forked from anomalyco/opencode
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsign-windows.ps1
More file actions
70 lines (57 loc) · 2.25 KB
/
sign-windows.ps1
File metadata and controls
70 lines (57 loc) · 2.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
param(
[Parameter(ValueFromRemainingArguments = $true)]
[string[]] $Path
)
$ErrorActionPreference = "Stop"
if (-not $Path -or $Path.Count -eq 0) {
throw "At least one path is required"
}
if ($env:GITHUB_ACTIONS -ne "true") {
Write-Host "Skipping Windows signing because this is not running on GitHub Actions"
exit 0
}
$vars = @{
endpoint = $env:AZURE_TRUSTED_SIGNING_ENDPOINT
account = $env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME
profile = $env:AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE
}
if ($vars.Values | Where-Object { -not $_ }) {
Write-Host "Skipping Windows signing because Azure Artifact Signing is not configured"
exit 0
}
$moduleVersion = "0.5.8"
$module = Get-Module -ListAvailable -Name TrustedSigning | Where-Object { $_.Version -eq [version] $moduleVersion }
if (-not $module) {
try {
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser | Out-Null
}
catch {
Write-Host "NuGet package provider install skipped: $($_.Exception.Message)"
}
Install-Module -Name TrustedSigning -RequiredVersion $moduleVersion -Force -Repository PSGallery -Scope CurrentUser
}
Import-Module TrustedSigning -RequiredVersion $moduleVersion -Force
$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique)
if (-not $files -or $files.Count -eq 0) {
throw "No files matched the requested paths"
}
$params = @{
Endpoint = $vars.endpoint
CodeSigningAccountName = $vars.account
CertificateProfileName = $vars.profile
Files = ($files -join ",")
FileDigest = "SHA256"
TimestampDigest = "SHA256"
TimestampRfc3161 = "http://timestamp.acs.microsoft.com"
ExcludeEnvironmentCredential = $true
ExcludeWorkloadIdentityCredential = $true
ExcludeManagedIdentityCredential = $true
ExcludeSharedTokenCacheCredential = $true
ExcludeVisualStudioCredential = $true
ExcludeVisualStudioCodeCredential = $true
ExcludeAzureCliCredential = $false
ExcludeAzurePowerShellCredential = $true
ExcludeAzureDeveloperCliCredential = $true
ExcludeInteractiveBrowserCredential = $true
}
Invoke-TrustedSigning @params