-
Notifications
You must be signed in to change notification settings - Fork 867
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Remove signing for third party libraries in agent release flow (#3611)
- Loading branch information
1 parent
c6980d7
commit d81f18e
Showing
4 changed files
with
299 additions
and
188 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| function Get-Signtool() { | ||
| <# | ||
| .SYNOPSIS | ||
| Function used to get signtool from windows SDK | ||
| #> | ||
|
|
||
| $systemBit = "x64" | ||
| $programFiles = ${Env:ProgramFiles(x86)} | ||
|
|
||
| if((Get-WmiObject Win32_Processor).AddressWidth -ne 64) { | ||
| $systemBit = "x86" | ||
| $programFiles = ${Env:ProgramFiles} | ||
| } | ||
|
|
||
| Write-Host "##[debug]System architecture is $systemBit" | ||
|
|
||
| $signtoolPath = "" | ||
| try { | ||
| $windowsSdkPath=Get-ChildItem "$programFiles\Windows Kits\10\bin\1*" | Select-Object FullName | Sort-Object -Descending { [version](Split-Path $_.FullName -leaf)} | Select-Object -first 1 | ||
|
|
||
| $signtoolPath = "$($windowsSdkPath.FullName)\$systemBit\signtool.exe" | ||
| return $signtoolPath | ||
| } catch { | ||
| Write-Host "##[error]Unbable to get signtool in $signtoolPath" | ||
| exit 1 | ||
| } | ||
| } |
25 changes: 25 additions & 0 deletions
25
.azure-pipelines/scripts/RemoveSignatureForThirdPartyAssemlies.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Script is used as a start point for the process of removing signature from the third party assemlies | ||
| .PARAMETER LayoutRoot | ||
| Parameter that contains path to the _layout directory for current agent build | ||
| #> | ||
|
|
||
| [CmdletBinding()] | ||
| param( | ||
| [Parameter(Mandatory = $true)] | ||
| [string]$LayoutRoot | ||
| ) | ||
|
|
||
| . $PSScriptRoot\Get-SigntoolPath.ps1 | ||
| . $PSScriptRoot\RemoveSignatureScript.ps1 | ||
|
|
||
| $signtoolPath = Get-Signtool | Select -Last 1 | ||
|
|
||
| if ( ($signToolPath -ne "") -and (Test-Path -Path $signtoolPath) ) { | ||
| Remove-ThirdPartySignatures -SigntoolPath "$signToolPath" -LayoutRoot "$LayoutRoot" | ||
| } else { | ||
| Write-Host "##[error]$signToolPath is not a valid path" | ||
| exit 1 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| function Remove-ThirdPartySignatures() { | ||
| <# | ||
| .SYNOPSIS | ||
| The script is used to perform signature removal of third party assemblies | ||
| .PARAMETER SigntoolPath | ||
| Path to signtool.exe | ||
| .PARAMETER LayoutRoot | ||
| Parameter that contains path to the _layout directory for current agent build | ||
| #> | ||
| [CmdletBinding()] | ||
| param( | ||
| [Parameter(Mandatory = $true)] | ||
| [string]$SigntoolPath, | ||
| [Parameter(Mandatory = $true)] | ||
| [string]$LayoutRoot) | ||
|
|
||
| $failedToUnsign = New-Object Collections.Generic.List[String] | ||
| $succesfullyUnsigned = New-Object Collections.Generic.List[String] | ||
| $filesWithoutSignatures = New-Object Collections.Generic.List[String] | ||
| $filesCounter = 0 | ||
| foreach ($tree in Get-ChildItem -Path "$LayoutRoot" -Include "*.dll","*.exe" -Recurse | select FullName) { | ||
| $filesCounter = $filesCounter + 1 | ||
| try { | ||
| # check that file contain a signature before removal | ||
| $verificationOutput = & "$SigntoolPath" verify /pa "$($tree.FullName)" 2>&1 | Write-Output | ||
| $fileDoesntContainSignature = $false; | ||
|
|
||
| if ($verificationOutput -match "No signature found.") { | ||
| $fileDoesntContainSignature = $true; | ||
| $filesWithoutSignatures.Add("$($tree.FullName)") | ||
| $Error.clear() | ||
| } | ||
|
|
||
| if ($fileDoesntContainSignature -ne $true) { | ||
| $removeOutput = & "$SigntoolPath" remove /s "$($tree.FullName)" 2>&1 | Write-Output | ||
| if ($lastExitcode -ne 0) { | ||
| $failedToUnsign.Add("$($tree.FullName)") | ||
| $Error.clear() | ||
| } else { | ||
| $succesfullyUnsigned.Add("$($tree.FullName)") | ||
| } | ||
| } | ||
| } catch { | ||
| $failedToUnsign.Add("$($tree.FullName)") | ||
| $Error.clear() | ||
| } | ||
| } | ||
|
|
||
| Write-host "Failed to unsign - $($failedtounsign.Count)" | ||
| Write-host "Succesfully unsigned - $($succesfullyUnsigned.Count)" | ||
| Write-host "Files without signature - $($filesWithoutSignatures.Count)" | ||
| foreach ($s in $filesWithoutSignatures) { | ||
| Write-Host "File $s doesn't contain signature" | ||
| } | ||
| foreach ($s in $succesfullyunsigned) { | ||
| Write-Host "Signature succefully removed for $s file" | ||
| } | ||
|
|
||
| if ($failedToUnsign.Count -gt 0) { | ||
| foreach ($f in $failedtounsign) { | ||
| Write-Host "##[error]Something went wrong, failed to process $f file" | ||
| } | ||
| exit 1 | ||
| } | ||
|
|
||
| exit 0 | ||
| } |
Oops, something went wrong.