Skip to content

Update signature script for strong name and authenticode #4462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 6, 2017
Merged

Update signature script for strong name and authenticode #4462

merged 3 commits into from
Sep 6, 2017

Conversation

cormacpayne
Copy link
Member

Description

Remove all CheckStrongNameSignature.ps1 script and replace it with CheckSignature.ps1 script that will check for strong name signature for dll files and authenticode signature for dll, ps1 and psm1 files.

This checklist is used to make sure that common guidelines for a pull request are followed. You can find a more complete discussion of PowerShell cmdlet best practices here.

General Guidelines

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.
  • The pull request does not introduce breaking changes (unless a major version change occurs in the assembly and module).

Testing Guidelines

  • Pull request includes test coverage for the included changes.
  • PowerShell scripts used in tests should do any necessary setup as part of the test or suite setup, and should not use hard-coded values for locations or existing resources.

Cmdlet Signature Guidelines

  • New cmdlets that make changes or have side effects should implement ShouldProcess and have SupportShouldProcess=true specified in the cmdlet attribute. You can find more information on ShouldProcess here.
  • Cmdlet specifies OutputType attribute if any output is produced - if the cmdlet produces no output, it should implement a PassThru parameter.

Cmdlet Parameter Guidelines

  • Parameter types should not expose types from the management library - complex parameter types should be defined in the module.
  • Complex parameter types are discouraged - a parameter type should be simple types as often as possible. If complex types are used, they should be shallow and easily creatable from a constructor or another cmdlet.
  • Cmdlet parameter sets should be mutually exclusive - each parameter set must have at least one mandatory parameter not in other parameter sets.

@cormacpayne
Copy link
Member Author

Sign job: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-sign/1246/
On-demand: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-demand/1841/

markcowl
markcowl requested changes Aug 14, 2017
View reviewed changes
tools/CheckSignature.ps1
function Check-StrongName {
[CmdletBinding()]
param([Parameter(ValueFromPipeline=$true)][string]$path)
$output = & "sn.exe" -vf $path
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should check for the existence of sn.exe on the path and fail fast if it is not found at the beginning of the Check-All script.

tools/CheckSignature.ps1 Outdated
}
elseif ($PSCmdlet.ParameterSetName -eq "GalleryInstall")
{
$path = "$($env:ProgramFiles)\WindowsPowerShell\Modules"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably use $PSModulePath entries to determine where to search

tools/CheckSignature.ps1 Outdated

if ($PSCmdlet.ParameterSetName -eq "MsiInstall")
{
$path = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be different on a 32-bit system (this variable is not defined, in that case). We should check for existence of the variable, or bitness of the OS before proceeding

@markcowl
Copy link
Member

markcowl commented Aug 14, 2017
edited
Loading

@cormacpayne Used this to check the current release candidate in both installation types and it was really slick, excellent work! A few suggestions to make this work over all environments.

@markcowl markcowl assigned cormacpayne and unassigned markcowl Aug 14, 2017
@cormacpayne cormacpayne changed the base branch from release-4.3.1 to preview August 18, 2017 17:39
@cormacpayne cormacpayne assigned markcowl and unassigned cormacpayne Aug 23, 2017
@cormacpayne
Copy link
Member Author

Sign-job: http://azuresdkci.cloudapp.net/job/powershell-sign/1287/

markcowl
markcowl previously approved these changes Aug 25, 2017
View reviewed changes
tools/CheckSignature.ps1

$invalidList = @()

$files = Get-ChildItem $path\* -Include *.dll -Recurse | Where-Object { $_.FullName -like "*Azure*" }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the future, it would be useful to factor out this file test iterator into its own function, so that you're calling it twice here, rather than duplicating the code.

@cormacpayne
Copy link
Member Author

Sign job: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-sign/1293/

markcowl
markcowl requested changes Aug 25, 2017
View reviewed changes
Copy link
Member

@markcowl markcowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failures are not being bubbled up, otherwise, lgtm

build.proj Outdated
@@ -381,7 +381,7 @@
<Output TaskParameter="AuthCodeSignTaskErrorsDetected" PropertyName="AuthTaskFailed" />
</VerifyAuthenticodeSignatureTask>

<Exec Command="&quot;$(PowerShellCommand)&quot; -NonInteractive -NoLogo -NoProfile -Command &quot;. $(LibraryToolsFolder)\CheckStrongNameSignature.ps1 &quot;"/>
<Exec Command="&quot;$(PowerShellCommand)&quot; -NonInteractive -NoLogo -NoProfile -Command &quot;. $(LibraryToolsFolder)\CheckSignature.ps1 -CustomPath $(LibrarySourceFolder)\Package\$(Configuration) &quot;"/>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to ensure that execution continues but marks this as an error, right now it looks like errors are not being bubbled up to fail the ci job. We may need to change the setting of this task and look at the erroractionpreference in powershell (or explicitly throw an exception.

@markcowl markcowl assigned cormacpayne and unassigned markcowl Aug 25, 2017
@cormacpayne
Copy link
Member Author

Sign job: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-sign/1297/
On-demand: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-demand/1857/

@cormacpayne cormacpayne merged commit 9965641 into Azure:preview Sep 6, 2017
@cormacpayne cormacpayne deleted the signature-script branch November 9, 2017 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markcowl markcowl markcowl approved these changes

Assignees

@cormacpayne cormacpayne

Labels
needs-revision
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cormacpayne @markcowl @azuresdkci @msftclas