PowerShell/tools/Sign-Package.ps1

# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

# Utility to generate a self-signed certificate and sign a given package such as PowerShell.zip/appx/msi

[CmdletBinding()]
param (
        #Path to package - Ex: PowerShell.msi, PowerShell.appx
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $PackageFilePath

)

# function to generate a self-signed certificate
# customize parameters to makecert.exe to control certificate life time and other options
function New-SelfSignedCertificate
{
    [CmdletBinding()]
    param (

        #Path to save generated Certificate
        [ValidateNotNullOrEmpty()]
        [string] $CertificateFilePath = "$PWD\PowerShell.cer",

        #Path to save generated pvk file
        [ValidateNotNullOrEmpty()]
        [string] $PvkFilePath = "$env:Temp\PowerShell.pvk"

    )

    $makecertBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\MakeCert.exe"

    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure MakeCert.exe is present @ $makecertBinPath"
    if (-not (Test-Path $makecertBinPath))
    {
        throw "$makecertBinPath is required to generate a self-signed certificate"
    }

    Remove-Item $CertificateFilePath -Force -ErrorAction Ignore
    Remove-Item $PvkFilePath -Force -ErrorAction Ignore

    & $makecertBinPath -r -h 0 -n "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -eku 1.3.6.1.5.5.7.3.3 -pe -sv $PvkFilePath $CertificateFilePath | Write-Verbose

    Write-Verbose "Self-Signed Cert generated @ $CertificateFilePath"

    return $CertificateFilePath
}

# Convert private pvk file format to pfx format to be consumed by signtool.exe
function ConvertTo-Pfx
{
    [CmdletBinding()]
    param (

        #Path to Certificate file
        [ValidateNotNullOrEmpty()]
        [string] $CertificateFilePath = "$PWD\PowerShell.cer",

        #Path to pvk file
        [ValidateNotNullOrEmpty()]
        [string] $PvkFilePath = "$env:Temp\PowerShell.pvk",

        #Path to generated pfx file
        [ValidateNotNullOrEmpty()]
        [string] $PfxFilePath = "$env:Temp\PowerShell.pfx"
    )

    $pvk2pfxBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\pvk2pfx.exe"

    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure pvk2pfx.exe is present @ $pvk2pfxBinPath"
    if (-not (Test-Path $pvk2pfxBinPath))
    {
        throw "$pvk2pfxBinPath is required to convert pvk file to pfx file - one of the prerequisites to sign a package!"
    }

    Remove-Item $PfxFilePath -Force -ErrorAction Ignore

    & $pvk2pfxBinPath /pvk $PvkFilePath /spc $CertificateFilePath /pfx $PfxFilePath /f | Write-Verbose

    Write-Verbose "Pfx file generated @ $PfxFilePath"

    return $PfxFilePath
}

# Sign a given package
# this function needs the proprietary pfx file
function Sign-Package
{
    [CmdletBinding()]
    param (

        #Path to package - Ex: PowerShell.msi, PowerShell.appx
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $PackageFilePath,

        #Path to generated pfx file to sign the package
        [ValidateNotNullOrEmpty()]
        [string] $PfxFilePath = "$env:Temp\PowerShell.pfx"

    )

    $signtoolBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\SignTool.exe"

    Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure SignTool.exe is present @ $signtoolBinPath"
    if (-not (Test-Path $signtoolBinPath))
    {
        throw "$signtoolBinPath is required to sign the package!"
    }

    & $signtoolBinPath sign -f $PfxFilePath -fd SHA256 -v $PackageFilePath | Write-Verbose

    Write-Verbose "Authenticode signing successful for $PackageFilePath"

    return $PackageFilePath
}

$certificate = New-SelfSignedCertificate -Verbose
ConvertTo-Pfx -Verbose
$signedPackage = Sign-Package -PackageFilePath $PackageFilePath -Verbose

Write-Output "Signed Package is available @ `'$signedPackage`'"

Write-Output "On Windows Full SKU - Import the self-signed certificate `'$certificate`' to TrustedStore (Import-Certificate) prior to installing the package"

Write-Output "On Windows Nano - Use `'$env:Windir\System32\Certoc.exe -AddStore TrustedPeople <Certificate>`' to import the self-signed certificate `'$certificate`' to TrustedStore"
Update copyright notice to latest guidance (#12190) 2020-03-25 02:08:37 +08:00			`# Copyright (c) Microsoft Corporation.`
Update copyright and license headers (#6134) Based on standard practices, we need to have a copyright and license notice at the top of each source file. Removed existing copyrights and updated/added copyright notices for .h, .cpp, .cs, .ps1, and .psm1 files. Updated module manifests for consistency to have Author = "PowerShell" and Company = "Microsoft Corporation". Removed multiple line breaks. Separate PR coming to update contribution document for new source files: #6140 Manually reviewed each change. Fix #6073 2018-02-14 01:23:53 +08:00			`# Licensed under the MIT License.`

			`# Utility to generate a self-signed certificate and sign a given package such as PowerShell.zip/appx/msi`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`[CmdletBinding()]`
			`param (`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00			`#Path to package - Ex: PowerShell.msi, PowerShell.appx`
			`[Parameter(Mandatory = $true)]`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`[ValidateNotNullOrEmpty()]`
			`[string] $PackageFilePath`

			`)`

			`# function to generate a self-signed certificate`
			`# customize parameters to makecert.exe to control certificate life time and other options`
			`function New-SelfSignedCertificate`
			`{`
			`[CmdletBinding()]`
			`param (`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00
			`#Path to save generated Certificate`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`[ValidateNotNullOrEmpty()]`
Correct case of $PWD special variable 2020-01-14 03:24:10 +08:00			`[string] $CertificateFilePath = "$PWD\PowerShell.cer",`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`#Path to save generated pvk file`
			`[ValidateNotNullOrEmpty()]`
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`[string] $PvkFilePath = "$env:Temp\PowerShell.pvk"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`)`

			`$makecertBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\MakeCert.exe"`

Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure MakeCert.exe is present @ $makecertBinPath"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`if (-not (Test-Path $makecertBinPath))`
			`{`
			`throw "$makecertBinPath is required to generate a self-signed certificate"`
			`}`

			`Remove-Item $CertificateFilePath -Force -ErrorAction Ignore`
			`Remove-Item $PvkFilePath -Force -ErrorAction Ignore`

			`& $makecertBinPath -r -h 0 -n "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -eku 1.3.6.1.5.5.7.3.3 -pe -sv $PvkFilePath $CertificateFilePath \| Write-Verbose`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`Write-Verbose "Self-Signed Cert generated @ $CertificateFilePath"`

			`return $CertificateFilePath`
			`}`

			`# Convert private pvk file format to pfx format to be consumed by signtool.exe`
			`function ConvertTo-Pfx`
			`{`
			`[CmdletBinding()]`
			`param (`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`#Path to Certificate file`
			`[ValidateNotNullOrEmpty()]`
Correct case of $PWD special variable 2020-01-14 03:24:10 +08:00			`[string] $CertificateFilePath = "$PWD\PowerShell.cer",`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`#Path to pvk file`
			`[ValidateNotNullOrEmpty()]`
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`[string] $PvkFilePath = "$env:Temp\PowerShell.pvk",`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`#Path to generated pfx file`
			`[ValidateNotNullOrEmpty()]`
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`[string] $PfxFilePath = "$env:Temp\PowerShell.pfx"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`)`

			`$pvk2pfxBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\pvk2pfx.exe"`

Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure pvk2pfx.exe is present @ $pvk2pfxBinPath"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`if (-not (Test-Path $pvk2pfxBinPath))`
			`{`
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`throw "$pvk2pfxBinPath is required to convert pvk file to pfx file - one of the prerequisites to sign a package!"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`}`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`Remove-Item $PfxFilePath -Force -ErrorAction Ignore`

			`& $pvk2pfxBinPath /pvk $PvkFilePath /spc $CertificateFilePath /pfx $PfxFilePath /f \| Write-Verbose`

			`Write-Verbose "Pfx file generated @ $PfxFilePath"`

			`return $PfxFilePath`
			`}`

			`# Sign a given package`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00			`# this function needs the proprietary pfx file`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`function Sign-Package`
			`{`
			`[CmdletBinding()]`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00			`param (`

			`#Path to package - Ex: PowerShell.msi, PowerShell.appx`
			`[Parameter(Mandatory = $true)]`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`[ValidateNotNullOrEmpty()]`
			`[string] $PackageFilePath,`
Remove trailing whitespace (#3001) 2017-01-17 05:31:14 +08:00
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`#Path to generated pfx file to sign the package`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`[ValidateNotNullOrEmpty()]`
Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`[string] $PfxFilePath = "$env:Temp\PowerShell.pfx"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00
			`)`

			`$signtoolBinPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\SignTool.exe"`

Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			`Write-Verbose "Windows 10 SDK needed - https://go.microsoft.com/fwlink/p/?LinkID=822845 - Ensure SignTool.exe is present @ $signtoolBinPath"`
Utility to generate a self-signed certificate and sign a given package such as OpenPowerShell.zip/appx/msi 2016-06-07 00:54:25 +08:00			`if (-not (Test-Path $signtoolBinPath))`
			`{`
			`throw "$signtoolBinPath is required to sign the package!"`
			`}`

			`& $signtoolBinPath sign -f $PfxFilePath -fd SHA256 -v $PackageFilePath \| Write-Verbose`

			`Write-Verbose "Authenticode signing successful for $PackageFilePath"`

			`return $PackageFilePath`
			`}`

			`$certificate = New-SelfSignedCertificate -Verbose`
			`ConvertTo-Pfx -Verbose`
			`$signedPackage = Sign-Package -PackageFilePath $PackageFilePath -Verbose`

			Write-Output "Signed Package is available @ `'$signedPackage`'"

			Write-Output "On Windows Full SKU - Import the self-signed certificate `'$certificate`' to TrustedStore (Import-Certificate) prior to installing the package"

Update Sign-Package.ps1 to reflect prerequisites, remove the phrase 'Open' (#1816) * Update Sign-Package.ps1 * Updated based on CR comments 2016-08-19 06:42:42 +08:00			Write-Output "On Windows Nano - Use `'$env:Windir\System32\Certoc.exe -AddStore TrustedPeople <Certificate>`' to import the self-signed certificate `'$certificate`' to TrustedStore"