# # Add-AppxDevPackage.ps1 is a PowerShell script designed to install app # packages created by Visual Studio for developers. To run this script from # Explorer, right-click on its icon and choose "Run with PowerShell". # # Visual Studio supplies this script in the folder generated with its # "Prepare Package" command. The same folder will also contain the app # package (a .appx file), the signing certificate (a .cer file), and a # "Dependencies" subfolder containing all the framework packages used by the # app. # # This script simplifies installing these packages by automating the # following functions: # 1. Find the app package and signing certificate in the script directory # 2. Prompt the user to acquire a developer license and to install the # certificate if necessary # 3. Find dependency packages that are applicable to the operating system's # CPU architecture # 4. Install the package along with all applicable dependencies # # All command line parameters are reserved for use internally by the script. # Users should launch this script from Explorer. # # .Link # http://go.microsoft.com/fwlink/?LinkId=243053 param( [switch]$Force = $false, [switch]$GetDeveloperLicense = $false, [string]$CertificatePath = $null ) $ErrorActionPreference = "Stop" # The language resources for this script are placed in the # "Add-AppDevPackage.resources" subfolder alongside the script. Since the # current working directory might not be the directory that contains the # script, we need to create the full path of the resources directory to # pass into Import-LocalizedData $ScriptPath = $null try { $ScriptPath = (Get-Variable MyInvocation).Value.MyCommand.Path $ScriptDir = Split-Path -Parent $ScriptPath } catch {} if (!$ScriptPath) { PrintMessageAndExit $UiStrings.ErrorNoScriptPath $ErrorCodes.NoScriptPath } $LocalizedResourcePath = Join-Path $ScriptDir "Add-AppDevPackage.resources" Import-LocalizedData -BindingVariable UiStrings -BaseDirectory $LocalizedResourcePath $ErrorCodes = Data { ConvertFrom-StringData @' Success = 0 NoScriptPath = 1 NoPackageFound = 2 ManyPackagesFound = 3 NoCertificateFound = 4 ManyCertificatesFound = 5 BadCertificate = 6 PackageUnsigned = 7 CertificateMismatch = 8 ForceElevate = 9 LaunchAdminFailed = 10 GetDeveloperLicenseFailed = 11 InstallCertificateFailed = 12 AddPackageFailed = 13 ForceDeveloperLicense = 14 CertUtilInstallFailed = 17 CertIsCA = 18 BannedEKU = 19 NoBasicConstraints = 20 NoCodeSigningEku = 21 InstallCertificateCancelled = 22 BannedKeyUsage = 23 ExpiredCertificate = 24 '@ } function PrintMessageAndExit($ErrorMessage, $ReturnCode) { Write-Host $ErrorMessage if (!$Force) { Pause } exit $ReturnCode } # # Warns the user about installing certificates, and presents a Yes/No prompt # to confirm the action. The default is set to No. # function ConfirmCertificateInstall { $Answer = $host.UI.PromptForChoice( "", $UiStrings.WarningInstallCert, [System.Management.Automation.Host.ChoiceDescription[]]@($UiStrings.PromptYesString, $UiStrings.PromptNoString), 1) return $Answer -eq 0 } # # Validates whether a file is a valid certificate using CertUtil. # This needs to be done before calling Get-PfxCertificate on the file, otherwise # the user will get a cryptic "Password: " prompt for invalid certs. # function ValidateCertificateFormat($FilePath) { # certutil -verify prints a lot of text that we don't need, so it's redirected to $null here certutil.exe -verify $FilePath > $null if ($LastExitCode -lt 0) { PrintMessageAndExit ($UiStrings.ErrorBadCertificate -f $FilePath, $LastExitCode) $ErrorCodes.BadCertificate } # Check if certificate is expired $cert = Get-PfxCertificate $FilePath if (($cert.NotBefore -gt (Get-Date)) -or ($cert.NotAfter -lt (Get-Date))) { PrintMessageAndExit ($UiStrings.ErrorExpiredCertificate -f $FilePath) $ErrorCodes.ExpiredCertificate } } # # Verify that the developer certificate meets the following restrictions: # - The certificate must contain a Basic Constraints extension, and its # Certificate Authority (CA) property must be false. # - The certificate's Key Usage extension must be either absent, or set to # only DigitalSignature. # - The certificate must contain an Extended Key Usage (EKU) extension with # Code Signing usage. # - The certificate must NOT contain any other EKU except Code Signing and # Lifetime Signing. # # These restrictions are enforced to decrease security risks that arise from # trusting digital certificates. # function CheckCertificateRestrictions { Set-Variable -Name BasicConstraintsExtensionOid -Value "2.5.29.19" -Option Constant Set-Variable -Name KeyUsageExtensionOid -Value "2.5.29.15" -Option Constant Set-Variable -Name EkuExtensionOid -Value "2.5.29.37" -Option Constant Set-Variable -Name CodeSigningEkuOid -Value "1.3.6.1.5.5.7.3.3" -Option Constant Set-Variable -Name LifetimeSigningEkuOid -Value "1.3.6.1.4.1.311.10.3.13" -Option Constant $CertificateExtensions = (Get-PfxCertificate $CertificatePath).Extensions $HasBasicConstraints = $false $HasCodeSigningEku = $false foreach ($Extension in $CertificateExtensions) { # Certificate must contain the Basic Constraints extension if ($Extension.oid.value -eq $BasicConstraintsExtensionOid) { # CA property must be false if ($Extension.CertificateAuthority) { PrintMessageAndExit $UiStrings.ErrorCertIsCA $ErrorCodes.CertIsCA } $HasBasicConstraints = $true } # If key usage is present, it must be set to digital signature elseif ($Extension.oid.value -eq $KeyUsageExtensionOid) { if ($Extension.KeyUsages -ne "DigitalSignature") { PrintMessageAndExit ($UiStrings.ErrorBannedKeyUsage -f $Extension.KeyUsages) $ErrorCodes.BannedKeyUsage } } elseif ($Extension.oid.value -eq $EkuExtensionOid) { # Certificate must contain the Code Signing EKU $EKUs = $Extension.EnhancedKeyUsages.Value if ($EKUs -contains $CodeSigningEkuOid) { $HasCodeSigningEKU = $True } # EKUs other than code signing and lifetime signing are not allowed foreach ($EKU in $EKUs) { if ($EKU -ne $CodeSigningEkuOid -and $EKU -ne $LifetimeSigningEkuOid) { PrintMessageAndExit ($UiStrings.ErrorBannedEKU -f $EKU) $ErrorCodes.BannedEKU } } } } if (!$HasBasicConstraints) { PrintMessageAndExit $UiStrings.ErrorNoBasicConstraints $ErrorCodes.NoBasicConstraints } if (!$HasCodeSigningEKU) { PrintMessageAndExit $UiStrings.ErrorNoCodeSigningEku $ErrorCodes.NoCodeSigningEku } } # # Performs operations that require administrative privileges: # - Prompt the user to obtain a developer license # - Install the developer certificate (if -Force is not specified, also prompts the user to confirm) # function DoElevatedOperations { if ($GetDeveloperLicense) { Write-Host $UiStrings.GettingDeveloperLicense if ($Force) { PrintMessageAndExit $UiStrings.ErrorForceDeveloperLicense $ErrorCodes.ForceDeveloperLicense } try { Show-WindowsDeveloperLicenseRegistration } catch { $Error[0] # Dump details about the last error PrintMessageAndExit $UiStrings.ErrorGetDeveloperLicenseFailed $ErrorCodes.GetDeveloperLicenseFailed } } if ($CertificatePath) { Write-Host $UiStrings.InstallingCertificate # Make sure certificate format is valid and usage constraints are followed ValidateCertificateFormat $CertificatePath CheckCertificateRestrictions # If -Force is not specified, warn the user and get consent if ($Force -or (ConfirmCertificateInstall)) { # Add cert to store certutil.exe -addstore TrustedPeople $CertificatePath if ($LastExitCode -lt 0) { PrintMessageAndExit ($UiStrings.ErrorCertUtilInstallFailed -f $LastExitCode) $ErrorCodes.CertUtilInstallFailed } } else { PrintMessageAndExit $UiStrings.ErrorInstallCertificateCancelled $ErrorCodes.InstallCertificateCancelled } } } # # Checks whether the machine is missing a valid developer license. # function CheckIfNeedDeveloperLicense { $Result = $true try { $Result = (Get-WindowsDeveloperLicense | Where-Object { $_.IsValid } | Measure-Object).Count -eq 0 } catch {} return $Result } # # Launches an elevated process running the current script to perform tasks # that require administrative privileges. This function waits until the # elevated process terminates, and checks whether those tasks were successful. # function LaunchElevated { # Set up command line arguments to the elevated process $RelaunchArgs = '-ExecutionPolicy Unrestricted -file "' + $ScriptPath + '"' if ($Force) { $RelaunchArgs += ' -Force' } if ($NeedDeveloperLicense) { $RelaunchArgs += ' -GetDeveloperLicense' } if ($NeedInstallCertificate) { $RelaunchArgs += ' -CertificatePath "' + $DeveloperCertificatePath.FullName + '"' } # Launch the process and wait for it to finish try { $AdminProcess = Start-Process "$PsHome\PowerShell.exe" -Verb RunAs -ArgumentList $RelaunchArgs -PassThru } catch { $Error[0] # Dump details about the last error PrintMessageAndExit $UiStrings.ErrorLaunchAdminFailed $ErrorCodes.LaunchAdminFailed } while (!($AdminProcess.HasExited)) { Start-Sleep -Seconds 2 } # Check if all elevated operations were successful if ($NeedDeveloperLicense) { if (CheckIfNeedDeveloperLicense) { PrintMessageAndExit $UiStrings.ErrorGetDeveloperLicenseFailed $ErrorCodes.GetDeveloperLicenseFailed } else { Write-Host $UiStrings.AcquireLicenseSuccessful } } if ($NeedInstallCertificate) { $Signature = Get-AuthenticodeSignature $DeveloperPackagePath -Verbose if ($Signature.Status -ne "Valid") { PrintMessageAndExit ($UiStrings.ErrorInstallCertificateFailed -f $Signature.Status) $ErrorCodes.InstallCertificateFailed } else { Write-Host $UiStrings.InstallCertificateSuccessful } } } # # Finds all applicable dependency packages according to OS architecture, and # installs the developer package with its dependencies. The expected layout # of dependencies is: # # # \Dependencies # .appx # \x86 # .appx # \x64 # .appx # \arm # .appx # function InstallPackageWithDependencies { $DependencyPackagesDir = (Join-Path $ScriptDir "Dependencies") $DependencyPackages = @() if (Test-Path $DependencyPackagesDir) { # Get architecture-neutral dependencies $DependencyPackages += Get-ChildItem (Join-Path $DependencyPackagesDir "*.appx") | Where-Object { $_.Mode -NotMatch "d" } # Get architecture-specific dependencies if (($Env:Processor_Architecture -eq "x86" -or $Env:Processor_Architecture -eq "amd64") -and (Test-Path (Join-Path $DependencyPackagesDir "x86"))) { $DependencyPackages += Get-ChildItem (Join-Path $DependencyPackagesDir "x86\*.appx") | Where-Object { $_.Mode -NotMatch "d" } } if (($Env:Processor_Architecture -eq "amd64") -and (Test-Path (Join-Path $DependencyPackagesDir "x64"))) { $DependencyPackages += Get-ChildItem (Join-Path $DependencyPackagesDir "x64\*.appx") | Where-Object { $_.Mode -NotMatch "d" } } if (($Env:Processor_Architecture -eq "arm") -and (Test-Path (Join-Path $DependencyPackagesDir "arm"))) { $DependencyPackages += Get-ChildItem (Join-Path $DependencyPackagesDir "arm\*.appx") | Where-Object { $_.Mode -NotMatch "d" } } } Write-Host $UiStrings.InstallingPackage $AddPackageSucceeded = $False try { if ($DependencyPackages.FullName.Count -gt 0) { Write-Host $UiStrings.DependenciesFound $DependencyPackages.FullName Add-AppxPackage -Path $DeveloperPackagePath.FullName -DependencyPath $DependencyPackages.FullName -ForceApplicationShutdown } else { Add-AppxPackage -Path $DeveloperPackagePath.FullName -ForceApplicationShutdown } $AddPackageSucceeded = $? } catch { $Error[0] # Dump details about the last error } if (!$AddPackageSucceeded) { if ($NeedInstallCertificate) { PrintMessageAndExit $UiStrings.ErrorAddPackageFailedWithCert $ErrorCodes.AddPackageFailed } else { PrintMessageAndExit $UiStrings.ErrorAddPackageFailed $ErrorCodes.AddPackageFailed } } } # # Main script logic when the user launches the script without parameters. # function DoStandardOperations { # List all .appx files in the script directory $PackagePath = Get-ChildItem (Join-Path $ScriptDir "*.appx") | Where-Object { $_.Mode -NotMatch "d" } $PackageCount = ($PackagePath | Measure-Object).Count # List all .appxbundle files in the script directory $BundlePath = Get-ChildItem (Join-Path $ScriptDir "*.appxbundle") | Where-Object { $_.Mode -NotMatch "d" } $BundleCount = ($BundlePath | Measure-Object).Count # List all .eappx files in the script directory $EncryptedPackagePath = Get-ChildItem (Join-Path $ScriptDir "*.eappx") | Where-Object { $_.Mode -NotMatch "d" } $EncryptedPackageCount = ($EncryptedPackagePath | Measure-Object).Count # List all .eappxbundle files in the script directory $EncryptedBundlePath = Get-ChildItem (Join-Path $ScriptDir "*.eappxbundle") | Where-Object { $_.Mode -NotMatch "d" } $EncryptedBundleCount = ($EncryptedBundlePath | Measure-Object).Count $NumberOfPackagesAndBundles = $PackageCount + $BundleCount + $EncryptedPackageCount + $EncryptedBundleCount # There must be exactly 1 package/bundle if ($NumberOfPackagesAndBundles -lt 1) { PrintMessageAndExit $UiStrings.ErrorNoPackageFound $ErrorCodes.NoPackageFound } elseif ($NumberOfPackagesAndBundles -gt 1) { PrintMessageAndExit $UiStrings.ErrorManyPackagesFound $ErrorCodes.ManyPackagesFound } if ($PackageCount -eq 1) { $DeveloperPackagePath = $PackagePath Write-Host ($UiStrings.PackageFound -f $DeveloperPackagePath.FullName) } elseif ($BundleCount -eq 1) { $DeveloperPackagePath = $BundlePath Write-Host ($UiStrings.BundleFound -f $DeveloperPackagePath.FullName) } elseif ($EncryptedPackageCount -eq 1) { $DeveloperPackagePath = $EncryptedPackagePath Write-Host ($UiStrings.EncryptedPackageFound -f $DeveloperPackagePath.FullName) } elseif ($EncryptedBundleCount -eq 1) { $DeveloperPackagePath = $EncryptedBundlePath Write-Host ($UiStrings.EncryptedBundleFound -f $DeveloperPackagePath.FullName) } # The package must be signed $PackageSignature = Get-AuthenticodeSignature $DeveloperPackagePath $PackageCertificate = $PackageSignature.SignerCertificate if (!$PackageCertificate) { PrintMessageAndExit $UiStrings.ErrorPackageUnsigned $ErrorCodes.PackageUnsigned } # Test if the package signature is trusted. If not, the corresponding certificate # needs to be present in the current directory and needs to be installed. $NeedInstallCertificate = ($PackageSignature.Status -ne "Valid") if ($NeedInstallCertificate) { # List all .cer files in the script directory $DeveloperCertificatePath = Get-ChildItem (Join-Path $ScriptDir "*.cer") | Where-Object { $_.Mode -NotMatch "d" } $DeveloperCertificateCount = ($DeveloperCertificatePath | Measure-Object).Count # There must be exactly 1 certificate if ($DeveloperCertificateCount -lt 1) { PrintMessageAndExit $UiStrings.ErrorNoCertificateFound $ErrorCodes.NoCertificateFound } elseif ($DeveloperCertificateCount -gt 1) { PrintMessageAndExit $UiStrings.ErrorManyCertificatesFound $ErrorCodes.ManyCertificatesFound } Write-Host ($UiStrings.CertificateFound -f $DeveloperCertificatePath.FullName) # The .cer file must have the format of a valid certificate ValidateCertificateFormat $DeveloperCertificatePath # The package signature must match the certificate file if ($PackageCertificate -ne (Get-PfxCertificate $DeveloperCertificatePath)) { PrintMessageAndExit $UiStrings.ErrorCertificateMismatch $ErrorCodes.CertificateMismatch } } $NeedDeveloperLicense = CheckIfNeedDeveloperLicense # Relaunch the script elevated with the necessary parameters if needed if ($NeedDeveloperLicense -or $NeedInstallCertificate) { Write-Host $UiStrings.ElevateActions if ($NeedDeveloperLicense) { Write-Host $UiStrings.ElevateActionDevLicense } if ($NeedInstallCertificate) { Write-Host $UiStrings.ElevateActionCertificate } $IsAlreadyElevated = ([Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains "S-1-5-32-544") if ($IsAlreadyElevated) { if ($Force -and $NeedDeveloperLicense) { PrintMessageAndExit $UiStrings.ErrorForceDeveloperLicense $ErrorCodes.ForceDeveloperLicense } if ($Force -and $NeedInstallCertificate) { Write-Warning $UiStrings.WarningInstallCert } } else { if ($Force) { PrintMessageAndExit $UiStrings.ErrorForceElevate $ErrorCodes.ForceElevate } else { Write-Host $UiStrings.ElevateActionsContinue Pause } } LaunchElevated } InstallPackageWithDependencies } # # Main script entry point # if ($GetDeveloperLicense -or $CertificatePath) { DoElevatedOperations } else { DoStandardOperations PrintMessageAndExit $UiStrings.Success $ErrorCodes.Success } # SIG # Begin signature block # MIIh0wYJKoZIhvcNAQcCoIIhxDCCIcACAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAnYmBUpv/sjF9s # UpSJeaz8bsgho4m0HYf/wsPXcJL9raCCC1YwggTeMIIDxqADAgECAhMzAAABzLVb # QhcHYBMRAAAAAAHMMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTAwHhcNMTcwOTEyMTgwNzA2WhcNMTgwOTEyMTgwNzA2WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQCpkHWajIMyG+isxN7HWH5SZZnnaBLtBXRLEpiJMDY/cSmbclWZF6E+H3v0HvLo # hCALULWOtm+3EjbVybEjYo5+Qi7pDLBgdmiHLEjUkxt8N5VlUIdpp9Apb4hl4pnC # MAyXYLAap4sKZFjds1GyrnH2V08otBfl1mCwK4Z5KCtZ9Bu+XDn0tM38OzmQaRl/ # Z0xLO7qfWVUaBj/spPvlkKr+nungSu5JMg8xScKSzfkHNMcrADAQ/RDKGewkY+rd # rYqT9caaCJQiz0KjQKdtzCxd1fFBx5N1yi9+K25guWjyqjBFNfnvkuF1JIlAXJ6m # CZM33hi8CbRtRZpCwrlzMHGLAgMBAAGjggFdMIIBWTAfBgNVHSUEGDAWBgorBgEE # AYI3PQYBBggrBgEFBQcDAzAdBgNVHQ4EFgQUWVXEgo8svduWnjnVL9Gj/TICsn8w # NAYDVR0RBC0wK6QpMCcxDTALBgNVBAsTBE1PUFIxFjAUBgNVBAUTDTIzMDg2NSsy # NDI0MDYwHwYDVR0jBBgwFoAU5vxfe7siAFjkck619CF0IzLm76wwVgYDVR0fBE8w # TTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVj # dHMvTWljQ29kU2lnUENBXzIwMTAtMDctMDYuY3JsMFoGCCsGAQUFBwEBBE4wTDBK # BggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9N # aWNDb2RTaWdQQ0FfMjAxMC0wNy0wNi5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG # 9w0BAQsFAAOCAQEA0ZPuJ7HuV62ZGYwja2MQzDn3VRhyWDvxqbfO4MqWMFFTzJjw # ElMYK+gamKQJtQHRI0ahePf/Zc5OWx5gLnN+sAl6SufXfXcCf9HFEYmwPzLthrfz # EAnbjhHTVh30hVcCKf7quFG/Q+58VJ8fuZ3J4AwMThjQOPePqnDwKhu08ythe3CK # Fu8799o79p+eLqW/hGUJJTmx0iAJ2rjZD+QnfUqDAXXsgnfQuaBDK6Y+pR71SwN0 # JYijYGIlzY069pEKGwO9Z0LJo6uak/16Wu5R1vmGbkznAFgsQ9P6RMgDHp/vxMzh # zbDJ6/pdCNpHgVcRJ25xwcZPfkQIrxzuq5UOozCCBnAwggRYoAMCAQICCmEMUkwA # AAAAAAMwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl # IEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwNjIwNDAxN1oXDTI1MDcwNjIwNTAxN1ow # fjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMf # TWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAOkOZFB5Z7XE4/0JAEyelKz3VmjqRNjPxVhPqaV2fG1F # utM5krSkHvn5ZYLkF9KP/UScCOhlk84sVYS/fQjjLiuoQSsYt6JLbklMaxUH3tHS # wokecZTNtX9LtK8I2MyI1msXlDqTziY/7Ob+NJhX1R1dSfayKi7VhbtZP/iQtCuD # dMorsztG4/BGScEXZlTJHL0dxFViV3L4Z7klIDTeXaallV6rKIDN1bKe5QO1Y9Oy # FMjByIomCll/B+z/Du2AEjVMEqa+Ulv1ptrgiwtId9aFR9UQucboqu6Lai0FXGDG # tCpbnCMcX0XjGhQebzfLGTOAaolNo2pmY3iT1TDPlR8CAwEAAaOCAeMwggHfMBAG # CSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTm/F97uyIAWORyTrX0IXQjMubvrDAZ # BgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/ # BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8E # TzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9k # dWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBM # MEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRz # L01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBnQYDVR0gBIGVMIGSMIGPBgkr # BgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABl # AGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJ # KoZIhvcNAQELBQADggIBABp071dPKXvEFoV4uFDTIvwJnayCl/g0/yosl5US5eS/ # z7+TyOM0qduBuNweAL7SNW+v5X95lXflAtTx69jNTh4bYaLCWiMa8IyoYlFFZwjj # Pzwek/gwhRfIOUCm1w6zISnlpaFpjCKTzHSY56FHQ/JTrMAPMGl//tIlIG1vYdPf # B9XZcgAsaYZ2PVHbpjlIyTdhbQfdUxnLp9Zhwr/ig6sP4GubldZ9KFGwiUpRpJps # yLcfShoOaanX3MF+0Ulwqratu3JHYxf6ptaipobsqBBEm2O2smmJBsdGhnoYP+jF # HSHVe/kCIy3FQcu/HUzIFu+xnH/8IktJim4V46Z/dlvRU3mRhZ3V0ts9czXzPK5U # slJHasCqE5XSjhHamWdeMoz7N4XR3HWFnIfGWleFwr/dDY+Mmy3rtO7PJ9O1Xmn6 # pBYEAackZ3PPTU+23gVWl3r36VJN9HcFT4XG2Avxju1CCdENduMjVngiJja+yrGM # bqod5IXaRzNij6TJkTNfcR5Ar5hlySLoQiElihwtYNk3iUGJKhYP12E8lGhgUu/W # R5mggEDuFYF3PpzgUxgaUB04lZseZjMTJzkXeIc2zk7DX7L1PUdTtuDl2wthPSrX # kizON1o+QEIxpB8QCMJWnL8kXVECnWp50hfT2sGUjgd7JXFEqwZq5tTG3yOalnXF # MYIV0zCCFc8CAQEwgZUwfjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEoMCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMAIT # MwAAAcy1W0IXB2ATEQAAAAABzDANBglghkgBZQMEAgEFAKCBwjAZBgkqhkiG9w0B # CQMxDAYKKwYBBAGCNwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAv # BgkqhkiG9w0BCQQxIgQgzqwaCX0QjcEocY9opGCsXU79tW/zLu1Bm6otXPLysWIw # VgYKKwYBBAGCNwIBDDFIMEagLIAqAEEAZABkAC0AQQBwAHAARABlAHYAUABhAGMA # awBhAGcAZQAuAHAAcwAxoRaAFGh0dHA6Ly9taWNyb3NvZnQuY29tMA0GCSqGSIb3 # DQEBAQUABIIBAFcndnQlRHOfKMcusesyIOnXq6VZSQ37nv5Hj+7OQh5ynYO8Hhhp # J9ekfx4E+nhm9NuRZ0WzFm1Ups+QApGVj53wdIGYCeC8+a4wztaWCi6XCqda/DtQ # VUU7r458+/1GGQPAlNVvpEoAAwd34Sjf2PH8ZgCOEGFI/8+D8NNZthSGmzKyUjW2 # NKS4JVuu5/wBuJ8kauHfNmkUgfDiFCA3OVHAEoZeIL4QoDiAXL6TL6rJobVVvaYc # AtyGReTSjXb1YtGt/v8ueKnCDilkfCiUPCThba6PBNpB13TZo9Ys+vxs9V48fkTw # QZfUxALs0bSceM1oocVJ69/GBwQH08mDVRuhghNJMIITRQYKKwYBBAGCNwMDATGC # EzUwghMxBgkqhkiG9w0BBwKgghMiMIITHgIBAzEPMA0GCWCGSAFlAwQCAQUAMIIB # PAYLKoZIhvcNAQkQAQSgggErBIIBJzCCASMCAQEGCisGAQQBhFkKAwEwMTANBglg # hkgBZQMEAgEFAAQgGY2BBegSvni/9ayUWJVzK0fChTbwkjUB7gcLBtHsoNQCBlqy # m9F0bBgTMjAxODA0MDMyMTIxMTEuNzQ4WjAHAgEBgAIB9KCBuKSBtTCBsjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDQU9DMScw # JQYDVQQLEx5uQ2lwaGVyIERTRSBFU046N0FCNS0yREYyLURBM0YxJTAjBgNVBAMT # HE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wggg7NMIIGcTCCBFmgAwIBAgIK # YQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0 # NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcN # AQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX7 # 7XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM # 1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHP # k0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3Ws # vYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw # 6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHi # MBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVt # VTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0T # AQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNV # HR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9w # cm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEE # TjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGS # MIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9z # b2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4y # IB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAu # IB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+ # zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKK # dsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/Uv # eYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4z # u2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHim # bdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlX # dqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHh # AN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A # +xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdC # osnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42ne # V8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nf # j950iEkSMIIE2TCCA8GgAwIBAgITMwAAAKteQJ3uRt8sbAAAAAAAqzANBgkqhkiG # 9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw # JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xNjA5MDcx # NzU2NTRaFw0xODA5MDcxNzU2NTRaMIGyMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMQwwCgYDVQQLEwNBT0MxJzAlBgNVBAsTHm5DaXBoZXIgRFNF # IEVTTjo3QUI1LTJERjItREEzRjElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPmflCY # oEYJsGYBJoo00ynJfZg1mgws3TPKA88OAtcL77vhyC5JpNPQ2dxz07tFhZxd5QH1 # /CumYpvhgAKn8zcoRUs13ri6bvuGkO3hqxDyOPB3wlvPQBPuOUob0ip6HvyLAfip # vJqPeQPD43DRrADzpsDLId101NSHhCiBrRpZUmLe7P3MxQOJTE0Hs6DUHp57AcI6 # zWNpCZCIE5PDLZShLAQpuDfVSrUxiuS+bpEz23zuzDJ8XMEt4biw1iKJISokeeLk # o88uGdZVyUgRJKSoyfVIyFLCMZKQ+mY2APmhMBpoD61pZEta8etpn3OGerZgH5SR # Xo4gvdTfDiqQyEsCAwEAAaOCARswggEXMB0GA1UdDgQWBBQNx0fQHGDL6cBrlMxf # Bg5iuNhqpzAfBgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8E # TzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9k # dWN0cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBM # MEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRz # L01pY1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1Ud # JQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQA/n/66LmHxciqtqhVm # laAES32zwkbd0OtbQDz0jHUFraGBbyR7DS7So4m68DYr+cjFdw56uHzeVOL9DyZf # PAx2LfoY0aIQqIheSypZlchfd3/+RCS4ApmEkZSvAsemKoaEsYv4kSTH0G6jNr/7 # +LgHmm8+ae228ZthZ1StNujb8trlYqY7yG3MQ5omIvNEjOstRyZ108Lmm9aKnRVP # k+iAIM4OLZUDU/NA4BrcaVxMIddKEygvRdWC/aTB3yE7yes/OKU/MvrNBku4H7yb # GrORsZNd4v95oRbRuDX24ZHK93Hs/f6Kw+BlNVjLpF4PluanIq9o8z7P3qSNqtju # EqTioYIDdzCCAl8CAQEwgeKhgbikgbUwgbIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xDDAKBgNVBAsTA0FPQzEnMCUGA1UECxMebkNpcGhlciBE # U0UgRVNOOjdBQjUtMkRGMi1EQTNGMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1T # dGFtcCBTZXJ2aWNloiUKAQEwCQYFKw4DAhoFAAMVAMnsu0gtNdmUvraO9yapMW6K # h44yoIHBMIG+pIG7MIG4MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMQwwCgYDVQQLEwNBT0MxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjoyNjY1 # LTRDM0YtQzVERTErMCkGA1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3Rl # ciBDbG9jazANBgkqhkiG9w0BAQUFAAIFAN5ty40wIhgPMjAxODA0MDMwOTQ0NDVa # GA8yMDE4MDQwNDA5NDQ0NVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA3m3LjQIB # ADAKAgEAAgINqgIB/zAHAgEAAgIaVDAKAgUA3m8dDQIBADA2BgorBgEEAYRZCgQC # MSgwJjAMBgorBgEEAYRZCgMBoAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqG # SIb3DQEBBQUAA4IBAQBHe3W69oqVtg2VurBY+FU5QhETBgRxdboyr8cCQ1lnpj7W # G9pDF7+CXryijr4K1fvf3uC6lCA3eBoiv6VL8Lc/TGJPMgox8ONfKP52xNK3q4I5 # V71DO+SXmFdrYnahHPIFSHeD+pyhaN8F6446GPOwrAbaU3hFrYC9mTZSKjFA0FWU # 5CU2KUt51pSzp/fuOpeAKVwSpy+eCy/H1njcPSQO2G79foGNIIaw5qC8GpH7QFZ+ # SjqDPzu7f1LKfws6IFrmI2CQYB8f1+LsuqhWnAsfdmpHu7TKowLW0dT4fNeWEHO/ # dZ+pfyfVeHwpeNlCfl3aXoP/k8gu5SCo0GS49/cXMYIC9TCCAvECAQEwgZMwfDEL # MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v # bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWlj # cm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAACrXkCd7kbfLGwAAAAAAKsw # DQYJYIZIAWUDBAIBBQCgggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAv # BgkqhkiG9w0BCQQxIgQgdBSHtxgTryyfOfT5bK8TQJ3J157h4n96B0jIHh2o9CUw # geIGCyqGSIb3DQEJEAIMMYHSMIHPMIHMMIGxBBTJ7LtILTXZlL62jvcmqTFuioeO # MjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAq15A # ne5G3yxsAAAAAACrMBYEFKDoGoGiVUmWbBluFeNftHVskSx6MA0GCSqGSIb3DQEB # CwUABIIBABwjv1Y9ECsSIdMR4q4Pz1AVH6yUzeQW0lRs14wm/ll+gOo3CzFZ64my # e7XeF05DKt714NROS3snw/oTabFsfmbo617KkgFHTXA0Kic6YtfkDbBWtTaXoFQF # dev2xgEC4DMI6+w+h9uwDtHo7A7fsTR9vUa0MHHyssHJnAn9xgIS/Q+GCpU9O/tl # kDGKZmQyEI4+G01lxg7XEQfC9w28q8M4XQ6I7skB31ur5Nz0AiXdM1MbUrqmYkJK # uIJbX3cb38wbEqQ1JCezwumroAmPtsdcWy3A82+0w9u7zp8mUcpDyS/N1YydanPF # VasOmwcKWHBL9IaF6FRPlwxSK0q5sCk= # SIG # End signature block