Merged
Conversation
We haven't really thought about creating a release for the repository. This is a first attempt to properly handle it using github actions
Changing to upload-artifact@v3 as an attempt to use Node16 and get rid of warning in Github actions. Also trying to only include in the release the InstanceExport.ps1 file and not the entire repo
I followed instructions on Connectors repo and PR DevResults/Connectors#16 to generate a self-signed certificate for codesigning the power shell script. Stored it as a secret in the repo and used it in github actions to generate a signed script.
I've added another secret in the repo with the password for the PFX certificate. Like that we will have the Import-PfxCertificate cmdlet working properly.
We will be using this to versioning the script and replace -1.0.0-dev- by the version we will be deploying and -githubsha- will be the github-sha value of the commit.
I followed a similar approach from NG did in DevResults/Connectors@597834c on Connectors repo and what I was reading about versioning a power shell script as a prerelease https://learn.microsoft.com/en-us/powershell/scripting/gallery/concepts/script-prerelease-support?view=powershell-7.3
fredrodlima
added
the
discuss
Based in PR#16 of PowerBI connector, we are changing the version for the github.ref_name (tag) value
fredrodlima
added
the
tech/powershell
bigdogwillfeed
approved these changes
Mar 9, 2023
Member
bigdogwillfeed
left a comment
bigdogwillfeed
left a comment
There was a problem hiding this comment.
Sorry for the long delay on this.
This signs the instance export script and is trusted once the DevResultsRoot certificate is trusted as a root CA. Nice 👍🏼
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Solves
Asana Update InstanceExport script to be digitally signed
When I was on-call and investigating the 8093 FD ticket where the client was having issues to export their instance data in a mac. I tried to help but even with a Windows machine they were reporting seen errors. In my investigation I found that one of the problems that users could have is that our PS script is not currently digitally signed. This PR tries to cover this bit of the process so they should only be prompted to trust the script and with the signature we have in place in our script if they would like to.
Description
I first started by NG's suggestion on taking a look what he have done for
Connectorsrepo and PowerBI connector release. You can also take a look if you are curious about the steps in the #16 PR. I've follow the steps in my local machine to install theDevResultsRootcertificate and place it in the trust providers store.Then, I've created a
New-SelfSignCertificatewith a password, usedExport-PfxCertificateto create a.pfxfile in my local machine and used the[convert]::ToBase64String((Get-Content -path ".\spc.pfx" -Encoding byte))to convert it to a base 64 string so we could add it to the repo secrets. Then, I created to secrets in theDevResultsToolsrepo onePFX_PWORDwith the password for install the pfx andBASE64_PFX_CONTENTto be able to use it in the git hub actions file.In parallel with the steps already mentioned I've created a
main.ymlfile in the repo to handle the build for each commit we push in the repo. I had to perform a couple of tries before achieving the version I'm submitting here for inspection and as well my little misunderstandings about certificates were also a factor of doubting that I was going in the right direction. As a result, right now we have a ci building and publishing the artifact as a zip file namedPowerShell.DevResultTools.InstanceExportand that brings inside only theInstanceExport.ps1file with a<#PSScriptInfofor general info and versioning of the script and a# SIG # Begin signature blockthat will be the signature for the certificate we have created.Please note, that in order to proper trust the signed code clients will need to perform a previous step for properly running it and they should receive a similar screen when they would like to run the script for export an Instance. I tried to describe the steps you need to do in the How To Test section so we can update the instructions in the repo for users be able to properly handle it themselves when they need it.
How To Test
0 - Create a new directory in your machine
1 - Download the last build artifact and save it in your new directory
2 - Extract the files in the directory
3 - Open a new Power Shell terminal as an admin
4 - Run the command
Get-ExecutionPolicy5 - See if you get the
RemoteSignedoutput6 - If not, please run the following command
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned7 - Try to run the script using a PowerShell Admin terminal (prompt)
8 - See if you get the following message:
.\InstanceExport.ps1: File C:\InstanceExport\InstanceExport.ps1 cannot be loaded. A certificate chain could not be built to a trusted root authority..it means that you don't have theDevResults PowerShell Signing Certificatecertificate installed to validate the script signature10 - Download the
DevResultsInstanceExport.cerfile onG:\Shared Drives\Engineering\Azure Certificates11 - Install the certificate in your machine making sure to install it in the
Trusted Root Certificate Authoritiesstore choosing:You will probably will be looking at a screen like this
12 - Click on Next and then on Finish to install it.
13 - Open
Certificates Manager(certmgr) and check that theDevResultsRootcertificate was installed in theTrusted Root Certification Authoritiesstore like the image below14 - Try to run the script again in the PowerShell terminal
15 - See if you get the following message:
Do you want to run software from this untrusted publisher? File C:\InstanceExport\InstanceExport.ps1 is published by CN=DevResults PowerShell Signing Certificate and is not trusted on your system. Only run scripts from trusted publishers. [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D"):16 - Choose option
[R] Run once17 - Check that you are able to run the script (and get data exported for an instance if you have a manifest.json file already)
18 - Check again your
Certificates Manager(certmgr) and look inTrusted Publisher19 - It should be empty or have already existing trusted publishers but not
DevResults PowerShell Signing Certificate20 - Run the script again and when prompted the same question choose now option
[A] Always Run21 - Check that you are able to run the script just fine (and get data exported for an instance if you have a manifest.json file already)
22 - Check again your
Certificates Manager(certmgr) and look inTrusted Publisherstore and you will see theDevResults PowerShell Signing Certificate23 - (Optional) Get a
manifest.jsonusing DevResults API and export an instance data for tests. I've usedengineeringinstance on my tests.Verifications:
Submitter:
DeleteAllDatastored procedureData Reviewer:
Engineer Reviewer: