From ebcc9a1d10f2f974bff2cbc8f4db89725e914ecf Mon Sep 17 00:00:00 2001
From: Tero Heikkinen <tero.heikkinen@qt.io>
Date: Fri, 14 Mar 2025 08:25:06 +0200
Subject: [PATCH] Provisioning: Add Root Certificate update for Windows

Windows usually updates certificates once a week, but due
to disabling Windows background updates there is need to
install and update certificates manually.

Updating certificates during provisioning is selected method
as it's aligned with the same procedure how linux machines have
handled the same.

Task-number: QTQAINFRA-7001
Pick-to: 6.9 6.8 5.15
Change-Id: I7c077b5e08328b12c481a3501736f06baf85e71e
Reviewed-by: Oliver Wolff <oliver.wolff@qt.io>
Reviewed-by: Matti Paaso <matti.paaso@qt.io>
---
 .../common/windows/certificate-updates.ps1           | 12 ++++++++++++
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 .../00-certificate-updates.ps1                       |  1 +
 8 files changed, 19 insertions(+)
 create mode 100644 coin/provisioning/common/windows/certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-10-x86_64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-10_21H2-x86_64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-10_22H2-x86_64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-11_21H2-x86_64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-11_22H2-aarch64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-11_22H2-x86_64/00-certificate-updates.ps1
 create mode 100644 coin/provisioning/qtci-windows-11_23H2-x86_64/00-certificate-updates.ps1

diff --git a/coin/provisioning/common/windows/certificate-updates.ps1 b/coin/provisioning/common/windows/certificate-updates.ps1
new file mode 100644
index 00000000..f22a97a4
--- /dev/null
+++ b/coin/provisioning/common/windows/certificate-updates.ps1
@@ -0,0 +1,12 @@
+# Copyright (C) 2025 The Qt Company Ltd.
+# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+
+# This script updates Windows Root Certifications which are usually updated weekly by Windows update
+
+. "$PSScriptRoot\helpers.ps1"
+
+$sstCerts = "C:\Windows\Temp\certificates.sst"
+Run-Executable "certutil.exe" "-generateSSTFromWU $sstCerts"
+$sstCertsPath = (Get-ChildItem -Path $sstCerts)
+$sstCertsPath | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root" | Out-String | Measure-Object -Line
+Remove-Item -Path $sstCerts
diff --git a/coin/provisioning/qtci-windows-10-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-10-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-10-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-10_21H2-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-10_21H2-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-10_21H2-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-10_22H2-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-10_22H2-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-10_22H2-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-11_21H2-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-11_21H2-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-11_21H2-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-11_22H2-aarch64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-11_22H2-aarch64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-11_22H2-aarch64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-11_22H2-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-11_22H2-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-11_22H2-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"
diff --git a/coin/provisioning/qtci-windows-11_23H2-x86_64/00-certificate-updates.ps1 b/coin/provisioning/qtci-windows-11_23H2-x86_64/00-certificate-updates.ps1
new file mode 100644
index 00000000..3691baf2
--- /dev/null
+++ b/coin/provisioning/qtci-windows-11_23H2-x86_64/00-certificate-updates.ps1
@@ -0,0 +1 @@
+. "$PSScriptRoot\..\common\windows\certificate-updates.ps1"