Diffstat (limited to 'script')
-rw-r--r--script/sign-windows.ps170
1 files changed, 70 insertions, 0 deletions
diff --git a/script/sign-windows.ps1 b/script/sign-windows.ps1
new file mode 100644
index 000000000..aaf2a5b65
--- /dev/null
+++ b/script/sign-windows.ps1
@@ -0,0 +1,70 @@
+param(
+ [Parameter(ValueFromRemainingArguments = $true)]
+ [string[]] $Path
+)
+
+$ErrorActionPreference = "Stop"
+
+if (-not $Path -or $Path.Count -eq 0) {
+ throw "At least one path is required"
+}
+
+if ($env:GITHUB_ACTIONS -ne "true") {
+ Write-Host "Skipping Windows signing because this is not running on GitHub Actions"
+ exit 0
+}
+
+$vars = @{
+ endpoint = $env:AZURE_TRUSTED_SIGNING_ENDPOINT
+ account = $env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME
+ profile = $env:AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE
+}
+
+if ($vars.Values | Where-Object { -not $_ }) {
+ Write-Host "Skipping Windows signing because Azure Artifact Signing is not configured"
+ exit 0
+}
+
+$moduleVersion = "0.5.8"
+$module = Get-Module -ListAvailable -Name TrustedSigning | Where-Object { $_.Version -eq [version] $moduleVersion }
+
+if (-not $module) {
+ try {
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser | Out-Null
+ }
+ catch {
+ Write-Host "NuGet package provider install skipped: $($_.Exception.Message)"
+ }
+
+ Install-Module -Name TrustedSigning -RequiredVersion $moduleVersion -Force -Repository PSGallery -Scope CurrentUser
+}
+
+Import-Module TrustedSigning -RequiredVersion $moduleVersion -Force
+
+$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique)
+
+if (-not $files -or $files.Count -eq 0) {
+ throw "No files matched the requested paths"
+}
+
+$params = @{
+ Endpoint = $vars.endpoint
+ CodeSigningAccountName = $vars.account
+ CertificateProfileName = $vars.profile
+ Files = ($files -join ",")
+ FileDigest = "SHA256"
+ TimestampDigest = "SHA256"
+ TimestampRfc3161 = "http://timestamp.acs.microsoft.com"
+ ExcludeEnvironmentCredential = $true
+ ExcludeWorkloadIdentityCredential = $true
+ ExcludeManagedIdentityCredential = $true
+ ExcludeSharedTokenCacheCredential = $true
+ ExcludeVisualStudioCredential = $true
+ ExcludeVisualStudioCodeCredential = $true
+ ExcludeAzureCliCredential = $false
+ ExcludeAzurePowerShellCredential = $true
+ ExcludeAzureDeveloperCliCredential = $true
+ ExcludeInteractiveBrowserCredential = $true
+}
+
+Invoke-TrustedSigning @params
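Review bot: The path resolution at `$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } ...)` silently drops any argument that does not resolve, and the guard on the next lines only fires when nothing at all matched, so with several arguments a typo or a missing build artifact leaves that file unsigned while the script still exits 0. For a release signing step an artifact that was asked for but not found should be a hard failure rather than a quiet skip; resolving per argument and throwing on an empty result keeps the rest of the flow unchanged. Separately, `Files = ($files -join ",")` suggests the module parses a comma-separated list, in which case a path containing a comma would be split into two bogus entries — worth a short comment on that line or a check that no resolved path contains `,` if the parameter indeed works that way. The early `exit 0` branches for "not on GitHub Actions" and "not configured" look intentional, but a one-line comment stating that unsigned output is acceptable in those cases would make that decision explicit for the next maintainer.
```powershell
$files = foreach ($requested in $Path) {
  $resolved = @(Resolve-Path -Path $requested -ErrorAction SilentlyContinue)
  if ($resolved.Count -eq 0) {
    # Fail loudly: a requested artifact that cannot be found must not ship unsigned.
    throw "No files matched the requested path: $requested"
  }
  $resolved.Path
}
$files = @($files | Select-Object -Unique)
# … unchanged: empty-list check, $params construction, Invoke-TrustedSigning …
```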