Add Authenticode signing support for PowerShell modules (#92)
## Summary
This PR adds comprehensive Authenticode code-signing capabilities to
PowerShellBuild, enabling modules to be signed with digital certificates
from multiple sources. It includes three new public functions and
corresponding build tasks for signing module files and creating/signing
Windows catalog files.
## Key Changes
- **New Function: `Get-PSBuildCertificate`** - Resolves code-signing
  X509Certificate2 objects from five different sources:
  - Auto (environment variable or certificate store, configurable)
  - Windows certificate store (with optional thumbprint filtering)
  - Base64-encoded PFX from environment variables (CI/CD pipelines)
  - PFX files on disk with optional password protection
  - Pre-resolved certificate objects (for custom providers like Azure Key
    Vault)
- **New Function: `Invoke-PSBuildModuleSigning`** - Signs PowerShell
  module files (*.psd1, *.psm1, *.ps1) with Authenticode signatures,
  supporting configurable timestamp servers and hash algorithms (SHA256,
  SHA384, SHA512, SHA1)
- **New Function: `New-PSBuildFileCatalog`** - Creates Windows catalog
  (.cat) files that record cryptographic hashes of module contents for
  tamper detection
- **New Build Tasks** - Added to both psakeFile.ps1 and IB.tasks.ps1:
  - `SignModule` - Signs module files with Authenticode
  - `BuildCatalog` - Creates a Windows catalog file
  - `SignCatalog` - Signs the catalog file
  - `Sign` - Meta-task that orchestrates the full signing pipeline
- **Configuration** - Extended `build.properties.ps1` with comprehensive
  `Sign` configuration section supporting:
  - Certificate source selection and parameters
  - Timestamp server configuration
  - Hash algorithm selection
  - File inclusion patterns
  - Catalog generation settings (version, filename)
- **Localization** - Added localized messages for certificate
  resolution, file signing, and catalog creation
## Implementation Details
- All signing operations include platform checks (Windows-only) with
  appropriate warnings
- Pre-condition checks ensure signing is only attempted when enabled and
  dependencies are available
- Certificate resolution supports both explicit configuration and
  environment-based auto-detection
- Task dependencies ensure proper execution order: Build → SignModule →
  BuildCatalog → SignCatalog
- Verbose logging throughout for troubleshooting certificate resolution
  and signing operations
https://claude.ai/code/session_01Bt5Xb9HLoSppQ22PQUTyGP
---------
Co-authored-by: Claude <noreply@anthropic.com>
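The pipeline the commit message describes (resolve a certificate, sign the module files, build a catalog, sign the catalog, verify) end to end, as an added example written for this review; it is not code from this PR or from PowerShellBuild. It uses only the built-in Microsoft.PowerShell.Security cmdlets (`Set-AuthenticodeSignature`, `New-FileCatalog`, `Test-FileCatalog`, `Get-AuthenticodeSignature`). The environment variable names, the thumbprint variable, the timestamp server URL, the module path in the usage comment and the key-storage flag are assumptions for the example, and the verification step at the end goes slightly beyond the PR text by checking that the resolved certificate actually carries the Code Signing EKU and a private key before anything is signed:

```powershell
#Requires -Version 5.1
# Added example, not PowerShellBuild code. Requires Windows for the
# Authenticode and catalog cmdlets. Env var names, paths and the timestamp
# server below are assumptions.
using namespace System.Security.Cryptography.X509Certificates

function Resolve-SigningCertificate {
    # Two of the sources the PR lists: a Base64 PFX in an environment variable
    # (CI) or the current user's certificate store filtered by thumbprint.
    [CmdletBinding()]
    param(
        [string]$Base64Env   = 'PSB_SIGNING_CERT_BASE64',    # assumed name
        [string]$PasswordEnv = 'PSB_SIGNING_CERT_PASSWORD',  # assumed name
        [string]$Thumbprint
    )
    $pfxB64 = [Environment]::GetEnvironmentVariable($Base64Env)
    if ($pfxB64) {
        $bytes = [Convert]::FromBase64String($pfxB64)
        $pw    = [Environment]::GetEnvironmentVariable($PasswordEnv)
        # Key-storage flag is an assumption; Exportable keeps the key usable
        # by the signing cmdlet without writing it to a persistent store.
        $cert = [X509Certificate2]::new($bytes, $pw, [X509KeyStorageFlags]::Exportable)
    } else {
        $certs = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
        if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
        $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    }
    if (-not $cert) { throw 'No code-signing certificate could be resolved.' }

    # Checks a build should make before signing anything: private key present,
    # Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) present, certificate not expired.
    $eku    = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $hasEku = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }
    if (-not $hasEku)             { throw "Certificate $($cert.Thumbprint) lacks the Code Signing EKU." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is expired." }
    return $cert
}

function Invoke-ModuleSigning {
    # Build -> SignModule -> BuildCatalog -> SignCatalog, returning the catalog path.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string]$TimestampServer = 'http://timestamp.digicert.com',  # assumed
        [ValidateSet('SHA256', 'SHA384', 'SHA512')][string]$HashAlgorithm = 'SHA256',
        [string]$CatalogVersion = '2.0'
    )
    if (-not (Get-Command -Name Set-AuthenticodeSignature -ErrorAction Ignore)) {
        throw 'Set-AuthenticodeSignature is not available; signing requires Windows.'
    }
    $files = Get-ChildItem -Path $ModulePath -Recurse -File |
        Where-Object { $_.Extension -in '.psd1', '.psm1', '.ps1' }
    foreach ($f in $files) {
        $sig = Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $Certificate `
            -TimestampServer $TimestampServer -HashAlgorithm $HashAlgorithm -IncludeChain NotRoot
        if ($sig.Status -ne 'Valid') { throw "Signing failed for $($f.FullName): $($sig.StatusMessage)" }
    }
    # The catalog records a hash of every file in the module, so any later edit
    # to a file (signed or not) fails Test-FileCatalog.
    $catalog = Join-Path $ModulePath ((Split-Path -Path $ModulePath -Leaf) + '.cat')
    New-FileCatalog -Path $ModulePath -CatalogFilePath $catalog -CatalogVersion $CatalogVersion | Out-Null
    $catSig = Set-AuthenticodeSignature -FilePath $catalog -Certificate $Certificate `
        -TimestampServer $TimestampServer -HashAlgorithm $HashAlgorithm -IncludeChain NotRoot
    if ($catSig.Status -ne 'Valid') { throw "Catalog signing failed: $($catSig.StatusMessage)" }
    return $catalog
}

function Test-ModuleSigning {
    # Consumer-side verification: every script file and the catalog must carry a
    # valid signature, and the catalog hashes must still match the files.
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        [Parameter(Mandatory)][string]$CatalogPath
    )
    $invalid = Get-ChildItem -Path $ModulePath -Recurse -File |
        Where-Object { $_.Extension -in '.psd1', '.psm1', '.ps1', '.cat' } |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object Status -ne 'Valid'
    $catalogOk = (Test-FileCatalog -CatalogFilePath $CatalogPath -Path $ModulePath) -eq 'Valid'
    [pscustomobject]@{
        InvalidSignatures = @($invalid | ForEach-Object Path)
        CatalogValid      = $catalogOk
    }
}

# Usage (paths and variable names assumed):
# $cert = Resolve-SigningCertificate -Thumbprint $env:PSB_SIGNING_THUMBPRINT
# $cat  = Invoke-ModuleSigning -ModulePath .\Output\MyModule -Certificate $cert
# Test-ModuleSigning -ModulePath .\Output\MyModule -CatalogPath $cat
```

`Test-ModuleSigning` is the part a build pipeline would run after `Sign` as a gate: a non-empty `InvalidSignatures` list or `CatalogValid = $false` means either a file was missed by the inclusion pattern, a timestamp or chain problem left a signature in `UnknownError`/`NotTrusted`, or something modified the module after the catalog was built.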
if ([String]$PSBPreference.Build.Dependencies-ne [String]$__DefaultBuildDependencies) {
191
191
throw [NotSupportedException]'You cannot use $PSBPreference.Build.Dependencies with Invoke-Build. Please instead redefine the build task or your default task to include your dependencies. Example: Task . Dependency1,Dependency2,Build,Test or Task Build Dependency1,Dependency2,StageFiles'
192
192
}
193
-
},StageFiles,BuildHelp
193
+
},StageFiles,BuildHelp
194
194
195
195
# Synopsis: Execute Pester and ScriptAnalyzer tests
196
-
task Test Analyze,Pester
196
+
Task Test Analyze,Pester
197
197
198
-
task . Build,Test
198
+
Task . Build, Test
199
+
200
+
# Synopsis: Signs module files (*.psd1, *.psm1, *.ps1) with an Authenticode signature
201
+
Task SignModule -If {
202
+
if (-not$PSBPreference.Sign.Enabled) {
203
+
Write-Warning'Module signing is not enabled.'
204
+
return$false
205
+
}
206
+
if (-not (Get-Command-Name 'Set-AuthenticodeSignature'-ErrorAction Ignore)) {
207
+
Write-Warning'Set-AuthenticodeSignature is not available. Module signing requires Windows.'
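Review bot: the `-If` block for `SignModule` emits `Write-Warning 'Module signing is not enabled.'` whenever `$PSBPreference.Sign.Enabled` is false, which is the state most consumers of this build file will be in, so a plain `Invoke-Build` run on an unsigned project now prints a warning on every build; consider `Write-Verbose` for the disabled case and keep `Write-Warning` for the `Get-Command -Name 'Set-AuthenticodeSignature'` failure, which is a genuinely unexpected condition once signing has been turned on. The hunk is cut off before the task body, so the path taken when `Get-PSBuildCertificate` cannot resolve a certificate is not visible here and should be checked in the full diff. Minor: the casing churn (`task` to `Task`) and the added space in `Task . Build, Test` are unrelated to signing and would be easier to review as a separate commit.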