# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.
# Utility to generate a self-signed certificate and sign a given package such as PowerShell.zip/appx/msi
[CmdletBinding()]
param (
    # Package to sign, e.g. PowerShell.msi or PowerShell.appx (must exist; validated by Sign-Package)
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $PackageFilePath
)
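# Generate a self-signed code-signing certificate with MakeCert.exe (Windows 10 SDK).
# makecert options used: -r self-signed, -h 0 (no subordinate CAs below this cert),
# -n subject name, -eku 1.3.6.1.5.5.7.3.3 (Code Signing), -pe exportable private key,
# -sv file that receives the private key. Adjust these to control lifetime and usage.
# NOTE: this function shadows the PKI module cmdlet of the same name for the rest of the script.
function New-SelfSignedCertificate
{
    [CmdletBinding()]
    param (
        # Path where the generated public certificate (.cer) is written
        [ValidateNotNullOrEmpty()]
        [string] $CertificateFilePath = "$pwd\PowerShell.cer",

        # Path where the generated private key (.pvk) is written. This is key material:
        # the default lands in the user's temp directory, so delete it once the .pfx exists.
        [ValidateNotNullOrEmpty()]
        [string] $PvkFilePath = "$env:Temp\PowerShell.pvk"
    )

    $makecertBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\MakeCert.exe"
    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure MakeCert.exe is present @ $makecertBinPath"
    if (-not (Test-Path -LiteralPath $makecertBinPath))
    {
        throw "$makecertBinPath is required to generate a self-signed certificate"
    }

    # Start clean so a stale cert/key pair from an earlier run cannot be picked up by mistake.
    Remove-Item -LiteralPath $CertificateFilePath -Force -ErrorAction Ignore
    Remove-Item -LiteralPath $PvkFilePath -Force -ErrorAction Ignore

    & $makecertBinPath -r -h 0 -n "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -eku 1.3.6.1.5.5.7.3.3 -pe -sv $PvkFilePath $CertificateFilePath | Write-Verbose

    # Piping to Write-Verbose hides the native exit status, so a failed makecert would
    # otherwise fall through to a bogus "generated" message and a missing file downstream.
    if ($LASTEXITCODE -ne 0)
    {
        throw "MakeCert.exe failed with exit code $LASTEXITCODE while generating $CertificateFilePath"
    }

    Write-Verbose "Self-Signed Cert generated @ $CertificateFilePath"
    return $CertificateFilePath
}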
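# Combine the .pvk private key and .cer certificate into a .pfx (PKCS#12) that SignTool.exe
# can consume. The resulting .pfx contains the private key - treat it as a secret and
# remove it after signing.
function ConvertTo-Pfx
{
    [CmdletBinding()]
    param (
        # Path to the public certificate (.cer) produced by New-SelfSignedCertificate
        [ValidateNotNullOrEmpty()]
        [string] $CertificateFilePath = "$pwd\PowerShell.cer",

        # Path to the private key (.pvk) produced by New-SelfSignedCertificate
        [ValidateNotNullOrEmpty()]
        [string] $PvkFilePath = "$env:Temp\PowerShell.pvk",

        # Path where the combined .pfx is written
        [ValidateNotNullOrEmpty()]
        [string] $PfxFilePath = "$env:Temp\PowerShell.pfx"
    )

    $pvk2pfxBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\pvk2pfx.exe"
    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure pvk2pfx.exe is present @ $pvk2pfxBinPath"
    if (-not (Test-Path -LiteralPath $pvk2pfxBinPath))
    {
        throw "$pvk2pfxBinPath is required to convert pvk file to pfx file - one of the prerequisites to sign a package!"
    }

    # Fail early with a clear message instead of relying on pvk2pfx to report a missing input.
    foreach ($inputPath in @($PvkFilePath, $CertificateFilePath))
    {
        if (-not (Test-Path -LiteralPath $inputPath))
        {
            throw "Input file '$inputPath' not found - run New-SelfSignedCertificate first"
        }
    }

    Remove-Item -LiteralPath $PfxFilePath -Force -ErrorAction Ignore

    # /f forces overwrite of an existing pfx; tool output goes to the verbose stream.
    & $pvk2pfxBinPath /pvk $PvkFilePath /spc $CertificateFilePath /pfx $PfxFilePath /f | Write-Verbose

    # The pipe to Write-Verbose masks pvk2pfx's exit status; check it so a failed
    # conversion stops the script instead of reporting a pfx that was never written.
    if ($LASTEXITCODE -ne 0)
    {
        throw "pvk2pfx.exe failed with exit code $LASTEXITCODE while writing $PfxFilePath"
    }

    Write-Verbose "Pfx file generated @ $PfxFilePath"
    return $PfxFilePath
}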
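# Authenticode-sign a package with SignTool.exe using the .pfx produced by ConvertTo-Pfx.
# The file digest is SHA-256 (-fd SHA256). No timestamp server is requested, so the
# signature is typically only verifiable while the self-signed certificate itself is valid,
# which is acceptable for the test-signing scenario this script targets.
function Sign-Package
{
    [CmdletBinding()]
    param (
        # Package to sign, e.g. PowerShell.msi or PowerShell.appx
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $PackageFilePath,

        # Path to the .pfx (certificate + private key) used for signing
        [ValidateNotNullOrEmpty()]
        [string] $PfxFilePath = "$env:Temp\PowerShell.pfx"
    )

    $signtoolBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\SignTool.exe"
    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure SignTool.exe is present @ $signtoolBinPath"
    if (-not (Test-Path -LiteralPath $signtoolBinPath))
    {
        throw "$signtoolBinPath is required to sign the package!"
    }

    # Validate both inputs up front so a typo in a path is reported by name, not by signtool.
    if (-not (Test-Path -LiteralPath $PackageFilePath))
    {
        throw "Package '$PackageFilePath' not found - nothing to sign"
    }
    if (-not (Test-Path -LiteralPath $PfxFilePath))
    {
        throw "Pfx file '$PfxFilePath' not found - run ConvertTo-Pfx first"
    }

    & $signtoolBinPath sign -f $PfxFilePath -fd SHA256 -v $PackageFilePath | Write-Verbose

    # The pipe to Write-Verbose hides signtool's exit status; a failed or partial signing
    # must not be reported as "successful" to the caller.
    if ($LASTEXITCODE -ne 0)
    {
        throw "SignTool.exe failed with exit code $LASTEXITCODE while signing $PackageFilePath"
    }

    Write-Verbose "Authenticode signing successful for $PackageFilePath"
    return $PackageFilePath
}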
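# Pipeline: generate cert + key -> bundle into pfx -> sign the package.
# Each stage's output path is passed explicitly to the next so the three functions cannot
# drift apart if a default path is ever changed in only one of them.
$certificate = New-SelfSignedCertificate -Verbose
# Capturing the pfx path also keeps it out of the script's own output stream, which otherwise
# would carry an unlabelled extra line alongside the messages below.
$pfx = ConvertTo-Pfx -CertificateFilePath $certificate -Verbose
$signedPackage = Sign-Package -PackageFilePath $PackageFilePath -PfxFilePath $pfx -Verbose

Write-Output "Signed Package is available @ `'$signedPackage`'"
Write-Output "On Windows Full SKU - Import the self-signed certificate `'$certificate`' to TrustedStore (Import-Certificate) prior to installing the package"
Write-Output "On Windows Nano - Use `'$env:Windir\System32\Certoc.exe -AddStore TrustedPeople <Certificate>`' to import the self-signed certificate `'$certificate`' to TrustedStore"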