Update build scripts (#2)

jborean93 · Jun 18, 2023 · 40d291d · 40d291d
1 parent 7166431
commit 40d291d
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 22 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ env:
 jobs:
   build:
     name: build
-    runs-on: windows-latest
+    runs-on: ubuntu-latest
     steps:
     - name: Check out repository
       uses: actions/checkout@v3
@@ -37,8 +37,7 @@ jobs:
       run: ./build.ps1 -Configuration $env:BUILD_CONFIGURATION -Task Build
       if: ${{ env.BUILD_CONFIGURATION == 'Release' }}
       env:
-        PSMODULE_SIGNING_CERT: ${{ secrets.PSMODULE_SIGNING_CERT }}
-        PSMODULE_SIGNING_CERT_PASSWORD: ${{ secrets.PSMODULE_SIGNING_CERT_PASSWORD }}
+        AZURE_KEYVAULT_CREDENTIALS: ${{ secrets.AZURE_KEYVAULT_CREDENTIALS }}
 
     - name: Capture PowerShell Module
       uses: actions/upload-artifact@v3
@@ -144,7 +143,7 @@ jobs:
     needs:
     - build
     - test
-    runs-on: windows-latest
+    runs-on: ubuntu-latest
     steps:
     - name: Restore Built PowerShell Module
       uses: actions/download-artifact@v3

diff --git a/Ctypes.build.ps1 b/Ctypes.build.ps1
@@ -83,27 +83,36 @@ task CopyToRelease {
 }
 
 task Sign {
-    $certPath = $env:PSMODULE_SIGNING_CERT
-    $certPassword = $env:PSMODULE_SIGNING_CERT_PASSWORD
-    if (-not $certPath -or -not $certPassword) {
+    if (-not $env:AZURE_KEYVAULT_CREDENTIALS) {
         return
     }
 
-    [byte[]]$certBytes = [System.Convert]::FromBase64String($env:PSMODULE_SIGNING_CERT)
-    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes, $certPassword)
+    $credInfo = ConvertFrom-Json -InputObject $env:AZURE_KEYVAULT_CREDENTIALS
+    $vaultName = $credInfo.vaultName
+    $vaultCert = $credInfo.vaultCert
+
+    $env:AZURE_CLIENT_ID = $credInfo.clientId
+    $env:AZURE_CLIENT_SECRET = $credInfo.clientSecret
+    $env:AZURE_TENANT_ID = $credInfo.tenantId
+    $key = Get-OpenAuthenticodeAzKey -Vault $vaultName -Certificate $vaultCert
+    $env:AZURE_CLIENT_ID = ''
+    $env:AZURE_CLIENT_SECRET = ''
+    $env:AZURE_TENANT_ID = ''
+
     $signParams = @{
-        Certificate     = $cert
-        TimestampServer = 'http://timestamp.digicert.com'
-        HashAlgorithm   = 'SHA256'
+        Key = $key
+        TimeStampServer = 'http://timestamp.digicert.com'
+        HashAlgorithm = 'SHA256'
     }
 
     Get-ChildItem -LiteralPath $ReleasePath -Recurse -ErrorAction SilentlyContinue |
-        Where-Object Extension -In ".ps1", ".psm1", ".psd1", ".ps1xml", ".dll" |
+        Where-Object {
+            $_.Extension -in ".ps1", ".psm1", ".psd1", ".ps1xml" -or (
+                $_.Extension -eq ".dll" -and $_.BaseName -like "$ModuleName*"
+            )
+        } |
         ForEach-Object -Process {
-            $result = Set-AuthenticodeSignature -LiteralPath $_.FullName @signParams
-            if ($result.Status -ne "Valid") {
-                throw "Failed to sign $($_.FullName) - Status: $($result.Status) Message: $($result.StatusMessage)"
-            }
+            Set-OpenAuthenticodeSignature -LiteralPath $_.FullName @signParams
         }
 }
 

diff --git a/build.ps1 b/build.ps1
@@ -21,7 +21,14 @@ end {
         $targetPath = [IO.Path]::Combine($modulePath, $req.Key)
 
         if (Test-Path -LiteralPath $targetPath) {
-            Import-Module -Name $targetPath -Force -ErrorAction Stop
+            try {
+                Import-Module -Name $targetPath -Force -ErrorAction Stop
+            }
+            catch {
+                if ($req.Key -ne 'OpenAuthenticode') {
+                    throw
+                }
+            }
             continue
         }
 
@@ -48,7 +55,14 @@ end {
             $ProgressPreference = $oldProgress
         }
 
-        Import-Module -Name $targetPath -Force -ErrorAction Stop
+        try {
+            Import-Module -Name $targetPath -Force -ErrorAction Stop
+        }
+        catch {
+            if ($req.Key -ne 'OpenAuthenticode') {
+                throw
+            }
+        }
     }
 
     $dotnetTools = @(dotnet tool list --global) -join "`n"

diff --git a/requirements-dev.psd1 b/requirements-dev.psd1
@@ -1,6 +1,7 @@
 @{
-    InvokeBuild      = '5.10.1'
-    Pester           = '5.4.0'
+    InvokeBuild      = '5.10.4'
+    OpenAuthenticode = '0.2.0'
+    Pester           = '5.4.1'
     platyPS          = '0.14.2'
     PSScriptAnalyzer = '1.21.0'
 }
diff --git a/tools/PesterTest.ps1 b/tools/PesterTest.ps1
@@ -23,7 +23,14 @@ $ErrorActionPreference = 'Stop'
 
 $requirements = Import-PowerShellDataFile ([IO.Path]::Combine($PSScriptRoot, '..', 'requirements-dev.psd1'))
 foreach ($req in $requirements.GetEnumerator()) {
-    Import-Module -Name ([IO.Path]::Combine($PSScriptRoot, 'Modules', $req.Key))
+    try {
+        Import-Module -Name ([IO.Path]::Combine($PSScriptRoot, 'Modules', $req.Key))
+    }
+    catch {
+        if ($req.Key -ne 'OpenAuthenticode') {
+            throw
+        }
+    }
 }
 
 [PSCustomObject]$PSVersionTable |