Add windows signing for pwsh.exe (PowerShell#24219)

adityapatwardhan · web-flow · commit 04672bfdd648 · 2024-09-03T14:20:47.000-07:00
* Add windows signing for pwsh.exe

* Use CP code for signing pwsh.exe

* Fix typo

* Update signing cert

* Add signing test
diff --git a/.pipelines/templates/obp-file-signing.yml b/.pipelines/templates/obp-file-signing.yml
@@ -84,6 +84,31 @@ steps:
     files_to_sign: '**\*.psd1;**\*.psm1;**\*.ps1xml;**\*.ps1;**\*.dll;**\*.exe;**\pwsh'
     search_root: $(Pipeline.Workspace)/toBeSigned
 
+- task: onebranch.pipeline.signing@1
+  displayName: Sign pwsh.exe with Windows cert
+  inputs:
+    command: 'sign'
+    cp_code: '203'
+    files_to_sign: '**\pwsh.exe'
+    search_root: $(Pipeline.Workspace)/toBeSigned
+
+- pwsh: |
+    if (Test-Path $(Pipeline.Workspace)/toBeSigned/pwsh.exe) {
+      Write-Verbose -Verbose "pwsh.exe is found, verifying signature"
+      $signature = Get-AuthenticodeSignature -FilePath $(Pipeline.Workspace)/toBeSigned/pwsh.exe
+      if ($signature.SignerCertificate.Issuer -notmatch '^CN=Microsoft Windows Production.*') {
+        Write-Error -ErrorAction Stop "pwsh.exe is not signed by Microsoft"
+      }
+      else {
+        Write-Verbose -Verbose "pwsh.exe is signed by Microsoft"
+      }
+    }
+    else {
+      Write-Verbose -Verbose "pwsh.exe is not found, skipping"
+    }
+
+  displayName: 'Verify windows signature'
+
 - pwsh : |
     Get-ChildItem -Path env:
   displayName: Capture environment
