Treat MSI files as containers

Directory.Packages.props

@@ -33,5 +33,6 @@
     <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.4" />
     <PackageVersion Include="System.Security.Cryptography.Xml" Version="9.0.4" />
     <PackageVersion Include="System.Text.Json" Version="9.0.4" />
+    <PackageVersion Include="WixToolset.Dtf.WindowsInstaller.Package" Version="6.0.0" />
   </ItemGroup>
 </Project>

NuGet.Config

@@ -6,6 +6,8 @@
     <add key="dotnet-libraries" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-libraries/nuget/v3/index.json" />
     <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
     <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
+    <!-- TODO: Mirror WixToolset.Dtf.WindowsInstaller.Package and dependencies -->
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
   </packageSources>
   <disabledPackageSources />
 </configuration>

src/Sign.Core/Containers/ContainerProvider.cs

@@ -17,6 +17,7 @@ internal sealed class ContainerProvider : IContainerProvider
         private readonly IMakeAppxCli _makeAppxCli;
         private readonly HashSet<string> _nuGetExtensions;
         private readonly HashSet<string> _zipExtensions;
+        private readonly HashSet<string> _msiExtensions;
 
         // Dependency injection requires a public constructor.
         public ContainerProvider(
@@ -68,6 +69,12 @@ public ContainerProvider(
                 ".vsix",
                 ".zip"
             };
+
+            _msiExtensions = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+            {
+                ".msi",
+                ".msm"
+            };
         }
 
         public bool IsAppxBundleContainer(FileInfo file)
@@ -98,6 +105,13 @@ public bool IsZipContainer(FileInfo file)
             return _zipExtensions.Contains(file.Extension);
         }
 
+        public bool IsMsiContainer(FileInfo file)
+        {
+            ArgumentNullException.ThrowIfNull(file, nameof(file));
+
+            return _msiExtensions.Contains(file.Extension);
+        }
+
         public IContainer? GetContainer(FileInfo file)
         {
             ArgumentNullException.ThrowIfNull(file, nameof(file));
@@ -122,6 +136,11 @@ public bool IsZipContainer(FileInfo file)
                 return new NuGetContainer(file, _directoryService, _fileMatcher, _logger);
             }
 
+            if (IsMsiContainer(file))
+            {
+                return new MsiContainer(file, _directoryService, _fileMatcher, _logger);
+            }
+
             return null;
         }
     }

src/Sign.Core/Containers/IContainerProvider.cs

@@ -10,6 +10,7 @@ internal interface IContainerProvider
         bool IsAppxContainer(FileInfo file);
         bool IsNuGetContainer(FileInfo file);
         bool IsZipContainer(FileInfo file);
+        bool IsMsiContainer(FileInfo file);
         IContainer? GetContainer(FileInfo file);
     }
 }

src/Sign.Core/Containers/MsiContainer.cs

@@ -0,0 +1,81 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+using Microsoft.Extensions.Logging;
+using WixToolset.Dtf.WindowsInstaller;
+using WixToolset.Dtf.WindowsInstaller.Package;
+
+namespace Sign.Core
+{
+    internal class MsiContainer : Container
+    {
+        private readonly IDirectoryService _directoryService;
+        private readonly ILogger _logger;
+        private readonly FileInfo _msiFile;
+
+        public MsiContainer(
+            FileInfo msiFile,
+            IDirectoryService directoryService,
+            IFileMatcher fileMatcher,
+            ILogger logger)
+            : base(fileMatcher)
+        {
+            ArgumentNullException.ThrowIfNull(msiFile, nameof(msiFile));
+            ArgumentNullException.ThrowIfNull(directoryService, nameof(directoryService));
+            ArgumentNullException.ThrowIfNull(logger, nameof(logger));
+
+            _directoryService = directoryService;
+            _logger = logger;
+            _msiFile = msiFile;
+        }
+
+        public override ValueTask OpenAsync()
+        {
+            if (TemporaryDirectory is not null)
+            {
+                throw new InvalidOperationException();
+            }
+
+            TemporaryDirectory = new TemporaryDirectory(_directoryService);
+
+            _logger.LogInformation(
+            Resources.OpeningContainer,
+                _msiFile.FullName,
+                TemporaryDirectory.Directory.FullName);
+
+            using var package = new InstallPackage(
+                _msiFile.FullName,
+                DatabaseOpenMode.ReadOnly,
+                sourceDir: null,
+                TemporaryDirectory.Directory.FullName);
+
+            package.ExtractFiles();
+
+            return ValueTask.CompletedTask;
+        }
+
+        public override ValueTask SaveAsync()
+        {
+            if (TemporaryDirectory is null)
+            {
+                throw new InvalidOperationException();
+            }
+
+            _logger.LogInformation(
+            Resources.SavingContainer,
+                _msiFile.FullName,
+                TemporaryDirectory.Directory.FullName);
+
+            using var package = new InstallPackage(
+                _msiFile.FullName,
+                DatabaseOpenMode.Direct,
+                sourceDir: null,
+                TemporaryDirectory.Directory.FullName);
+
+            package.UpdateFiles();
+
+            return ValueTask.CompletedTask;
+        }
+    }
+}

src/Sign.Core/DataFormatSigners/AggregatingSigner.cs

@@ -179,6 +179,36 @@ where _containerProvider.IsAppxBundleContainer(file)
                 containers.Clear();
             }
 
+            List<FileInfo> msis = (from file in files
+                                   where _containerProvider.IsMsiContainer(file)
+                                   select file).ToList();
+
+            try
+            {
+                foreach (FileInfo msi in msis)
+                {
+                    IContainer container = _containerProvider.GetContainer(msi)!;
+
+                    await container.OpenAsync();
+
+                    containers.Add(container);
+                }
+
+                List<FileInfo> allFiles = containers.SelectMany(c => GetFiles(c, options)).ToList();
+
+                if (allFiles.Count > 0)
+                {
+                    await SignAsync(allFiles, options);
+
+                    await Parallel.ForEachAsync(containers, (c, cancellationToken) => c.SaveAsync());
+                }
+            }
+            finally
+            {
+                containers.ForEach(c => c.Dispose());
+                containers.Clear();
+            }
+
             // split by code sign service and fallback to default
 
             var grouped = (from signer in _signers

src/Sign.Core/Sign.Core.csproj

@@ -19,6 +19,7 @@
     <PackageReference Include="System.Security.Cryptography.Pkcs" PrivateAssets="analyzers;build;compile;contentfiles" />
     <PackageReference Include="System.Security.Cryptography.Xml" PrivateAssets="analyzers;build;compile;contentfiles" />
     <PackageReference Include="System.Text.Json" PrivateAssets="analyzers;build;compile;contentfiles" />
+    <PackageReference Include="WixToolset.Dtf.WindowsInstaller.Package" />
   </ItemGroup>
 
   <ItemGroup>

test/Sign.Core.Test/TestInfrastructure/ContainerProviderStub.cs

@@ -43,6 +43,11 @@ public bool IsZipContainer(FileInfo file)
             return _containerProvider.IsZipContainer(file);
         }
 
+        public bool IsMsiContainer(FileInfo file)
+        {
+            return _containerProvider.IsMsiContainer(file);
+        }
+
         public IContainer? GetContainer(FileInfo file)
         {
             ArgumentNullException.ThrowIfNull(file, nameof(file));