[0.74] Backport certificate fixes to unblock CI (#14059)

## Description

This PR cherry-picks the following certificate-related commits to unblock CI in 0.74:

3a5ca66
3534af4
5fad854

---------

Co-authored-by: Danny van Velzen 🁴 <[email protected]>

Author: jonthysell

.ado/jobs/e2e-test.yml

@@ -83,7 +83,6 @@ jobs:
             - template: ../templates/run-windows-with-certificates.yml
               parameters:
                 buildEnvironment: ${{ parameters.BuildEnvironment }}
-                certificateName: reactUWPTestAppEncodedKey
                 buildConfiguration: Release
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 buildLogDirectory: $(BuildLogDirectory)
@@ -191,7 +190,6 @@ jobs:
               - template: ../templates/run-windows-with-certificates.yml
                 parameters:
                   buildEnvironment: ${{ parameters.BuildEnvironment }}
-                  certificateName: reactUWPTestAppEncodedKey
                   buildConfiguration: Release
                   buildPlatform: ${{ matrix.BuildPlatform }}
                   buildLogDirectory: $(BuildLogDirectory)

.ado/jobs/playground.yml

@@ -8,6 +8,9 @@ parameters:
       - Continuous
   - name: AgentPool
     type: object
+  - name: certificatePassword
+    type: string
+    default: 'pwd'
   - name: buildMatrix
     type: object
     default:
@@ -135,8 +138,8 @@ jobs:
             - ${{if eq(config.BuildEnvironment, 'Continuous')}}:
               - template: ../templates/write-certificate.yml
                 parameters:
-                  certificateName: playgroundEncodedKey
-
+                  certificatePassword: ${{ parameters.certificatePassword }}
+        
             - ${{ if eq(matrix.UseExperimentalWinUI3, true) }}:
               - template:  ../templates/set-experimental-feature.yml
                 parameters:
@@ -175,6 +178,7 @@ jobs:
                 ${{if eq(config.BuildEnvironment, 'Continuous')}}:
                   msbuildArgs:
                     /p:PackageCertificateKeyFile=$(Build.SourcesDirectory)\EncodedKey.pfx
+                    /p:PackageCertificatePassword=${{ parameters.certificatePassword }}
 
             - ${{if and(endsWith(matrix.Name, 'Universal'), eq(matrix.BuildConfiguration, 'Debug')) }}:
               # Execute debug feature tests (skip this step for the Win32 Playground app and for release builds)

.ado/jobs/sample-apps.yml

@@ -94,7 +94,6 @@ jobs:
             - template: ../templates/run-windows-with-certificates.yml
               parameters:
                 buildEnvironment: ${{ parameters.BuildEnvironment }}
-                certificateName: sampleAppCPPEncodedKey
                 buildConfiguration: ${{ matrix.BuildConfiguration }}
                 buildPlatform: ${{ matrix.BuildPlatform }}
                 deployOption:  ${{ matrix.DeployOption }}

.ado/templates/react-native-init-windows.yml

@@ -62,8 +62,8 @@ steps:
       workingDirectory: $(Agent.BuildDirectory)
 
   - ${{ if and(endsWith(parameters.template, '-lib'), not(startsWith(parameters.template, 'old'))) }}:
-    - script: |
-        npx --yes create-react-native-library@latest --slug testcli --description testcli --author-name "React-Native-Windows Bot" --author-email [email protected] --author-url http://example.com --repo-url http://example.com --languages kotlin-objc --type module-new --react-native-version $(reactNativeDevDependency) --example vanilla testcli
+    - script: | # Force version 0.42.1, version 0.42.2 is broken, see https://github.com/callstack/react-native-builder-bob/issues/674
+        npx --yes create-react-native-library@0.42.1 --slug testcli --description testcli --author-name "React-Native-Windows Bot" --author-email [email protected] --author-url http://example.com --repo-url http://example.com --languages kotlin-objc --type module-new --react-native-version $(reactNativeDevDependency) --example vanilla testcli
       displayName: Init new lib project with create-react-native-library
       workingDirectory: $(Agent.BuildDirectory)
 
@@ -177,7 +177,6 @@ steps:
   - template: ../templates/run-windows-with-certificates.yml
     parameters:
       buildEnvironment: ${{ parameters.BuildEnvironment }}
-      certificateName: RNWEncodedKey
       buildConfiguration: ${{ parameters.configuration }}
       buildPlatform: ${{ parameters.platform }}
       deployOption: ${{ parameters.additionalRunArguments }}
@@ -224,4 +223,4 @@ steps:
     inputs:
       pathtoPublish: '$(Build.StagingDirectory)/Tracing'
       artifactName: 'Traces - $(Agent.JobName)-$(System.JobAttempt)'
-    condition: succeededOrFailed()
+    condition: succeededOrFailed()

.ado/templates/react-native-init.yml

@@ -161,7 +161,6 @@ steps:
   - template: ../templates/run-windows-with-certificates.yml
     parameters:
       buildEnvironment: ${{ parameters.BuildEnvironment }}
-      certificateName: RNWEncodedKey
       buildConfiguration: ${{ parameters.configuration }}
       buildPlatform: ${{ parameters.platform }}
       deployOption: ${{ parameters.additionalRunArguments }}

.ado/templates/run-windows-with-certificates.yml

@@ -6,8 +6,6 @@ parameters:
       - PullRequest
       - SecurePullRequest
       - Continuous
-  - name: certificateName
-    type: string
   - name: buildConfiguration
     type: string
     values:
@@ -31,7 +29,10 @@ parameters:
   - name: moreMSBuildProps
     type: string
     default: ''
-
+  - name: certificatePassword
+    type: string
+    default: 'pwd'
+  
 steps:
   - ${{ if eq(parameters.buildConfiguration, 'Debug') }}:
     - script: >
@@ -61,7 +62,7 @@ steps:
   - ${{ if and(eq(parameters.buildConfiguration, 'Release'), eq(parameters.buildEnvironment, 'Continuous')) }}:
     - template: ../templates/write-certificate.yml
       parameters:
-        certificateName: ${{ parameters.certificateName }}
+        certificatePassword: ${{ parameters.certificatePassword }}
 
     - script: >
         yarn react-native run-windows
@@ -70,7 +71,7 @@ steps:
         --no-launch
         --logging
         --buildLogDirectory ${{ parameters.buildLogDirectory }}
-        --msbuildprops RestoreLockedMode=${{ parameters.restoreLockedMode }},RestoreForceEvaluate=${{ parameters.restoreForceEvaluate }},PackageCertificateKeyFile=$(Build.SourcesDirectory)\EncodedKey.pfx${{ parameters.moreMSBuildProps }}
+        --msbuildprops RestoreLockedMode=${{ parameters.restoreLockedMode }},RestoreForceEvaluate=${{ parameters.restoreForceEvaluate }},PackageCertificateKeyFile=$(Build.SourcesDirectory)\EncodedKey.pfx,PackageCertificatePassword=${{ parameters.certificatePassword }}${{ parameters.moreMSBuildProps }}
         ${{ parameters.deployOption }}
       displayName: run-windows (Release) - CI
       workingDirectory: ${{ parameters.workingDirectory }}

.ado/templates/write-certificate.yml

@@ -1,15 +1,20 @@
 parameters:
-  - name: certificateName
+  - name: certificatePassword
     type: string
+    default: 'pwd'
 
 steps:
   - powershell: |
-      Write-Host "Using certificate named ${{ parameters.certificateName }}"
-      Write-Host "##vso[task.setvariable variable=EncodedKey]$(${{ parameters.certificateName }})"
-    displayName: Determining certificate
+      $certStoreRoot="cert:\CurrentUser\My"
+      $rootFolder="$(Build.SourcesDirectory)"
 
-  - powershell: |
-      $PfxBytes = [System.Convert]::FromBase64String("$(EncodedKey)")
-      $PfxPath = [System.IO.Path]::GetFullPath( (Join-Path -Path $(Build.SourcesDirectory) -ChildPath EncodedKey.pfx) )
-      [System.IO.File]::WriteAllBytes("$PfxPath", $PfxBytes)
-    displayName: Write certificate
+      # the following two lines must match
+      [System.Security.SecureString] $password = ConvertTo-SecureString -String "${{ parameters.certificatePassword }}" -Force -AsPlainText
+
+      $cert = New-SelfSignedCertificate -KeyExportPolicy Exportable -CertStoreLocation $certStoreRoot -DnsName "Development Root CA" -NotAfter (Get-Date).AddYears(5) -Type CodeSigningCert -KeyUsage DigitalSignature
+      [String] $pfxPath = [System.IO.Path]::GetFullPath( (Join-Path -Path $rootFolder -ChildPath EncodedKey.pfx) )
+      [String] $certPath = "$certStoreRoot\$($cert.Thumbprint)"
+
+      Export-PfxCertificate -Cert $certPath -FilePath $pfxPath -Password $password
+
+    displayName: Create self-signed certificate