From 82fc493520925cb71323964bff6939e768e6d83a Mon Sep 17 00:00:00 2001
From: Luke Parker <10430890+Hona@users.noreply.github.com>
Date: Sat, 28 Mar 2026 11:20:19 +1000
Subject: feat(ci): use Azure Artifact Signing for Windows releases (#15201)
---
script/sign-windows.ps1 | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 script/sign-windows.ps1
(limited to 'script')
diff --git a/script/sign-windows.ps1 b/script/sign-windows.ps1
new file mode 100644
index 000000000..aaf2a5b65
--- /dev/null
+++ b/script/sign-windows.ps1
@@ -0,0 +1,70 @@
+param(
+ [Parameter(ValueFromRemainingArguments = $true)]
+ [string[]] $Path
+)
+
+$ErrorActionPreference = "Stop"
+
+if (-not $Path -or $Path.Count -eq 0) {
+ throw "At least one path is required"
+}
+
+if ($env:GITHUB_ACTIONS -ne "true") {
+ Write-Host "Skipping Windows signing because this is not running on GitHub Actions"
+ exit 0
+}
+
+$vars = @{
+ endpoint = $env:AZURE_TRUSTED_SIGNING_ENDPOINT
+ account = $env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME
+ profile = $env:AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE
+}
+
+if ($vars.Values | Where-Object { -not $_ }) {
+ Write-Host "Skipping Windows signing because Azure Artifact Signing is not configured"
+ exit 0
+}
+
+$moduleVersion = "0.5.8"
+$module = Get-Module -ListAvailable -Name TrustedSigning | Where-Object { $_.Version -eq [version] $moduleVersion }
+
+if (-not $module) {
+ try {
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser | Out-Null
+ }
+ catch {
+ Write-Host "NuGet package provider install skipped: $($_.Exception.Message)"
+ }
+
+ Install-Module -Name TrustedSigning -RequiredVersion $moduleVersion -Force -Repository PSGallery -Scope CurrentUser
+}
+
+Import-Module TrustedSigning -RequiredVersion $moduleVersion -Force
+
+$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique)
+
+if (-not $files -or $files.Count -eq 0) {
+ throw "No files matched the requested paths"
+}
+
+$params = @{
+ Endpoint = $vars.endpoint
+ CodeSigningAccountName = $vars.account
+ CertificateProfileName = $vars.profile
+ Files = ($files -join ",")
+ FileDigest = "SHA256"
+ TimestampDigest = "SHA256"
+ TimestampRfc3161 = "http://timestamp.acs.microsoft.com"
+ ExcludeEnvironmentCredential = $true
+ ExcludeWorkloadIdentityCredential = $true
+ ExcludeManagedIdentityCredential = $true
+ ExcludeSharedTokenCacheCredential = $true
+ ExcludeVisualStudioCredential = $true
+ ExcludeVisualStudioCodeCredential = $true
+ ExcludeAzureCliCredential = $false
+ ExcludeAzurePowerShellCredential = $true
+ ExcludeAzureDeveloperCliCredential = $true
+ ExcludeInteractiveBrowserCredential = $true
+}
+
+Invoke-TrustedSigning @params
--
cgit v1.2.3
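Review bot: The configuration guard `if ($vars.Values | Where-Object { -not $_ })` does not appear to catch the case where exactly one of the three `AZURE_TRUSTED_SIGNING_*` variables is unset: as far as I can tell the pipeline then yields a single `$null`, which the `if` treats as false, so the script falls through to `Invoke-TrustedSigning` with an empty `Endpoint`, `CodeSigningAccountName` or `CertificateProfileName` instead of skipping (with two or three missing, the result is a non-empty array and the skip works). Forcing an array and counting it makes the test robust regardless of how many are missing: `if (@($vars.Values | Where-Object { -not $_ }).Count -gt 0) {`. Separately, `Resolve-Path $_ -ErrorAction SilentlyContinue` silently drops any requested path that does not exist and the script only throws when nothing matches at all, so a release job that passes several artifacts could sign a subset without failing; if every `$Path` entry is expected to exist, dropping `-ErrorAction SilentlyContinue` lets `$ErrorActionPreference = "Stop"` surface the missing file. Consider also that both `exit 0` skip branches leave release artifacts unsigned with only a `Write-Host` line, so a `Write-Warning` (or a `::warning::` workflow annotation) there would make an unconfigured signing step visible in the job summary rather than buried in the log.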