Add Trusted Signing config (metadata.json + sign.ps1 wrapper)

Reproducible signing setup for any developer machine. metadata.json
points signtool at the gururmm-signing account / gururmm-public-trust
cert profile. sign.ps1 wraps signtool with the right /dlib + /dmdf +
timestamp flags; uses az login session for authentication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-16 06:54:46 -07:00
parent f01d9d5538
commit 5abf9ba670
2 changed files with 53 additions and 0 deletions


@@ -0,0 +1,5 @@
{
"Endpoint": "https://wus2.codesigning.azure.net/",
"CodeSigningAccountName": "gururmm-signing",
"CertificateProfileName": "gururmm-public-trust"
}
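Review bot: Credential selection is left entirely to the DefaultAzureCredential chain, while the commit description states the intended source is the developer's az login session; if the Trusted Signing client's `ExcludeCredentials` setting is supported by the client version this repo pins (1.0.128, per the default `$Dlib` path in sign.ps1), listing the credential types that should never be used makes authentication deterministic and prevents a stray `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET` left in the environment from silently signing under a different identity. The file itself holds no secret (endpoint, account and profile names only), so committing it is appropriate, but a one-line comment in the README or sign.ps1 help stating that is worth adding since the name `metadata.json` does not make that obvious.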


@@ -0,0 +1,48 @@
<#
.SYNOPSIS
Sign a file with Azure Trusted Signing using the GuruRMM cert profile.
.DESCRIPTION
Wraps signtool with the right /dlib + /dmdf + timestamp flags. Uses your
current az login session to authenticate (DefaultAzureCredential).
.EXAMPLE
.\sign.ps1 -File C:\path\to\my.exe
.\sign.ps1 -File ".\release\gururmm-agent-windows-x64.exe" -Description "GuruRMM Agent"
#>
[CmdletBinding()]
param(
[Parameter(Mandatory)] [string] $File,
[string] $Description = "Arizona Computer Guru LLC",
[string] $Url = "https://www.azcomputerguru.com",
[string] $SignTool = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe",
[string] $Dlib = "C:\tools\trusted-signing\Microsoft.ArtifactSigning.Client.1.0.128\bin\x64\Azure.CodeSigning.Dlib.dll",
[string] $Metadata = "$PSScriptRoot\metadata.json",
[string] $TimestampUrl = "http://timestamp.acs.microsoft.com",
[switch] $Verify
)
$ErrorActionPreference = "Stop"
if (-not (Test-Path $File)) { throw "File not found: $File" }
if (-not (Test-Path $SignTool)) { throw "signtool not found: $SignTool" }
if (-not (Test-Path $Dlib)) { throw "dlib not found: $Dlib" }
if (-not (Test-Path $Metadata)) { throw "metadata.json not found: $Metadata" }
Write-Host "[INFO] Signing $File ..." -ForegroundColor Cyan
& $SignTool sign /v /debug `
/fd SHA256 `
/tr $TimestampUrl /td SHA256 `
/d $Description /du $Url `
/dlib $Dlib /dmdf $Metadata `
$File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }
Write-Host "[OK] Signed." -ForegroundColor Green
if ($Verify) {
Write-Host "[INFO] Verifying ..." -ForegroundColor Cyan
& $SignTool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }
Write-Host "[OK] Verified." -ForegroundColor Green
}
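Review bot: The `/dlib` DLL is loaded into the signtool process after only an existence check on line 51, so a replaced or tampered `Azure.CodeSigning.Dlib.dll` would run with the developer's Azure session and could sign arbitrary content; verify its Authenticode signature before the sign call, e.g. `$sig = Get-AuthenticodeSignature -FilePath $Dlib` then `if ($sig.Status -ne 'Valid') { throw "dlib signature not valid: $Dlib ($($sig.Status))" }`, optionally also comparing `$sig.SignerCertificate.Subject` to the expected publisher. `Test-Path $File` on line 49 also accepts a directory, so `Test-Path -PathType Leaf $File` gives a clearer failure earlier. The default `$Dlib` path hard-codes client version 1.0.128 and `$SignTool` hard-codes SDK 10.0.22621.0; a `.NOTES` entry in the comment-based help naming both pinned versions would help the next person who bumps one and not the other.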