Compilenix's Blog - Code-Signing via Microsoft Team Foundation Server 2018 Build Agent using PowerShell


Code-Signing via Microsoft Team Foundation Server 2018 Build Agent using PowerShell

Here is a brief overview:

- There is a git repo on the tfs server.
- The project has a build definition which simply runs a PowerShell script from the project path.
- This script handles the code-signing.
- On the build server there is a tfs build agent, running as the local service account "NETWORK SERVICE".
- The code-signing certificate is provided via the Windows Certificate Store.

The tfs project build definition:

The PowerShell code to sign .ps1 files:


# Select the code-signing certificate from the computer-wide personal store by its exact subject.
$Cert = (Get-ChildItem cert:\LocalMachine\My -CodeSigningCert | Where-Object { $_.Subject -eq "CN=Full Name, OU=User, OU=MyDomainUsersOU, DC=example, DC=com" })

Write-Host "Signing using: $($Cert.Thumbprint) / $($Cert.Subject)"
# $DistDir is expected to be set by the build definition (it is not defined in this snippet).
Get-ChildItem -Path "${DistDir}\" -Filter "*.ps1" -Recurse | ForEach-Object {
    $File = $_
    $Signature = (Get-AuthenticodeSignature -FilePath $File.FullName).Status

    # Only sign files that do not already carry a valid signature.
    If ($Signature -ne "Valid") {
        # SHA-256 signature with a timestamp, so the signature stays valid after the certificate expires.
        Set-AuthenticodeSignature -FilePath $File.FullName -Certificate $Cert -HashAlgorithm SHA256 -TimestampServer "http://timestamp.globalsign.com/?signature=sha2"
        # Variant without a timestamp:
        #Set-AuthenticodeSignature -FilePath $File.FullName -Certificate $Cert -HashAlgorithm SHA256 | Out-Null
    }
}
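The signing script above skips any file whose existing signature is already "Valid", so a file validly signed by some other trusted certificate would be left untouched. A verification step after signing makes the build fail unless every shipped .ps1 is signed by the expected certificate and carries a timestamp. The following is an added example, not code from the original post; `$DistDir` and `$ExpectedThumbprint` are placeholders you would set from the build definition:

```powershell
# Added example (not from the original post): verify the signed build output
# and fail the build step if any file is unsigned, signed by the wrong
# certificate, or not timestamped.
$DistDir = "C:\BuildOutput\dist"                                   # placeholder
$ExpectedThumbprint = "0000000000000000000000000000000000000000"  # placeholder

$Results = Get-ChildItem -Path $DistDir -Filter "*.ps1" -Recurse | ForEach-Object {
    $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Thumbprint } else { $null }
    [PSCustomObject]@{
        File        = $_.FullName
        Status      = $Sig.Status
        Signer      = $Signer
        Timestamped = [bool]$Sig.TimeStamperCertificate
        # All three conditions must hold for the file to pass.
        Ok          = ($Sig.Status -eq 'Valid') -and
                      ($Signer -eq $ExpectedThumbprint) -and
                      ([bool]$Sig.TimeStamperCertificate)
    }
}

# Print the per-file report into the build log for later review.
$Results | Format-Table File, Status, Signer, Timestamped, Ok -AutoSize

$Bad = @($Results | Where-Object { -not $_.Ok })
if ($Bad.Count -gt 0) {
    Write-Error "$($Bad.Count) file(s) failed signature verification"
    exit 1   # non-zero exit code fails the TFS build step
}
```

Run this as a second PowerShell step in the build definition after the signing step; the thumbprint comparison is the part that catches files signed by an unexpected certificate, which the "Valid" check alone does not.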

The code-signing certificate at the Windows Certificate Store:

My code snippet above assumes the computer-wide personal certificate store; you may want to use the user certificate store of the build agent's execution context. To import your code-signing certificate you may use certutil.exe (docs.microsoft.com).
After the certificate is imported you need to allow the tfs build agent service user (in my case "NETWORK SERVICE") to read that certificate from the Windows certificate store.
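Granting that read access means giving the service account read permission on the private key file, not on the certificate itself. The following is an added example, not code from the original post. It assumes the certificate sits in cert:\LocalMachine\My, that its RSA private key is stored on disk by CAPI or CNG under ProgramData (keys held in a TPM or HSM have no such file), and that the account is "NT AUTHORITY\NETWORK SERVICE":

```powershell
# Added example (not from the original post): grant the build agent's service
# account read-only access to the private key of the code-signing certificate.
# Assumptions: LocalMachine\My store, software-stored RSA key (CAPI or CNG),
# account name "NT AUTHORITY\NETWORK SERVICE". Run as an administrator.
$Account = "NT AUTHORITY\NETWORK SERVICE"
$Subject = "CN=Full Name, OU=User, OU=MyDomainUsersOU, DC=example, DC=com"

$Cert = Get-ChildItem cert:\LocalMachine\My -CodeSigningCert | Where-Object { $_.Subject -eq $Subject }
if (-not $Cert) { throw "Certificate not found: $Subject" }
if (-not $Cert.HasPrivateKey) { throw "Certificate has no private key in this store" }

# Locate the private key container name. Legacy CAPI keys expose it via
# CspKeyContainerInfo; CNG keys are reached through RSACertificateExtensions.
$KeyName = $null
try { $KeyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
if (-not $KeyName) {
    $Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $KeyName = $Rsa.Key.UniqueName
}
if (-not $KeyName) { throw "Could not determine the private key container name" }

# Machine keys live in one of these two directories depending on the provider.
$Candidates = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$KeyName",   # CAPI
    "$env:ProgramData\Microsoft\Crypto\Keys\$KeyName"               # CNG
)
$KeyPath = $Candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $KeyPath) { throw "Private key file for '$KeyName' not found under ProgramData" }

# Read is sufficient for signing; do not grant Modify or Full Control.
$Acl  = Get-Acl -Path $KeyPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# Show the resulting entry so the change can be reviewed.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting only Read keeps the agent from being able to replace or delete the key, and the final listing gives you something to paste into the change record. If the certificate was imported with a non-exportable key, this ACL change is the only access the agent needs; it still cannot export the key material.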