Thanks @danielrudrich, this was really helpful for getting set up with Trusted Signing in GitLab CI — I could not get it to work with signtool.
Here is my modification of the script:
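# GitLab CI `script:` steps (PowerShell) that install the TrustedSigning module and sign every
# .exe under a folder with Azure Trusted Signing. Endpoint / account / profile come from CI
# variables; the Azure credentials Invoke-TrustedSigning authenticates with are not shown here
# and are assumed to be provided to the job separately (e.g. protected CI variables).
- "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12" # PowerShell Gallery requires TLS 1.2; older Windows PowerShell defaults otherwise make Install-Module fail
- $ErrorActionPreference = "Stop" # a failed module install or signing call must fail the job, not let unsigned binaries continue down the pipeline (harmless if the runner already sets this)
- |
  If(-not(Get-InstalledModule TrustedSigning -ErrorAction silentlycontinue))
  {
    # NOTE(review): this pulls whatever version PSGallery currently serves onto the signing runner.
    # Pin it (-RequiredVersion) and review updates deliberately so a breaking or compromised
    # release of the module cannot reach the signing step unnoticed.
    Install-Module TrustedSigning -Confirm:$False -Force
  }
- $params = @{}
- $params["Endpoint"] = $AZURE_ENDPOINT # regional Trusted Signing endpoint, from a CI variable
- $params["CertificateProfileName"] = $AZURE_CERT_PROFILE_NAME
- $params["CodeSigningAccountName"] = $AZURE_CODE_SIGNING_ACCOUNT_NAME
- $params["FilesFolder"] = "<path\to\executables>"
- $params["FilesFolderFilter"] = "exe" # only .exe files are signed; DLLs, MSIs etc. need their own filter/invocation
- $params["FilesFolderRecurse"] = $true # Useful if you have a top level folder with multiple executables to sign
- $params["FileDigest"] = "SHA256"
- $params["TimestampRfc3161"] = "http://timestamp.acs.microsoft.com" # plain http is expected here: RFC 3161 responses are signed by the TSA, so TLS is not what protects them. Do not drop the timestamp — Trusted Signing certificates are short-lived, and the timestamp is what keeps the signature valid after the certificate expires
- $params["TimestampDigest"] = "SHA256"
- Invoke-TrustedSigning @params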
