273,10 @@ jobs:
           VERSION: ${{ needs.setup.outputs.version }}
         run: |
           cd dist
-          mv mondoo.msi mondoo_${VERSION}_windows_amd64.msi
-          sha256sum mondoo_${VERSION}_windows_amd64.msi >> checksums.windows.txt
-          gsutil cp checksums.windows.txt gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows.txt
-          gsutil cp mondoo_${VERSION}_windows_amd64.msi gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_amd64.msi
+          mv mondoo_${{ matrix.arch }}.msi mondoo_${VERSION}_windows_${{ matrix.arch }}.msi
+          sha256sum mondoo_${VERSION}_windows_${{ matrix.arch }}.msi >> checksums.windows_${{ matrix.arch }}.txt
+          gsutil cp checksums.windows_${{ matrix.arch }}.txt gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows_${{ matrix.arch }}.txt
+          gsutil cp mondoo_${VERSION}_windows_${{ matrix.arch }}.msi gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_${{ matrix.arch }}.msi
       - name: Reindex folder on releaser.mondoo.com
         uses: peter-evans/repository-dispatch@v3
         env:
@@ -273,5 +291,4 @@ jobs:
             }'
       - name: Cleanup
         run: |
-          rm -f "${{ steps.gauth.outputs.credentials_file_path }}"
-
+          rm -f "${{ steps.gauth.outputs.credentials_file_path }}"

.gitignore

@@ -18,4 +18,10 @@ packages/msi/v16
 
 # Arch AUR Generated Files
 packages/archlinux/cnquery
-packages/archlinux/cnspec
+packages/archlinux/cnspec
+
+# vscode
+.vscode
+
+# OS caches
+.DS_Store

packages/msi/msi/Product.wxs

@@ -6,13 +6,28 @@
 
 <?define UpgradeCodeStandard = "b0fee933-ccd2-467c-8fe4-bb0ac6a099c8" ?>
 <?define UpgradeCodeEnterprise = "4ABDD5C7-E1E1-41A6-8119-DCE65634A6CC" ?>
-<?if $(var.MondooSKU) = "standard" ?>
-<?define UpgradeCode = "$(var.UpgradeCodeStandard)"?>
+<?define UpgradeCodeArm64 = "090cfb7d-c00c-4d36-94fe-f649a4b29c91" ?>
 <?define ProductName = "Mondoo"?>
 <?define ServiceInstallStart = "demand" ?>
 <?define RegistrationTokenRequired = "0"?>
 <?define OtherSKU = "$(var.UpgradeCodeEnterprise)"?>
-<?elseif $(var.MondooSKU) = "enterprise" ?>
+<?if $(var.arch) = "arm64"?>
+<?define UpgradeCode = "$(var.UpgradeCodeArm64)"?>
+<!--
+ InstallerVersion 500 is the minimum required for arm64
+ It is roughly equivalent to Windows 7
+ For details, see https://wixtoolset.org/docs/v3/xsd/wix/package/
+-->
+<?define InstallerVersion="500"?>
+<?else?>
+<!--
+ InstallerVersion 200 is the minimum required for x64
+ It is roughly equivalent to Windows XP
+-->
+<?define InstallerVersion="200"?>
+<?if $(var.MondooSKU) = "standard"?>
+<?define UpgradeCode = "$(var.UpgradeCodeStandard)"?>
+<?elseif $(var.MondooSKU) = "enterprise"?>
 <?define UpgradeCode = "$(var.UpgradeCodeEnterprise)"?>
 <?define ProductName = "Mondoo Enterprise"?>
 <?define ServiceInstallStart = "auto" ?>
@@ -21,17 +36,19 @@
 <?else?>
 <?error MondooSKU must be defined as one of "standard" or "enterprise" ?>
 <?endif?>
+<?endif?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
   xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
   <Product Name="$(var.ProductName)" Version="$(var.ProductVersion)" Manufacturer="Mondoo, Inc." Language="1033" Codepage="1252" Id="*" UpgradeCode="$(var.UpgradeCode)">
     <!-- custom action do not work if its not privileged-->
+    <!-- Platform="x64" makes our package install in Program Files vs Program Files (x64)-->
     <Package
       Description="Mondoo verifies your system for known vulnerabilities"
       Manufacturer="Mondoo, Inc."
-      InstallerVersion="200"
+      InstallerVersion="$(var.InstallerVersion)"
       Compressed="yes"
       Comments="Windows Installer Package"
-      Platform="x64"
+      Platform="$(var.arch)"
       InstallScope="perMachine"
       InstallPrivileges="elevated"
       />

packages/msi/package.ps1

@@ -3,9 +3,12 @@
 
 # use: ./package.ps1 -version 0.32.0
 param (
-    [string]$version = 'x.xx.x'
+    [string]$version = 'x.xx.x',
+    [string]$arch = 'amd64|arm64'
 )
 
+$platform = $arch -eq "amd64" ? "x64" : $arch
+
 function info($msg) {  Write-Host $msg -f white }
 
 # info "build appx package"
@@ -16,22 +19,25 @@ function info($msg) {  Write-Host $msg -f white }
 
 info "build msi package $version"
 # delete previous build
-Remove-Item .\mondoo.msi -ErrorAction Ignore
+Remove-Item ".\mondoo.msi" -ErrorAction Ignore
+Remove-Item ".\mondoo_${arch}.msi" -ErrorAction Ignore
 cd msi
 # delete previous intermediate files
 Remove-Item .\Product.wixobj -ErrorAction Ignore
 Remove-Item .\mondoo.wixpdb -ErrorAction Ignore
 # build package
 dir 'C:\Program Files (x86)\'
 info "run candle (standard)"
-& 'C:\Program Files (x86)\WiX Toolset v3.14\bin\candle' -nologo -arch x64 -dMondooSKU="standard" -dProductVersion="$version" -ext WixUtilExtension Product.wxs
+& 'C:\Program Files (x86)\WiX Toolset v3.14\bin\candle' -nologo -dMondooSKU="standard" -darch="$platform" -dProductVersion="$version" -ext WixUtilExtension Product.wxs
 
 info "run light (standard)"
-& 'C:\Program Files (x86)\WiX Toolset v3.14\bin\light' -nologo -dcl:high -cultures:en-us -loc en-us.wxl -ext WixUIExtension -ext WixUtilExtension product.wixobj -o mondoo.msi
+
+& 'C:\Program Files (x86)\WiX Toolset v3.14\bin\light' -nologo -dcl:high -cultures:en-us -loc en-us.wxl -ext WixUIExtension -ext WixUtilExtension product.wixobj -o "mondoo_${arch}.msi"
 
 # delete previous intermediate files
 Remove-Item .\Product.wixobj -ErrorAction Ignore
 Remove-Item .\mondoo.wixpdb -ErrorAction Ignore
 cd ..
 
-Move-Item .\msi\mondoo.msi .
+Move-Item ".\msi\mondoo_${arch}.msi" .
+