From 4a50a3194e8c6727b9f4c6e90c7bfec1340422a4 Mon Sep 17 00:00:00 2001
From: AdmiringWorm
Date: Wed, 22 May 2024 15:36:02 +0200
Subject: [PATCH 1/2] (#155) Keep directory structure for signed scripts

This updates how scripts that are signed will be handled, by using the same directory structure in the output folder as is relative for the now new parameter for a Root Folder. This allows multiple files to be signed that have the same name, without them replacing eachother.
---
 .../Content/sign-powershell.ps1 | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/Chocolatey.Cake.Recipe/Content/sign-powershell.ps1 b/Chocolatey.Cake.Recipe/Content/sign-powershell.ps1
index 5d4d034..fd8bf72 100644
--- a/Chocolatey.Cake.Recipe/Content/sign-powershell.ps1
+++ b/Chocolatey.Cake.Recipe/Content/sign-powershell.ps1
@@ -23,6 +23,10 @@ Param(
 [String]
 $OutputFolder,
 
+ [Parameter()]
+ [string]
+ $RootFolder,
+
 [Parameter()]
 [String]
 $TimeStampServer,
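Review bot: The new `$RootFolder` parameter is declared `[string]` while every neighbouring parameter in this Param block uses `[String]`; match the file's casing. The value is later handed straight to Push-Location (in the second hunk), so a non-existent or file path only fails at that point; adding `[ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]` above `[string]` would reject a bad root at parameter binding instead, while still allowing the parameter to be omitted so the later default applies. The Param block starts and ends outside this hunk.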
@@ -61,21 +65,32 @@ if ($Cert) {
 'Cert' = $Cert
 }
 
+ if (!$RootFolder) {
+ $RootFolder = Resolve-Path "./"
+ }
+
+ Push-Location $RootFolder
+
 foreach ($Script in $ScriptsToSign) {
 $ExistingSig = Get-AuthenticodeSignature -FilePath $Script
 if ($ExistingSig.Status -ne 'Valid' -or $ExistingSig.SignerCertificate.Issuer -notmatch 'DigiCert' -or $ExistingSig.SignerCertificate.NotAfter -lt [datetime]::Now) {
+ $relativePath = (Resolve-Path -Relative -LiteralPath $Script).TrimStart('.', '/', '\')
+ $destinationPath = Join-Path $OutputFolder $relativePath
+ $destinationFolder = Split-Path -Parent $destinationPath
 $NewSig = Set-AuthenticodeSignature -FilePath $Script @CommonSignParams
 Write-Host "Script file '$Script' signed with status: $($NewSig.Status)"
- if (!(Test-Path -Path $OutputFolder)) {
- $null = New-Item -Path $OutputFolder -Type Directory
+ if (!(Test-Path -Path $destinationFolder)) {
+ $null = New-Item -Path $destinationFolder -Type Directory -Force
 }
- Copy-Item -Path $Script -Destination $OutputFolder
+ Copy-Item -Path $Script -Destination $destinationPath
 } else {
 Write-Host "Script file '$Script' does not need signing, current signature is valid."
 }
 }
+
+ Pop-Location
 } else {
 Write-Warning "Skipping script signing, no currently valid DigiCert issued Authenticode signing certificate matching '$($CertificateSubjectName)' was found."
 }
\ No newline at end of file
From 7c0e543ef921664b041cf8cfef7b17b70ce288c2 Mon Sep 17 00:00:00 2001
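Review bot: `Push-Location $RootFolder` and the new `Pop-Location` are not paired in a try/finally, so a terminating error from Set-AuthenticodeSignature, New-Item or Copy-Item leaves the caller's working directory switched to the root folder. Separately, `TrimStart('.', '/', '\')` on the output of `Resolve-Path -Relative` strips every leading dot and separator, so a script that lives outside `$RootFolder` resolves to something like `..\..\dir\name.ps1` and is quietly flattened to `dir\name.ps1` under `$OutputFolder` — reintroducing the same-name collision this change is meant to remove — and a dot-prefixed file name would lose its leading dot as well; the relative path should be checked and rejected when it escapes the root (a different drive on Windows would presumably come back as a rooted path, hence the second test below). Also note that after Push-Location any relative value callers pass for `$Script` or `$OutputFolder` is now interpreted against `$RootFolder` rather than the original location, which may or may not be intended. The enclosing `if ($Cert)` block and the script body start before this hunk.
```powershell
    Push-Location $RootFolder
    try {
        foreach ($Script in $ScriptsToSign) {
            # … unchanged: existing-signature check …
                $relativePath = Resolve-Path -Relative -LiteralPath $Script
                if ($relativePath -match '^\.\.[\\/]' -or [System.IO.Path]::IsPathRooted($relativePath)) {
                    throw "Script '$Script' is not located under the root folder '$RootFolder'."
                }
                $relativePath = $relativePath.TrimStart('.', '/', '\')
                $destinationPath = Join-Path $OutputFolder $relativePath
                # … unchanged: destination folder, signing, copy, else branch …
        }
    }
    finally {
        Pop-Location
    }
```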
From: AdmiringWorm
Date: Wed, 22 May 2024 15:37:45 +0200
Subject: [PATCH 2/2] (#155) Create zip archive for signed scripts

This updates the signing process of PowerShell scripts, to instead of uploading them as artifacts in an uncompressed way that requires downloading multiple files, we instead create a zip archive of the scripts while preserving the directory structure where the files came from. This allows it to be easier in the future when changes have been made, and we only need to extract a single archive without having to manually figure out where the files need to be located.
---
 Chocolatey.Cake.Recipe/Content/sign.cake | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Chocolatey.Cake.Recipe/Content/sign.cake b/Chocolatey.Cake.Recipe/Content/sign.cake
index c89fea8..bb3aa7c 100644
--- a/Chocolatey.Cake.Recipe/Content/sign.cake
+++ b/Chocolatey.Cake.Recipe/Content/sign.cake
@@ -97,10 +97,11 @@ BuildParameters.Tasks.SignPowerShellScriptsTask = Task("Sign-PowerShellScripts")
 });
 }
 
- foreach (var signedFile in GetFiles(BuildParameters.Paths.Directories.SignedFiles + "/**/*"))
- {
- BuildParameters.BuildProvider.UploadArtifact(signedFile);
- }
+ var files = GetFiles(BuildParameters.Paths.Directories.SignedFiles + "/**/*") - GetFiles(BuildParameters.Paths.Directories.SignedFiles + "/**/*.zip");
+ var destination = BuildParameters.Paths.Directories.SignedFiles.CombineWithFilePath("SignedFiles.zip");
+ Zip(BuildParameters.Paths.Directories.SignedFiles, destination, files);
+
+ BuildParameters.BuildProvider.UploadArtifact(destination);
 }
 else
 {
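Review bot: The Zip and UploadArtifact calls now run unconditionally, whereas the removed foreach did nothing when no file needed re-signing; the signing script only copies scripts whose signature was missing or invalid, so `files` can legitimately be empty, and the build would then create and publish an empty `SignedFiles.zip` (or fail inside Zip on an empty set — I have not confirmed which). Guard the two calls: `if (files.Count > 0) { Zip(BuildParameters.Paths.Directories.SignedFiles, destination, files); BuildParameters.BuildProvider.UploadArtifact(destination); }`. The `- GetFiles(... "/**/*.zip")` subtraction is what stops a previous run's archive from being nested into the new one because the zip is written into the directory being globbed; a one-line comment saying so, `// exclude an archive left by a previous run so it is not zipped into the new one`, would keep the next maintainer from "simplifying" it away. The task body this belongs to starts before and ends after the hunk.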