
Switch to only signing PowerShell scripts when required #149

Closed
2 tasks done
gep13 opened this issue May 14, 2024 · 1 comment · Fixed by #150
Comments


gep13 commented May 14, 2024

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

Currently, Chocolatey.Cake.Recipe signs each and every PowerShell script, when the official signing certificate is in place on the build server. This is wasteful, and we should only sign scripts if/when required.

Describe The Solution. Why is it needed?

All PowerShell scripts should be signed with the official certificate, and committed directly in the repository. Then, a verification task should be completed to check that the signature assigned to the file is valid, and if it isn't, the build should fail.

At this point, another task should be created to sign the files, and this will be executed when the official certificate is in place on the build server.

Additional Context

N/A

Related Issues

N/A

@gep13 gep13 added Improvement Issues that enhances existing functionality, or adds new features 0 - Backlog Issue is accepted, but is not ready to be worked on or not in current sprint labels May 14, 2024
@gep13 gep13 added this to the 0.28.0 milestone May 14, 2024
@gep13 gep13 self-assigned this May 14, 2024
gep13 added a commit to gep13/Chocolatey.Cake.Recipe that referenced this issue May 14, 2024
We don't want to sign files when we don't need to.  Going forward,
PowerShell scripts are going to be signed when they are committed to
the repository and only re-signed when required.

This commit addresses this need by changing the DAG to use a new
Verify-PowerShellScripts task, rather than the Sign-PowerShellScripts
task.  The latter is still available to call directly, when required,
but only when a valid certificate is in place.

Supporting parameters and build directories have been created, to allow
control over what the tasks do, including the ability to skip the
verification step, using the --shouldVerifyPowerShellScripts command
line argument.

A new verify-powershell.ps1 file has been added to check the list of
incoming files, and the sign-powershell.ps1 has been updated to only
sign when the current signature is invalid.  To aid with getting the
signed files added back into the repository, the signed files are
uploaded as artifacts of the build.
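The verify-then-sign-only-when-required flow described in the issue body and in the commit message above, as an added PowerShell example; this is not the recipe's own verify-powershell.ps1 or sign-powershell.ps1. It assumes the scripts to check are passed in as file paths, that the signing certificate is found in the current user's personal store by a subject substring, and that an optional timestamp server URL is supplied by the caller (both are placeholders here).

```powershell
# Added example, not code from Chocolatey.Cake.Recipe.
# Returns one record per script whose Authenticode signature is not Valid.
# Status values of interest: NotSigned (never signed), HashMismatch (edited after
# signing), UnknownError (commonly an untrusted chain on this machine).
function Test-ScriptSignatures {
    param([Parameter(Mandatory)][string[]]$Path)
    $failures = foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File    = $file
                Status  = $sig.Status
                Message = $sig.StatusMessage
            }
        }
    }
    return @($failures)
}

# Signs only the scripts whose current signature is not Valid, so an already
# validly signed, unmodified script is left byte-for-byte unchanged.
# $CertificateSubject and $TimestampServer are assumptions (caller-supplied placeholders).
function Invoke-SignIfRequired {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$CertificateSubject,
        [string]$TimestampServer
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like "*$CertificateSubject*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate matching '$CertificateSubject' was found." }

    foreach ($file in $Path) {
        if ((Get-AuthenticodeSignature -FilePath $file).Status -eq 'Valid') {
            Write-Host "Skipping $file: signature already valid"
            continue
        }
        $signArgs = @{ FilePath = $file; Certificate = $cert; HashAlgorithm = 'SHA256' }
        if ($TimestampServer) { $signArgs['TimestampServer'] = $TimestampServer }
        $result = Set-AuthenticodeSignature @signArgs
        if ($result.Status -ne 'Valid') { throw "Signing $file failed: $($result.StatusMessage)" }
        Write-Host "Signed $file"
    }
}

# Verification step: fail the build if any script is not validly signed.
$scripts = Get-ChildItem -Path .\Source -Filter *.ps1 -Recurse | Select-Object -ExpandProperty FullName
$bad = Test-ScriptSignatures -Path $scripts
if ($bad.Count -gt 0) { $bad | Format-Table -AutoSize; exit 1 }
```

Note that Get-AuthenticodeSignature reports Valid only when the certificate chains to a root trusted on the build machine, so the verify step also catches a signing certificate that has been rotated without the chain being deployed.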
Windos added a commit that referenced this issue May 16, 2024
(#149) Switch to only signing when required
@gep13 gep13 added 4 - Done Code has been added to the repository, and has been reviewed by a team member and removed 0 - Backlog Issue is accepted, but is not ready to be worked on or not in current sprint labels May 16, 2024
gep13 added a commit that referenced this issue May 16, 2024
* release/0.28.0:
  (#149) Switch to only signing when required
  (#147) Update cert subject name + set via env var
@gep13 gep13 added 5 - Released The issue has been resolved, and released to the public for consumption and removed 4 - Done Code has been added to the repository, and has been reviewed by a team member labels May 16, 2024
@choco-bot

🎉 This issue has been resolved in version 0.28.0 🎉

The release is available on:

Your GitReleaseManager bot 📦 🚀
