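<#
.SYNOPSIS
Checks whether nuget.org is added as a nuget source.
.DESCRIPTION
Runs 'dotnet nuget list source' and throws when the nuget.org v3 feed URL does not
appear in its output. Also throws when the dotnet invocation itself fails, so a
broken SDK is not reported as a missing source.
.OUTPUTS
None. Throws on failure.
#>
function AssertNugetSourceIsAdded() {
    $nugetSource = "https://api.nuget.org/v3/index.json"
    # Capture the listing first and check the exit code separately: a failed
    # 'dotnet nuget' call would otherwise be indistinguishable from "source not listed".
    $sourceList = dotnet nuget list source
    if ($LASTEXITCODE -ne 0) {
        throw "'dotnet nuget list source' failed with exit code $LASTEXITCODE."
    }
    # -SimpleMatch: the URL contains '.' which would otherwise act as a regex wildcard.
    $nugetSourceExists = $sourceList | Select-String -SimpleMatch -Pattern $nugetSource
    if (-not $nugetSourceExists) {
        throw "Nuget source $nugetSource is not added. Please add the source using 'dotnet nuget add source $nugetSource' or add another source with nuget.org as an upstream source."
    }
}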
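<#
.SYNOPSIS
Installs the dotnet signing tool.
.DESCRIPTION
Installs the 'sign' dotnet tool (version taken from GetPackageVersion in
AL-Go-Helper.ps1) into a freshly created, uniquely named folder under the temp
directory and returns the path of the installed executable.
.OUTPUTS
System.String. Full path to sign.exe inside the temp folder.
.NOTES
Throws if the version cannot be determined, if the temp folder cannot be created
(including when it already exists), if 'dotnet tool install' exits non-zero, or if
sign.exe is not present afterwards. In the last two cases the nuget.org source is
checked first so that a missing feed produces the more specific error.
#>
function Install-SigningTool() {
    . (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
    # Folder name from the OS random name generator rather than a 32-bit Get-Random
    # integer: the executable placed here later runs with the signing credentials, so
    # the folder must be one that could not already exist on a shared runner.
    $tempFolder = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath "SigningTool-$([System.IO.Path]::GetRandomFileName())"
    # Version of the signing tool, resolved by the helper script
    $version = GetPackageVersion -PackageName "sign"
    if (-not $version) {
        throw "Could not determine the version of the signing tool (GetPackageVersion returned nothing)."
    }
    Write-Host "Installing signing tool version $version in $tempFolder"
    # -ErrorAction Stop: if the folder already exists New-Item only writes a
    # non-terminating error, and the install would then proceed into (and later
    # execute from) a folder this function did not create.
    New-Item -ItemType Directory -Path $tempFolder -ErrorAction Stop | Out-Null
    dotnet tool install sign --version $version --tool-path $tempFolder | Out-Host
    if ($LASTEXITCODE -ne 0) {
        # A missing nuget.org feed is the most common cause; report that first
        AssertNugetSourceIsAdded
        throw "Failed to install signing tool (dotnet tool install exited with $LASTEXITCODE). If you are using a self-hosted runner please make sure you've followed all the steps described in https://aka.ms/algosettings#runs-on."
    }
    # Return the path to the signing tool
    $signingTool = Join-Path -Path $tempFolder -ChildPath "sign.exe"
    if (-not (Test-Path -Path $signingTool)) {
        # Check if nuget.org is added as a nuget source
        AssertNugetSourceIsAdded
        # If the tool is not found, throw an error
        throw "Failed to install signing tool. If you are using a self-hosted runner please make sure you've followed all the steps described in https://aka.ms/algosettings#runs-on."
    }
    return $signingTool
}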
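<#
.SYNOPSIS
Signs files in a given path using a certificate from Azure Key Vault or Azure Trusted Signing.
.DESCRIPTION
Signs files in a given path using a certificate from Azure Key Vault (parameter set
KeyVaultSigning) or an Azure Trusted Signing certificate profile (parameter set
TrustedSigning).
Connection to the Azure Key Vault can be done using a service principal or a managed identity.
Installs the signing tool first (see Install-SigningTool) and throws if the tool
exits with a non-zero exit code, so a failed signing run does not go unnoticed.
.PARAMETER KeyVaultName
The name of the Azure Key Vault where the certificate is stored. Only letters, digits
and hyphens are accepted, because the name is embedded in the vault URL.
.PARAMETER CertificateName
The name of the certificate in the Azure Key Vault.
.PARAMETER ClientId
[Optional] The client ID of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
.PARAMETER ClientSecret
[Optional] The client secret of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
Note that the secret is handed to the signing tool as a command-line argument.
.PARAMETER TenantId
[Optional] The tenant ID of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
.PARAMETER SigningEndpoint
The Azure Trusted Signing endpoint (TrustedSigning parameter set).
.PARAMETER SigningAccount
The Azure Trusted Signing account name (TrustedSigning parameter set).
.PARAMETER SigningCertificateProfile
The certificate profile within the Trusted Signing account (TrustedSigning parameter set).
.PARAMETER FilesToSign
The path to the file(s) to be signed. Supports wildcards.
.PARAMETER Description
The description to be included in the signature.
.PARAMETER DescriptionUrl
The URL to be included in the signature.
.PARAMETER TimestampService
The URL of the timestamp server.
.PARAMETER DigestAlgorithm
The digest algorithm to use for signing and timestamping.
.PARAMETER Verbosity
The verbosity level of the signing tool.
.EXAMPLE
Invoke-SigningTool -KeyVaultName "my-key-vault" -CertificateName "my-certificatename" -ClientId "my-client-id" -ClientSecret "my-client-secret" -TenantId "my-tenant-id" `
-FilesToSign "C:\path\to\files\*.app" -Description "Signed with AL-Go for GitHub" -DescriptionUrl "github.com/myorg/myrepo"
.EXAMPLE
Invoke-SigningTool -KeyVaultName "my-key-vault" -CertificateName "my-certificatename" -FilesToSign "C:\path\to\files\*.app" -Description "Signed with AL-Go for GitHub" -DescriptionUrl "github.com/myorg/myrepo"
#>
function Invoke-SigningTool() {
    param(
        [Parameter(Mandatory = $true, ParameterSetName="KeyVaultSigning")]
        [string] $KeyVaultName,
        [Parameter(Mandatory = $true, ParameterSetName="KeyVaultSigning")]
        [string] $CertificateName,
        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
        [string] $ClientId,
        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
        [string] $ClientSecret,
        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
        [string] $TenantId,
        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
        [string] $SigningEndpoint,
        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
        [string] $SigningAccount,
        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
        [string] $SigningCertificateProfile,
        [Parameter(Mandatory = $true)]
        [string] $FilesToSign,
        [Parameter(Mandatory = $true)]
        [string] $Description,
        [Parameter(Mandatory = $true)]
        [string] $DescriptionUrl,
        [Parameter(Mandatory = $false)]
        [string] $TimestampService = "http://timestamp.digicert.com",
        [Parameter(Mandatory = $false)]
        [string] $DigestAlgorithm = "sha256",
        [Parameter(Mandatory = $false)]
        [string] $Verbosity = "Information"
    )
    # The vault name is interpolated into "https://<name>.vault.azure.net/" below.
    # Restricting it to the characters an Azure Key Vault name can contain keeps a
    # crafted value (one with '/', '.', '#', ...) from pointing the tool at a
    # different host or path.
    if ($PsCmdlet.ParameterSetName -eq "KeyVaultSigning" -and $KeyVaultName -notmatch '^[A-Za-z0-9-]+$') {
        throw "Invalid Key Vault name '$KeyVaultName'. Only letters, digits and hyphens are allowed."
    }
    $signingToolExe = Install-SigningTool
    # Options that are identical for every authentication mode
    $commonArgs = @(
        "--description", $Description,
        "--description-url", $DescriptionUrl,
        "--file-digest", $DigestAlgorithm,
        "--timestamp-digest", $DigestAlgorithm,
        "--timestamp-url", $TimestampService,
        "--verbosity", $Verbosity
    )
    if ($PsCmdlet.ParameterSetName -eq "TrustedSigning") {
        Write-Host "Invoking signing tool using trusted signing"
        $signCommand = "trusted-signing"
        $authArgs = @(
            "--trusted-signing-endpoint", $SigningEndpoint,
            "--trusted-signing-account", $SigningAccount,
            "--trusted-signing-certificate-profile", $SigningCertificateProfile
        )
    }
    else {
        $signCommand = "azure-key-vault"
        $authArgs = @(
            "--azure-key-vault-url", "https://$KeyVaultName.vault.azure.net/",
            "--azure-key-vault-certificate", $CertificateName
        )
        if ($ClientId -and $ClientSecret -and $TenantId) {
            Write-Host "Invoking signing tool using clientId/clientSecret"
            # NOTE(review): the client secret travels on the command line of the
            # child process and is therefore readable by anything on the runner
            # that can inspect process arguments, and by any command tracing of
            # this script. Prefer managed identity where the runner supports it.
            $authArgs += @(
                "--azure-key-vault-client-id", $ClientId,
                "--azure-key-vault-client-secret", $ClientSecret,
                "--azure-key-vault-tenant-id", $TenantId
            )
        }
        else {
            Write-Host "Invoking signing tool using managed identity"
            # $true is rendered as the string "True" on the command line, as before
            $authArgs += @("--azure-key-vault-managed-identity", $true)
        }
    }
    # Array arguments are expanded into one argument per element for native commands.
    # $FilesToSign is passed through unexpanded; the tool resolves the wildcard itself.
    & $signingToolExe code $signCommand $authArgs $commonArgs $FilesToSign
    # Without this check a failed signing run would leave unsigned artifacts behind
    # while the calling workflow continues as if everything had been signed.
    if ($LASTEXITCODE -ne 0) {
        throw "Signing tool failed with exit code $LASTEXITCODE."
    }
}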
# Only the public entry point is exported; Install-SigningTool and
# AssertNugetSourceIsAdded remain private to the module.
Export-ModuleMember -Function @('Invoke-SigningTool')