diff --git a/CLAUDE.md b/CLAUDE.md index 8c270e3..792856d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -160,6 +160,24 @@ xetup.exe start ### Parallel winget - 02-software.ps1 launches all winget installs as background jobs (Start-Job) - Jobs run simultaneously, results collected after all complete +- Every install passes `--source winget` (msstore source fails on fresh Win11 ISOs: 0x8a15005e) + +### Atera agent +- Installed under NT AUTHORITY\SYSTEM via a one-shot scheduled task (msiexec /qn) - under SYSTEM + there is no interactive MFA prompt. Verified via the AteraAgent service (path check fallback). + +### Keyboard + accent (step 04) +- Keyboard: CZ primary + US secondary (Set-WinUserLanguageList + Preload in Default hive and HKU\.DEFAULT) +- Accent #223B47 needs AccentColor AND AccentPalette (REG_BINARY) or Win11 drops it on Start/taskbar +- Theme written to Default hive + current HKCU + HKU\.DEFAULT so all profiles match +- File Explorer pinned via AUMID (Microsoft.Windows.Explorer), not a custom .lnk (avoids 2nd Explorer) +- BackInfo.ini BackgroundColor is 0xRRGGBB decimal (RGB, not COLORREF): #223B47 = 2243399 + +### Code signing +- CI signs xetup.exe via Azure Trusted Signing (cert "X9.cz s.r.o.") + jsign + RFC3161 timestamp +- Certs are short-lived (~3 days); the timestamp keeps signatures valid past expiry +- Only AZURE_CLIENT_SECRET is a Forgejo Actions secret; the SP is shared across X9 projects - do NOT rotate +- jsign auth needs the Trusted Signing token; runner-config mounts the docker socket for the deploy.json step --- diff --git a/SPEC.md b/SPEC.md index dfab7e1..fa49850 100644 --- a/SPEC.md +++ b/SPEC.md 
@@ -67,7 +67,8 @@ Removes ~35 AppX packages (Cortana, Copilot, Teams, Xbox, Skype, News, etc.), ## Step 02 - Software installation -Parallel winget installs (Start-Job): +Parallel winget installs (Start-Job). Every install uses `--source winget` to bypass the +msstore source, which fails on fresh Win11 ISOs (stale App Installer cert, 0x8a15005e): | Software | Winget ID | |---|---| @@ -76,8 +77,13 @@ Parallel winget installs (Start-Job): | OpenVPN Connect | OpenVPNTechnologies.OpenVPNConnect | After Acrobat: UCPD driver stopped, .pdf → AcroExch.Document.DC set via HKCR, UCPD restarted. +On Win11 24H2 UCPD is a protected service and the stop fails (logged WARN, not ERROR); the +system-wide HKCR write succeeds regardless. -Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed via msiexec /qn with -Wait. +Atera RMM agent: downloaded from x9.servicedesk.atera.com, installed under NT AUTHORITY\SYSTEM +via a one-shot scheduled task (msiexec /qn). Under SYSTEM the agent registers silently with no +interactive MFA prompt. Verified via the AteraAgent service (Get-Service), with a path check +(incl. C:\ProgramData) as fallback. --- 
@@ -104,12 +110,20 @@ Single hive load of C:\Users\Default\NTUSER.DAT. All changes applied to both Def hive and current HKCU. Feature-toggled sections: - **taskbarTweaks**: left alignment, hide Search/Copilot/TaskView/Widgets/Chat, show all - tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on + tray icons, taskbar layout XML per ProfileType (default/admin/user), NumLock on. + File Explorer is pinned via its AppUserModelID (DesktopApplicationID="Microsoft.Windows.Explorer"), + not a custom .lnk - a hand-made shortcut launched a second Explorer and could not be unpinned. - **startMenuTweaks**: empty pins, disable Bing search, disable Copilot, disable GameDVR - **explorerTweaks**: show extensions, LaunchTo=ThisPC, hide Recent/Frequent, full path -Personalization (always): dark shell / light apps, accent #223B47, transparency off, -solid wallpaper #223B47 (BackInfo overwrites on logon). +Keyboard (always): CZ primary + US secondary - Set-WinUserLanguageList (current user) plus +the Preload key (1=00000405 CZ, 2=00000409 US) in the Default hive and HKU\.DEFAULT. + +Personalization (always): Custom mode (dark shell / light apps), accent #223B47 set via +AccentColor AND AccentPalette (the palette is required or Win11 drops the custom accent on +Start/taskbar), ColorPrevalence on for Start/taskbar and title bars/borders, transparency off, +solid wallpaper #223B47 (BackInfo overwrites on logon). Written to the Default hive (new users), +the current user (HKCU) and HKU\.DEFAULT (lock/welcome screen) so all profiles match. --- 
@@ -117,14 +131,17 @@ solid wallpaper #223B47 (BackInfo overwrites on logon). Copies BackInfo.exe + INI to C:\Program Files\Backinfo\. Detects OS, writes OSName to registry. Creates startup shortcut for all users. BackInfo renders system info BMP as -desktop wallpaper on every logon. +desktop wallpaper on every logon. Background is solid #223B47 (BackInfo.ini +BackgroundColor = 2243399; BackInfo reads the value as 0xRRGGBB / RGB, not COLORREF/BGR). --- ## Step 10 - Network Sets all connected adapters to Private profile. Enables ICMP echo (ping) and Network -Discovery firewall rules. +Discovery firewall rules. Network Discovery is matched by its resource-string group +(-Group "@FirewallAPI.dll,-32752"), not the localized display name, so it works on +non-English (e.g. Czech) Windows. --- @@ -149,7 +166,8 @@ from current. Exit 9 only when rename actually happened (restart required). Installs PSWindowsUpdate module, runs one update pass. Exit 9 when updates were installed (reboot needed for next round). Exit 0 when fully up to date. xetup state machine handles -the reboot cycle automatically. +the reboot cycle automatically. Installed updates are logged via their Result/Title +properties (logging the raw objects printed "System.__ComObject"). --- @@ -174,3 +192,14 @@ the reboot cycle automatically. Sent via SMTP2Go at end of deployment. HTML with per-step status table, timestamps, OK/ERROR/SKIPPED counts. Subject: "xetup report HOSTNAME". 
From: xetup@x9.cz, To: net@x9.cz. + +--- + +## Code signing (CI) + +The Forgejo Actions release workflow signs xetup.exe on every push to main (and via +workflow_dispatch): build → sign → publish. Signing uses Azure Trusted Signing (certificate +"X9.cz s.r.o.") through jsign, with an RFC3161 timestamp (timestamp.acs.microsoft.com). +Trusted Signing certs are short-lived (~3 days); the timestamp keeps the signature valid past +expiry. Only the Entra client secret is a Forgejo secret (AZURE_CLIENT_SECRET); the signed +binary is published as the "latest" release asset.
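Review bot: in the CLAUDE.md hunk (`@@ -160,6 +160,24 @@`), the bullet `- Only AZURE_CLIENT_SECRET is a Forgejo Actions secret; the SP is shared across X9 projects - do NOT rotate` turns a coordination constraint into a standing prohibition; a client secret that may never be rotated also cannot be revoked if the runner or the Forgejo secret store is compromised. Suggest rewording to say that rotation must be coordinated across the X9 projects sharing the service principal (and listing where the secret is consumed), and adding the secret's expiry date so rotation is planned rather than forbidden. In the same hunk, `runner-config mounts the docker socket for the deploy.json step` should state the consequence: a job with the docker socket is effectively root on the runner host, so only the deploy.json step should receive it, and the signing step that holds the Trusted Signing token should not share that privilege.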
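Review bot: the Atera paragraph in the SPEC.md hunk `@@ -76,8 +77,13 @@` describes downloading the MSI from x9.servicedesk.atera.com and running it with msiexec /qn as NT AUTHORITY\SYSTEM, but says nothing about verifying the file before it executes at the highest local privilege. Suggest documenting (and implementing in 02-software.ps1 if it is not already there) an Authenticode check before the scheduled task is created, e.g. `if ((Get-AuthenticodeSignature $msi).Status -ne 'Valid') { throw "unsigned Atera MSI" }`. Also, `Verified via the AteraAgent service (Get-Service), with a path check (incl. C:\ProgramData) as fallback` treats the presence of files as success; the check should require the service to exist and be Running, otherwise a failed agent registration is reported as OK in the per-step status table.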
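Review bot: the new keyboard paragraph in the `@@ -104,12 +110,20 @@` hunk applies Set-WinUserLanguageList to the current user and the Preload key to the Default hive and HKU\.DEFAULT, so existing local profiles other than the one running the script keep their previous layout; state that explicitly, because the Personalization paragraph in the same hunk ends with "so all profiles match" and a reader will assume the keyboard setting has the same reach. The AccentPalette sentence would also benefit from documenting the byte layout the script writes, since a REG_BINARY value cannot be checked by eye and the text already says Win11 drops the accent when the palette is missing.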
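Review bot: the Code signing section in the `@@ -174,3 +192,14 @@` hunk ends at publishing the binary as the "latest" release asset without saying that the signature is verified after signing. Since the Trusted Signing certs expire in ~3 days and the RFC3161 timestamp is what keeps the signature valid, the workflow should verify the signed xetup.exe (including the timestamp) before publishing and fail the run if verification fails; add that step to the `build → sign → publish` description. It would also help to record the hash of the published asset in the release, because "latest" is a mutable name and a consumer cannot otherwise tell which build was received.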