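name: Sign PowerShell Scripts
# Based on https://tech.nicolonsky.ch/github-actions-powershell-signing/
#
# Signs every *.ps1 file in the checked-out repository with a code-signing
# certificate supplied through two repository secrets (BASE64_PFX: the
# base64-encoded PFX; PFX_PASSWORD: its password) and publishes the signed
# tree as a workflow artifact.
on:
  push:
    # No branch is called "none", so the workflow never triggers on its own;
    # replace the list (or add workflow_dispatch) to enable it.
    branches: [none]
# Least privilege for the job token: the job only reads the repository.
permissions:
  contents: read
env:
  ARTIFACT_NAME: PowerShell.Workflows.ScriptSigning
  # RFC 3161 timestamp authority. A timestamped signature stays valid after
  # the signing certificate itself expires.
  TIMESTAMP_SERVER: http://timestamp.comodoca.com/rfc3161
jobs:
  sign_scripts:
    name: Sign and publish PowerShell scripts as pipeline artifacts
    runs-on: windows-2019
    steps:
      - name: Import code signing certificate
        shell: powershell
        run: |
          # Decode the PFX into the runner temp directory, import it into the
          # current user's personal store and delete the file again: the
          # private key only needs to live in the certificate store.
          $pfxCertFilePath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "CodeSigningCertificate.pfx"
          try {
            [System.IO.File]::WriteAllBytes($pfxCertFilePath, [System.Convert]::FromBase64String($env:BASE64_PFX))
            $pfxPassword = $env:PFX_PASSWORD | ConvertTo-SecureString -AsPlainText -Force
            $importArgs = @{
              FilePath          = $pfxCertFilePath
              Password          = $pfxPassword
              CertStoreLocation = "Cert:\CurrentUser\My"
            }
            $codeSigningCert = Import-PfxCertificate @importArgs
          }
          finally {
            if (Test-Path -Path $pfxCertFilePath) {
              Remove-Item -Path $pfxCertFilePath -Force
            }
          }
          # Hand the thumbprint (public data, not a secret) to later steps so
          # they use exactly this certificate and can remove it afterwards.
          "CODE_SIGNING_THUMBPRINT=$($codeSigningCert.Thumbprint)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        env:
          BASE64_PFX: ${{ secrets.BASE64_PFX }}
          PFX_PASSWORD: ${{ secrets.PFX_PASSWORD }}
      - name: Check out repository
        # Supply-chain hygiene: consider pinning third-party actions to a full
        # commit SHA instead of a mutable tag.
        uses: actions/checkout@v2
      - name: Sign PowerShell scripts
        shell: powershell
        run: |
          # Drop git metadata (.git, .github, .gitignore, ...) so it is not
          # shipped inside the artifact.
          Get-ChildItem -Path "." -Filter ".git*" -Force | ForEach-Object { Remove-Item -Path $_.FullName -Recurse -Force }
          # -File keeps a directory that happens to be named *.ps1 out of the list.
          $scripts = Get-ChildItem -Path . -Filter "*.ps1" -Recurse -File -ErrorAction Stop
          # Look the certificate up by the thumbprint exported by the import
          # step instead of taking whatever code-signing certificate the store
          # happens to list first (matters on self-hosted runners).
          if (-not $env:CODE_SIGNING_THUMBPRINT) {
            throw "CODE_SIGNING_THUMBPRINT is not set; did the import step run?"
          }
          $codeSigningCert = Get-Item -Path "Cert:\CurrentUser\My\$env:CODE_SIGNING_THUMBPRINT" -ErrorAction SilentlyContinue
          if (-not $codeSigningCert) {
            throw "Code signing certificate $env:CODE_SIGNING_THUMBPRINT not found in Cert:\CurrentUser\My"
          }
          $failed = 0
          foreach ($script in $scripts) {
            Write-Output "Signing script `"$($script.Name)`" with certificate `"$($codeSigningCert.Thumbprint)`""
            try {
              $signature = Set-AuthenticodeSignature -Certificate $codeSigningCert -FilePath $script.FullName -TimestampServer $env:TIMESTAMP_SERVER -ErrorAction Stop
              # Set-AuthenticodeSignature reports some failures only through
              # the returned Status; anything but Valid means the file is not
              # properly signed and must not reach the artifact.
              if ($signature.Status -ne 'Valid') {
                throw "Signature status for `"$($script.Name)`" is $($signature.Status): $($signature.StatusMessage)"
              }
            }
            catch {
              $failed++
              # -ErrorAction Continue keeps the loop going even though the
              # runner runs this script with a Stop error preference; the
              # step still fails below once every file has been attempted.
              Write-Error "Failed to sign `"$($script.FullName)`": $_" -ErrorAction Continue
            }
          }
          if ($failed -gt 0) {
            throw "$failed of $($scripts.Count) script(s) could not be signed"
          }
      - name: Publish artifacts
        # Uploads the whole workspace (git metadata removed above).
        # Consider pinning to a full commit SHA.
        uses: actions/upload-artifact@v2
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: .
      - name: Remove code signing certificate from the runner
        # Hosted runners are discarded after the job, but on a self-hosted
        # runner the private key would otherwise stay in the user store.
        if: always()
        shell: powershell
        run: |
          if ($env:CODE_SIGNING_THUMBPRINT) {
            Remove-Item -Path "Cert:\CurrentUser\My\$env:CODE_SIGNING_THUMBPRINT" -DeleteKey -Force -ErrorAction SilentlyContinue
          }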