From 5abf9ba6702704ce7fcdcec259bb0b0a93138517 Mon Sep 17 00:00:00 2001
From: Mike Swanson
Date: Thu, 16 Apr 2026 06:54:46 -0700
Subject: [PATCH] Add Trusted Signing config (metadata.json + sign.ps1 wrapper)

Reproducible signing setup for any developer machine. metadata.json points signtool at the gururmm-signing account / gururmm-public-trust cert profile. sign.ps1 wraps signtool with the right /dlib + /dmdf + timestamp flags; uses az login session for authentication.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../signing-config/metadata.json | 5 ++
 .../signing-config/sign.ps1 | 48 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 projects/msp-tools/guru-rmm/signing-attestation/signing-config/metadata.json
 create mode 100644 projects/msp-tools/guru-rmm/signing-attestation/signing-config/sign.ps1

diff --git a/projects/msp-tools/guru-rmm/signing-attestation/signing-config/metadata.json b/projects/msp-tools/guru-rmm/signing-attestation/signing-config/metadata.json
new file mode 100644
index 0000000..df96d2b
--- /dev/null
+++ b/projects/msp-tools/guru-rmm/signing-attestation/signing-config/metadata.json
@@ -0,0 +1,5 @@
+{
+ "Endpoint": "https://wus2.codesigning.azure.net/",
+ "CodeSigningAccountName": "gururmm-signing",
+ "CertificateProfileName": "gururmm-public-trust"
+}
diff --git a/projects/msp-tools/guru-rmm/signing-attestation/signing-config/sign.ps1 b/projects/msp-tools/guru-rmm/signing-attestation/signing-config/sign.ps1
new file mode 100644
index 0000000..09b648d
--- /dev/null
+++ b/projects/msp-tools/guru-rmm/signing-attestation/signing-config/sign.ps1
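Review bot: The metadata.json pins only `Endpoint`, `CodeSigningAccountName` and `CertificateProfileName`, so which credential the dlib actually uses is left to the full DefaultAzureCredential chain even though the commit message says the az login session is the intended source. I believe the dlib also honours an `ExcludeCredentials` array in this file; adding it would make the credential source explicit and reproducible across developer machines instead of depending on whatever environment variables or managed identity happen to be present on the host. Something like `"ExcludeCredentials": ["EnvironmentCredential", "ManagedIdentityCredential"]` is worth confirming against the dlib's documentation before it goes in.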
@@ -0,0 +1,48 @@
+<#
+.SYNOPSIS
+ Sign a file with Azure Trusted Signing using the GuruRMM cert profile.
+
+.DESCRIPTION
+ Wraps signtool with the right /dlib + /dmdf + timestamp flags. Uses your
+ current az login session to authenticate (DefaultAzureCredential).
+
+.EXAMPLE
+ .\sign.ps1 -File C:\path\to\my.exe
+ .\sign.ps1 -File ".\release\gururmm-agent-windows-x64.exe" -Description "GuruRMM Agent"
+#>
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory)] [string] $File,
+ [string] $Description = "Arizona Computer Guru LLC",
+ [string] $Url = "https://www.azcomputerguru.com",
+ [string] $SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe",
+ [string] $Dlib = "C:\tools\trusted-signing\Microsoft.ArtifactSigning.Client.1.0.128\bin\x64\Azure.CodeSigning.Dlib.dll",
+ [string] $Metadata = "$PSScriptRoot\metadata.json",
+ [string] $TimestampUrl = "http://timestamp.acs.microsoft.com",
+ [switch] $Verify
+)
+
+$ErrorActionPreference = "Stop"
+
+if (-not (Test-Path $File)) { throw "File not found: $File" }
+if (-not (Test-Path $SignTool)) { throw "signtool not found: $SignTool" }
+if (-not (Test-Path $Dlib)) { throw "dlib not found: $Dlib" }
+if (-not (Test-Path $Metadata)) { throw "metadata.json not found: $Metadata" }
+
+Write-Host "[INFO] Signing $File ..." -ForegroundColor Cyan
+& $SignTool sign /v /debug `
+ /fd SHA256 `
+ /tr $TimestampUrl /td SHA256 `
+ /d $Description /du $Url `
+ /dlib $Dlib /dmdf $Metadata `
+ $File
+
+if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }
+Write-Host "[OK] Signed." -ForegroundColor Green
+
+if ($Verify) {
+ Write-Host "[INFO] Verifying ..." -ForegroundColor Cyan
+ & $SignTool verify /pa /v $File
+ if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }
+ Write-Host "[OK] Verified." -ForegroundColor Green
+}
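Review bot: The `Test-Path $Dlib` and `Test-Path $SignTool` checks only prove the files exist before `& $SignTool sign` loads `$Dlib` into the signing process, so a replaced or corrupted DLL under `C:\tools\trusted-signing\...` would run with the developer's Trusted Signing credentials without any complaint, and both paths are overridable parameters. An Authenticode check on the two binaries just before the sign call closes that gap: `foreach ($bin in $SignTool, $Dlib) { if ((Get-AuthenticodeSignature -LiteralPath $bin).Status -ne 'Valid') { throw "Untrusted binary: $bin" } }`. Separately, the four existence checks use `Test-Path $X` rather than `Test-Path -LiteralPath $X`, so a file name containing `[` or `]` is treated as a wildcard and wrongly reported as not found; `-LiteralPath` on each of them fixes that.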