Sign PowerShell module release payload #14
Merged
Marc-André Moreau (mamoreau-devolutions) merged 6 commits into master on May 25, 2026
Use the built Devolutions.Psign module during release packaging to sign the staged module manifest, script module, format file, and managed assemblies before PowerShell Gallery packaging. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Build psign-portable-ffi with the azure-kv-sign feature in release artifacts so the packaged PowerShell module can sign its own payload during dry-run and release packaging. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use the release-built psign-tool for Azure Key Vault signing of the staged PowerShell module payload, then verify the signed files through the built module. This avoids the module API's current lack of direct Key Vault signing support and keeps the release ZIP as an unsigned transport archive. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add portable cloud-signing providers to psign-portable-core so Set-PsignSignature can sign PE and PowerShell-class script payloads through Azure Key Vault or Artifact Signing. Build the PowerShell module native libraries with those features and remove the temporary psign-tool module-signing fallback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Treat NotTrusted as an intact Authenticode signature during module payload verification so test-environment Key Vault certificates can exercise the signing flow without requiring a trusted root on the runner. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Route MSIX signing through the shared portable signing provider so Artifact Signing and Key Vault cover that format too. Let the PowerShell module package signing helper use either Azure Key Vault or Artifact Signing parameters. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
87abcf8 into master
49 checks passed
Summary
psign-portable-core for Azure Key Vault and Artifact Signing providers

Validation
cargo fmt --all
cargo check --locked -q -p psign-portable-core
cargo check --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest
cargo check --locked -q -p psign-portable-ffi --features azure-kv-sign,artifact-signing-rest
cargo clippy --locked -q -p psign-portable-core --all-targets -- -D warnings
cargo clippy --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest --all-targets -- -D warnings
cargo clippy --locked -q -p psign-portable-ffi --features azure-kv-sign,artifact-signing-rest --all-targets -- -D warnings
cargo test --locked -q -p psign-portable-core --features azure-kv-sign,artifact-signing-rest
cargo test --locked -q -p psign-sip-digest
cargo test --workspace --locked
PowerShell/package.ps1, PowerShell/sign-module.ps1, PowerShell/build.ps1
pwsh -NoLogo -NoProfile -File .\PowerShell\package.ps1 -Configuration Release -SkipNativeBuild -OutputDirectory .\artifacts\powershell-smoke
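
The commit that treats NotTrusted as an intact signature relaxes payload verification for test runners. As an added example (not code from this pull request or the psign project), one way to keep that relaxation narrow is to accept NotTrusted only behind an explicit switch and to pin the signer certificate in every case. It assumes Windows and the built-in Get-AuthenticodeSignature cmdlet rather than the module's own cmdlets; the function name, parameter names and extension list are hypothetical.

```powershell
# Added example: verify every signable file in a staged module directory.
# Assumption: runs on Windows, where Get-AuthenticodeSignature is available.
# Test-StagedModuleSignature and its parameters are hypothetical names.
function Test-StagedModuleSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ModulePath,
        # Thumbprint of the expected signing certificate, supplied by the caller.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Set only on test runners whose signing certificate has no trusted root.
        [switch] $AllowUntrustedRoot
    )

    # Manifest, script module, format file and managed assemblies.
    $extensions = '.psd1', '.psm1', '.ps1xml', '.dll'
    $files = Get-ChildItem -LiteralPath $ModulePath -Recurse -File |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }
    if (-not $files) { throw "No signable payload files found under $ModulePath" }

    $failures = foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        # Valid always passes; NotTrusted passes only when explicitly allowed.
        # NotSigned, HashMismatch and every other status fail.
        $statusOk = $sig.Status -eq 'Valid' -or
            ($AllowUntrustedRoot -and $sig.Status -eq 'NotTrusted')
        # Pinning the signer keeps an arbitrary self-signed certificate
        # from passing when the untrusted-root exception is enabled.
        $signerOk = $sig.SignerCertificate -and
            $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint
        if (-not ($statusOk -and $signerOk)) {
            [pscustomobject]@{
                File   = $file.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Thumbprint
            }
        }
    }

    if ($failures) {
        # Report on the warning stream so the function output stays a boolean.
        $failures | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}
```

On a release runner the switch is left off, so a certificate that does not chain to a trusted root fails verification.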