add script for signed nupkg bulk validation

travist13 · Jun 10, 2021 · d96e7da · d96e7da
1 parent dae6e8f
commit d96e7da
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 2 deletions.
diff --git a/tools/Validate-SignedNupkg.ps1 b/tools/Validate-SignedNupkg.ps1
@@ -0,0 +1,59 @@
+<#
+.SYNOPSIS
+    Validates signed files. Use this code for manual validation of a folder of nupkg files.
+.DESCRIPTION
+    Recursively validates folder for signed files.
+.NOTES
+    Use this script to check files for valid signatures before release.
+.EXAMPLE
+    .\Validate-SignedNupkg.ps1 -NupkgsPath "C:\MyNupkgs" -ExtractionPath "C:\MyNupkgs\Extracted"
+#>
+
+param
+(
+    [Parameter(Mandatory=$true)]
+    # $NupkgsPath is the path to the folder of .nupkg files.
+    [string] $NupkgsPath,
+    [Parameter(Mandatory=$false)]
+    # $ExtractionPath is the path to extract each nupkg folders separately to. Extracts to $NupkgsPath by default.
+    [string] $ExtractionPath=[System.IO.Path]::Combine($PSScriptRoot, "extracted")
+)
+
+###########
+# EXTRACT
+###########
+$nupkgs = Get-ChildItem -Path $nupkgPath -Filter *.nupkg
+$nupkgs | Out-String
+
+New-Item -Path $extractionPath -ItemType Directory -Force
+
+$nupkgs | ForEach-Object {Expand-Archive -Path $_.FullName -DestinationPath $([System.IO.Path]::Combine($extractionPath,$_.BaseName)) -Force}
+Write-Host -Message "Extracted nupkg modules to ${extractionPath}."
+
+###########
+# VALIDATE
+###########
+
+# Add string of file name to $exclude hashtable to exclude specific files.
+$exclude = @()
+$fileInfos = Get-ChildItem -Path $extractionPath -File -Recurse `
+    | Where-Object { $_.Name -notin $exclude } `
+    | Where-Object { $_.Extension -in @('.dll','.exe','.msi','.cab','.ps1','.psm1','.psd1','.pssc','.ps1xml') }
+
+$filePaths = $fileInfos | ForEach-Object {$_.FullName}
+Write-Host "Scanning files:`n"
+$filePaths | Out-String
+
+$authenticodeStatuses = $filePaths | Get-AuthenticodeSignature
+Write-Host "Statuses of files in the folder ${extractionPath}:`n"
+$authenticodeStatuses | Select-Object -Property Status, Path | Out-String -width 4096
+
+$unsignedFiles = $authenticodeStatuses | Where-Object {$_.Status -eq [System.Management.Automation.SignatureStatus]::NotSigned}
+$unsignedFilesFormatted = $unsignedFiles  | Select-Object -Property Status, Path | Out-String
+
+if ($unsignedFiles)
+{
+    Write-Host "ERROR: These files in ${extractionPath} are unsigned:"
+    $unsignedFilesFormatted | Out-String -width 4096
+    throw "ERROR: The module contains unsigned files."
+}
diff --git a/tools/validate-signing.ps1 b/tools/validate-signing.ps1
@@ -1,6 +1,6 @@
 <#
 .SYNOPSIS
-   Validates signed files.
+   Validates signed files, mainly used for the signing pipeline with multiplier for each module (i.e., runs within the directory of each module folder).
 .DESCRIPTION
    Recursively validates folder for signed files.
 .NOTES
@@ -50,7 +50,7 @@ $exclude = @()
 if (Test-Path -Path $pathToValidate -PathType Container)
 {
     $fileInfos = Get-ChildItem -Path $pathToValidate -File -Recurse `
-        | Where-Object { $_.Name -notin $exclude }
+        | Where-Object { $_.Name -notin $exclude } `
         | Where-Object { $_.Extension -in @('.dll','.exe','.msi','.cab','.ps1','.psm1','.psd1','.pssc','.ps1xml') } `
         | Where-Object { $_.FullName -notlike $(Join-Path -Path "*${moduleName}" -ChildPath "test*") }
 }
@@ -63,6 +63,11 @@ else
     Write-Error -Message "Invalid path: ${pathToValidate}" -Category InvalidArgument
 }
 
+if (!$fileInfos)
+{
+    throw "ERROR: The path ${pathToValidate} contains no valid files to validate according to the filter in this code."
+}
+
 $filePaths = $fileInfos | ForEach-Object {$_.FullName}
 $output = $filePaths | Out-String
 Write-Verbose -Message "Files to be checked: `n${output}" -Verbose