(#149) Switch to only signing when required #150
Conversation
We don't want to sign files when we don't need to. Going forward, PowerShell scripts are going to be signed when they are committed to the repository and only re-signed when required. This commit addresses this need by changing the DAG to use a new Verify-PowerShellScipts task, rather than the Sign-PowerShellScripts task. The latter is still available to call directly, when required, but only when a valid certificate is in place. Supporting parameters and build directories have been created, to allow control over what the tasks due, including the ability to skip the verification step, using the --shouldVerifyPowerShellScripts command line argument. A new verify-powershell.ps1 file has been added to check the list of incoming files, and the sign-powershell.ps1 has been updated to only sign when the current signature is invalid. To aid with getting the signed files added to back into the repository, the signed files are uploaded as artifacts of the build.
There was a problem hiding this comment.
I've tested this as best I can, and all is looking good. Will wait until chatting with you before merging or any next steps.
Amongst the testing I did, I validated the logic in both the verify-powershell.ps1 and sign-powershell.ps1 scripts using the alternative signing certificate.
Initially, no scripts had a valid certificate. This is seen in the output of the verify script and the fact that it threw at the end of testing all scripts.
Next I manually signed three scripts, and the verify noted that these were now valid, but the rest weren't, and it still threw at the end as expected.
Next I ran the signing script, it saw that the three scripts I manually signed were already valid and signed the other 38 scripts. It copied only the scripts that it signed into the output directory as expected.
Next, the signing script was re-run. Everything at this point was valid so nothing needed signing and therefore nothing was copied to the output directory.
Finally, rerunning the verify script shows all signatures are now valid and it did not throw.
|
Thanks for getting this in, @gep13! |
Description Of Changes
This commit addresses this need by changing the DAG to use a new Verify-PowerShellScipts task, rather than the Sign-PowerShellScripts task. The latter is still available to call directly, when required, but only when a valid certificate is in place.
Supporting parameters and build directories have been created, to allow control over what the tasks due, including the ability to skip the verification step, using the --shouldVerifyPowerShellScripts command line argument.
A new verify-powershell.ps1 file has been added to check the list of incoming files, and the sign-powershell.ps1 has been updated to only sign when the current signature is invalid. To aid with getting the signed files added to back into the repository, the signed files are uploaded as artifacts of the build.
Motivation and Context
We don't want to sign files when we don't need to. Going forward, PowerShell scripts are going to be signed when they are committed to the repository and only re-signed when required.
Testing
This will be a tricky one to test 😢
This will need to be tested in conjunction with this PR, and also in conjunction with a new build configuration for calling the updated Sign-PowerShellScripts task.
Happy to jump on a quick call to discuss further.
Operating Systems Testing
N/A
Change Types Made
Change Checklist
Related Issue
Fixes #149