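<#
.SYNOPSIS
Signs one or more files with AzureSignTool using a certificate held in Azure Key Vault.
.DESCRIPTION
Wraps the AzureSignTool .NET global tool. If AzureSignTool.exe is not present under
$env:USERPROFILE\.dotnet\tools it is installed with "dotnet tool install --global azuresigntool"
before signing. Each target file is then Authenticode-signed with the Key Vault certificate
named by -CertFile (SHA-256 file and timestamp digests, RFC 3161 timestamp from
http://timestamp.digicert.com). The Key Vault URL and the description URL (-du) are
hard-coded in this function. Windows-only: relies on $env:USERPROFILE and a .exe tool path.
More information for AzureSignTool can be found here: https://github.com/vcsjones/AzureSignTool
Examples for using AzureSignTool directly for pipelines can be found here: https://github.com/vcsjones/AzureSignTool/blob/main/WALKTHROUGH.md
.PARAMETER CertFile
The name of the certificate in Azure Key Vault to use for signing (passed as -kvc).
.PARAMETER SignSecret
The client secret used to authenticate to Azure Key Vault (passed as -kvs). It is placed on
the AzureSignTool command line, so it is visible to anyone who can enumerate process
arguments on the build host while signing runs; keep it out of transcripts and traces
(e.g. Set-PSDebug -Trace) and prefer a short-lived, least-privilege credential.
.PARAMETER Description
The description to be embedded in the signature (passed as -d).
.PARAMETER TargetFile
The path of one or more files to be signed. Paths containing spaces are supported.
.PARAMETER Verbosity
Controls AzureSignTool output: 0 (default) runs it quietly (-q), 1 leaves its default
output, 2 runs it verbosely (-v) and also echoes the files being signed. Any other value
behaves like 0.
.PARAMETER ApplicationId
The GUID (client id) of the Azure application used to authenticate (passed as -kvi).
No default is applied by this function; when empty the -kvi switch is omitted.
TODO(review): the earlier help text referred to a default of rg-devops-prod that the code
never set - confirm whether a default is actually wanted here.
.PARAMETER DirectoryId
The GUID of the Azure directory (tenant) of that application (passed as -kvt).
No default is applied by this function; when empty the -kvt switch is omitted.
.OUTPUTS
None. A failed tool install or a non-zero AzureSignTool exit code is reported with
Write-Error (non-terminating), so callers should check $? or run with -ErrorAction Stop.
.EXAMPLE
Azure-SignFile -Description "My Application" -TargetFile "path\to\file.exe" -CertFile "myCert" -SignSecret "secret" -Verbosity 1
#>
function Azure-SignFile
{
    param (
        [Parameter(Mandatory)]
        [string] $CertFile,
        [Parameter(Mandatory)]
        [string] $SignSecret,
        [Parameter(Mandatory)]
        [string] $Description,
        [Parameter(Mandatory)]
        [string[]] $TargetFile,
        [Parameter()]
        [int] $Verbosity,
        [Parameter()]
        [string] $ApplicationId,
        [Parameter()]
        [string] $DirectoryId
    )

    # dotnet global tools are installed per user; this is their default location on Windows.
    $signtool = Join-Path $env:USERPROFILE ".dotnet\tools\AzureSignTool.exe"
    if (!(Test-Path -LiteralPath $signtool -PathType Leaf))
    {
        # TODO(review): consider pinning the tool with --version so the signing toolchain is
        # reproducible instead of floating to whatever the feed serves as latest at install time.
        & dotnet tool install --global azuresigntool
        # Re-check the path as well as the exit code: an install that "succeeded" but put the
        # tool elsewhere would otherwise surface as a confusing launch failure below.
        if ($LASTEXITCODE -ne 0 -or !(Test-Path -LiteralPath $signtool -PathType Leaf))
        {
            Write-Error "Failed to install azuresigntool"
            return
        }
    }

    # Build the argument list as an array so each value is passed to the tool as its own
    # token; the previous flat string was re-split on spaces and broke on paths or
    # descriptions containing whitespace.
    $arguments = @("sign")
    if ($Verbosity -eq 2)
    {
        $arguments += "-v"
    }
    elseif ($Verbosity -ne 1)
    {
        # 0 and any unexpected value run quietly, matching the original behaviour.
        $arguments += "-q"
    }
    $arguments += @(
        "-tr", "http://timestamp.digicert.com",
        "-td", "sha256",
        "-fd", "sha256",
        "-d", $Description,
        "-du", "https://www.synergex.com",
        "-kvu", "https://kv-synergex-premium-prod.vault.azure.net",
        "-kvs", $SignSecret
    )
    # An empty client/tenant id is never valid; omitting the switch lets AzureSignTool
    # report the missing value instead of receiving an empty (or dropped) argument.
    if ($ApplicationId)
    {
        $arguments += @("-kvi", $ApplicationId)
    }
    if ($DirectoryId)
    {
        $arguments += @("-kvt", $DirectoryId)
    }
    $arguments += @("-kvc", $CertFile)
    $arguments += $TargetFile

    if ($Verbosity -eq 2)
    {
        Write-Host "Signing $TargetFile"
    }

    # Invoke the tool directly (synchronous, same console) rather than via Start-Process,
    # which joins its -ArgumentList without quoting and would mangle values with spaces.
    & $signtool @arguments
    if ($LASTEXITCODE -ne 0)
    {
        Write-Error "Failed to sign files"
    }
}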