Skip to content

Add portable Authenticode PowerShell cmdlets #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Marc-André Moreau (mamoreau-devolutions) merged 10 commits into from
May 22, 2026
Merged

Add portable Authenticode PowerShell cmdlets #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9ba83d6
Add portable Authenticode PowerShell module
mamoreau-devolutions May 21, 2026
606921a
Close portable PowerShell Authenticode gaps
mamoreau-devolutions May 22, 2026
2d71d4e
Fix portable module PFX loading on macOS
mamoreau-devolutions May 22, 2026
8bc637d
Use exportable PFX key storage for portable module
mamoreau-devolutions May 22, 2026
7fe6037
Load PFX signing material in portable core
mamoreau-devolutions May 22, 2026
47f11e0
Align portable PowerShell signing parity
mamoreau-devolutions May 22, 2026
8927477
Split fast Unix formatting check
mamoreau-devolutions May 22, 2026
10c53ff
Parallelize Unix portable validation
mamoreau-devolutions May 22, 2026
d206d3c
Rename portable native library to psign-core
mamoreau-devolutions May 22, 2026
ca13eb6
Package PowerShell module from prebuilt psign-core
mamoreau-devolutions May 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 81 additions & 13 deletions .github/workflows/ci-unix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,20 +10,34 @@ jobs:
steps:
- uses: actions/checkout@v6

- name: Install Rust stable (rustfmt, clippy)
- name: Install Rust stable (rustfmt)
run: |
rustup toolchain install stable --profile minimal
rustup default stable
rustup component add rustfmt clippy --toolchain stable
rustup component add rustfmt --toolchain stable

- name: rustfmt
run: cargo fmt --all --check

- name: Cargo.lock consistency
run: cargo metadata --locked --format-version 1 > /dev/null

- name: clippy (portable digest + trust + Azure REST crates)
run: cargo clippy -p psign-sip-digest -p psign-digest-cli -p psign-authenticode-trust -p psign-codesigning-rest -p psign-azure-kv-rest --all-targets --locked -- -D warnings
portable-clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Install Rust stable (clippy)
run: |
rustup toolchain install stable --profile minimal
rustup default stable
rustup component add clippy --toolchain stable

- name: Cache cargo artifacts
uses: Swatinem/rust-cache@v2.9.1

- name: clippy (portable digest + trust + core + Azure REST crates)
run: cargo clippy -p psign-sip-digest -p psign-digest-cli -p psign-authenticode-trust -p psign-portable-core -p psign-portable-ffi -p psign-codesigning-rest -p psign-azure-kv-rest --all-targets --locked -- -D warnings

- name: clippy (digest-cli with artifact-signing-rest)
run: cargo clippy -p psign-digest-cli --all-targets --features artifact-signing-rest --locked -- -D warnings
Expand All @@ -37,29 +51,83 @@ jobs:
- name: clippy (psign portable lib)
run: cargo clippy -p psign --lib --locked -- -D warnings

portable-crate-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Install Rust stable
run: |
rustup toolchain install stable --profile minimal
rustup default stable

- name: Cache cargo artifacts
uses: Swatinem/rust-cache@v2.9.1

- name: SIP digest crate tests (no Win32)
run: cargo test -p psign-sip-digest --lib --locked

- name: Authenticode trust crate tests (no Win32)
run: cargo test -p psign-authenticode-trust --lib --locked

- name: Portable core crate tests (no Win32)
run: cargo test -p psign-portable-core --locked

- name: Portable FFI crate tests (no Win32)
run: cargo test -p psign-portable-ffi --locked

- name: Codesigning REST crate tests (no Win32)
run: cargo test -p psign-codesigning-rest --locked

- name: Azure KV REST crate tests (no Win32)
run: cargo test -p psign-azure-kv-rest --locked

- name: Portable digest CLI (integration smoke)
run: cargo test -p psign --test cli_pe_digest --locked

- name: Portable digest CLI (artifact-signing-rest subcommand)
run: cargo test -p psign --test cli_pe_digest --features artifact-signing-rest --locked

- name: Portable digest CLI (azure-kv-sign-portable subcommand)
run: cargo test -p psign --test cli_pe_digest --features azure-kv-sign --locked

- name: Check psign stub binary + portable lib
run: cargo check -p psign --bins --lib --locked

- name: Portable lib unit tests (native argv / response files)
run: cargo test -p psign --lib --locked

portable-cli-tests:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- name: integration-smoke
features: ""
- name: artifact-signing-rest
features: "--features artifact-signing-rest"
- name: azure-kv-sign-portable
features: "--features azure-kv-sign"
steps:
- uses: actions/checkout@v6

- name: Install Rust stable
run: |
rustup toolchain install stable --profile minimal
rustup default stable

- name: Cache cargo artifacts
uses: Swatinem/rust-cache@v2.9.1

- name: Portable digest CLI (${{ matrix.name }})
run: cargo test -p psign --test cli_pe_digest ${{ matrix.features }} --locked

portable-checks:
runs-on: ubuntu-latest
needs:
- portable-clippy
- portable-crate-tests
- portable-cli-tests
if: always()
steps:
- name: Check split portable jobs
env:
PORTABLE_CLIPPY: ${{ needs.portable-clippy.result }}
PORTABLE_CRATE_TESTS: ${{ needs.portable-crate-tests.result }}
PORTABLE_CLI_TESTS: ${{ needs.portable-cli-tests.result }}
run: |
test "$PORTABLE_CLIPPY" = "success"
test "$PORTABLE_CRATE_TESTS" = "success"
test "$PORTABLE_CLI_TESTS" = "success"
67 changes: 67 additions & 0 deletions .github/workflows/powershell-module.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
name: powershell-module

on:
push:
pull_request:

permissions:
contents: read

jobs:
build_and_test:
name: Build PowerShell module (${{ matrix.name }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- name: linux-x64
os: ubuntu-latest
- name: windows-x64
os: windows-2022
- name: macos-arm64
os: macos-14

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Install Rust stable
shell: pwsh
run: |
rustup toolchain install stable --profile minimal
rustup default stable

- name: Setup .NET 8
uses: actions/setup-dotnet@v5
with:
dotnet-version: 8.0.x

- name: Cache cargo artifacts
uses: Swatinem/rust-cache@v2.9.1

- name: Build psign portable shared library and PowerShell module
shell: pwsh
run: ./PowerShell/build.ps1 -Configuration Release

- name: Run PowerShell module end-to-end tests
shell: pwsh
run: ./PowerShell/tests/Invoke-PortableSignatureTests.ps1 -Configuration Release

- name: Package PowerShell module for current RID
shell: pwsh
run: ./PowerShell/package.ps1 -Configuration Release

- name: Upload staged module
uses: actions/upload-artifact@v7
with:
name: Devolutions.Psign-${{ matrix.name }}
path: PowerShell/Devolutions.Psign
if-no-files-found: error

- name: Upload module package
uses: actions/upload-artifact@v7
with:
name: Devolutions.Psign-package-${{ matrix.name }}
path: artifacts/powershell/*.nupkg
if-no-files-found: error
Loading