Sign PowerShell Scripts #45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sign PowerShell Scripts | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '**.ps1' | |
| - '**.psm1' | |
| - '**.psd1' | |
| jobs: | |
| sign_scripts: | |
| name: Sign PowerShell scripts | |
| runs-on: windows-2022 | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| - name: Sign powershell script | |
| shell: powershell | |
| env: | |
| PFX_CERT: ${{ secrets.PFX_CERT }} | |
| run: | | |
| Set-Content -Value $([System.Convert]::FromBase64String($env:PFX_CERT)) -Path .\mondoo_code_signing_cert.pfx -Encoding Byte | |
| # sign install.sh and ensure proper encoding as UTF8 NoBOM | |
| $filename = 'install.ps1' | |
| $content = Get-Content $filename | |
| [IO.File]::WriteAllLines($filename, $content) | |
| Set-AuthenticodeSignature -Certificate (Get-PfxCertificate -FilePath .\mondoo_code_signing_cert.pfx) -FilePath $filename -TimestampServer 'http://timestamp.digicert.com' -HashAlgorithm 'SHA256' | |
| (Get-AuthenticodeSignature "$filename").Status -eq 'Valid' | |
| # sign download.sh and ensure proper encoding as UTF8 NoBOM | |
| $filename = 'download.ps1' | |
| $content = Get-Content $filename | |
| [IO.File]::WriteAllLines($filename, $content) | |
| Set-AuthenticodeSignature -Certificate (Get-PfxCertificate -FilePath .\mondoo_code_signing_cert.pfx) -FilePath $filename -TimestampServer 'http://timestamp.digicert.com' -HashAlgorithm 'SHA256' | |
| (Get-AuthenticodeSignature "$filename").Status -eq 'Valid' | |
| # sign Mondoo.Installer.psm1 and ensure proper encoding as UTF8 NoBOM | |
| $filename = './powershell/Mondoo.Installer/Mondoo.Installer.psm1' | |
| $content = Get-Content $filename | |
| [IO.File]::WriteAllLines($filename, $content) | |
| Set-AuthenticodeSignature -Certificate (Get-PfxCertificate -FilePath .\mondoo_code_signing_cert.pfx) -FilePath $filename -TimestampServer 'http://timestamp.digicert.com' -HashAlgorithm 'SHA256' | |
| (Get-AuthenticodeSignature "$filename").Status -eq 'Valid' | |
| # sign Mondoo.Installer.psd1 and ensure proper encoding as UTF8 NoBOM | |
| $filename = './powershell/Mondoo.Installer/Mondoo.Installer.psd1' | |
| $content = Get-Content $filename | |
| [IO.File]::WriteAllLines($filename, $content) | |
| Set-AuthenticodeSignature -Certificate (Get-PfxCertificate -FilePath .\mondoo_code_signing_cert.pfx) -FilePath $filename -TimestampServer 'http://timestamp.digicert.com' -HashAlgorithm 'SHA256' | |
| (Get-AuthenticodeSignature "$filename").Status -eq 'Valid' | |
| # ensure windows line-feed | |
| git config --global core.autocrlf true | |
| # commit changes | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "Mondoo Tools" | |
| git add install.ps1 | |
| git add download.ps1 | |
| git add powershell/Mondoo.Installer/Mondoo.Installer.psm1 | |
| git add powershell/Mondoo.Installer/Mondoo.Installer.psd1 | |
| git commit -m "Sign powershell scripts" | |
| git push |