Tags: Devolutions/psign
Add portable AKV signing for PowerShell scripts (#29)

## Summary

- extend `--mode portable sign --azure-key-vault-*` to support PowerShell Authenticode script targets such as `.psd1`
- route non-PE Azure Key Vault signing through `psign-portable-core`, including certificate-version and authority plumbing
- add CLI regression coverage and update docs that previously described this path as PE-only

## Validation

- `cargo fmt --all`
- `cargo clippy --workspace --all-targets --locked`
- `cargo test --locked --test cli_pe_digest mode_portable_sign_uses_azure_key_vault_for_psd1 --quiet`
- `cargo test --locked --test cli_pe_digest mode_portable_sign_uses_azure_key_vault_for_pe --quiet`
- `bash scripts/linux-portable-validation.sh`

## Notes

- `cargo test --workspace --locked` still reproduces the pre-existing unrelated `tests/fixture_vector_manifest.rs` failure for `tests/fixtures/msix-minimal/AppxManifest.xml` size mismatch.

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Bump version to 0.6.0 (#27)

## Summary

- Bump all psign workspace crate versions from 0.5.1 to 0.6.0
- Update Cargo.lock package metadata for local crates
- Update NuGet tool, PowerShell module, README packaging example, and release workflow example versions

## Validation

- `cargo fmt --all`
- `cargo clippy --workspace --all-targets --locked`
- `cargo metadata --format-version 1 --locked --quiet`
- `cargo test --workspace --locked --exclude psign`

Note: `cargo test --workspace --locked` reaches existing local WinVerifyTrust corpus failures with `0x800B010A` in `psign --test corpus_sign_verify`.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Bump version to 0.5.1 (#22)

## Summary

- Bump the root psign package and workspace crate versions to 0.5.1
- Update Cargo.lock and release/package documentation examples for 0.5.1

## Validation

- cargo fmt --all
- cargo metadata --locked --format-version 1
- cargo test --workspace --locked --quiet
- cargo clippy --workspace --all-targets --locked --quiet

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add portable file catalog cmdlets (#19)

## Summary

- add portable `New-PsignFileCatalog` and `Test-PsignFileCatalog` PowerShell cmdlets
- expose catalog create/test operations through `psign-portable-core` and `psign-portable-ffi`
- support recursive directory catalogs, detailed validation, skipped files, signature reporting, and 0.5.0 version metadata

## Validation

- `cargo fmt --all`
- `cargo clippy --workspace --all-targets --locked`
- `cargo test --workspace --locked`
- `Invoke-Pester -Path '.\PowerShell\tests\PsignFileCatalog.Cmdlets.Tests.ps1' -CI`
- `cargo metadata --format-version 1 --locked --quiet`
- `Test-ModuleManifest '.\PowerShell\Devolutions.Psign\Devolutions.Psign.psd1'`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Sign PowerShell module release payload (#14)

## Summary

- sign the staged PowerShell module payload before packaging/publishing
- route portable cloud signing through `psign-portable-core` for Azure Key Vault and Artifact Signing providers
- build PowerShell module native libraries with cloud-signing features and keep release ZIPs transport-only

## Validation

- `cargo fmt --all`
- `cargo check --locked -q -p psign-portable-core`
- `cargo check --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest`
- `cargo check --locked -q -p psign-portable-ffi --features azure-kv-sign,artifact-signing-rest`
- `cargo clippy --locked -q -p psign-portable-core --all-targets -- -D warnings`
- `cargo clippy --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest --all-targets -- -D warnings`
- `cargo clippy --locked -q -p psign-portable-ffi --features azure-kv-sign,artifact-signing-rest --all-targets -- -D warnings`
- `cargo test --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest`
- `cargo test --locked -q -p psign-sip-digest`
- `cargo test --workspace --locked`
- PowerShell parser checks for `PowerShell/package.ps1`, `PowerShell/sign-module.ps1`, `PowerShell/build.ps1`
- `pwsh -NoLogo -NoProfile -File .\PowerShell\package.ps1 -Configuration Release -SkipNativeBuild -OutputDirectory .\artifacts\powershell-smoke`
- release dry-run with signing: https://github.com/Devolutions/psign/actions/runs/26410077854

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Expand PowerShell module coverage and bump 0.3.0 (#9)

## Summary

- migrate the PowerShell module test entrypoint to a Pester-based suite while preserving the existing smoke coverage
- add PowerShell module coverage for package-native signing and inspection of NuGet, SNuGet, VSIX, ClickOnce manifests, App Installer companions, and recursive module trees
- bump the repo, PowerShell module, and package/tool release metadata to `0.3.0`

## Details

- keep the existing `PowerShell/tests/Invoke-PortableSignatureTests.ps1` CI entrypoint, but make it build once and run Pester tests
- preserve the previous end-to-end smoke script as a legacy smoke test under Pester
- add new Pester assertions for:
  - Azure Key Vault parameter validation
  - mixed signing-source rejection
  - `-OutputPath` / `-Content` validation
  - `.nupkg` / `.snupkg` signing and `.signature.p7s` inspection
  - `.vsix` signing and OPC signature-part inspection
  - `.manifest`, `.application`, and `.vsto` ClickOnce XMLDSig signing and inspection
  - `.appinstaller` detached companion `.p7` generation and inspection
  - recursive module-directory discovery of the new signable extensions
- update PowerShell module docs to reflect the expanded recursive behavior and test coverage

## Validation

- `pwsh -File .\PowerShell\tests\Invoke-PortableSignatureTests.ps1 -Configuration Release`
- `cargo test -p psign-portable-core -p psign-portable-ffi --locked`
- `cargo fmt --all --check`
- `cargo clippy --workspace --all-targets --locked --quiet`
- `cargo test --workspace --locked`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Avoid blocked Rust toolchain action (#6)

## Summary

- Replace `dtolnay/rust-toolchain@stable` in non-release workflows with direct `rustup` install steps
- Match the existing Devolutions workflow pattern used by multi-pwsh, pinget, and psign release builds
- Keep existing allowed GitHub and cache actions unchanged

## Context

Recent workflow runs failed at startup because `dtolnay/rust-toolchain@stable` is not permitted by the Devolutions GitHub Actions allowlist.

## Validation

- Confirmed `dtolnay/rust-toolchain` no longer appears under `.github/workflows`
- Ran `git diff --check`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
