Based on one of my older posts about PowerShell script signing with Azure DevOps, I recently implemented a PowerShell script signing workflow with GitHub Actions that I wanted to share with the community.
For this post the following prerequisites are required:
- Code signing certificate in PFX format
- GitHub account
Add variables to GitHub actions
Because GitHub secrets can only hold strings, we need to turn the contents of the PFX file into a base64-encoded string:

```powershell
# Path to the code signing certificate (PFX) on your workstation
$pfxCertFilePath = "~\Downloads\CodeSigningCertificate.pfx"
# Read the raw bytes of the file (Windows PowerShell 5.1 syntax;
# on PowerShell 7 use -AsByteStream instead of -Encoding Byte)
$pfxContent = Get-Content $pfxCertFilePath -Encoding Byte
# Base64-encode the bytes and copy the result to the clipboard, ready to paste into the secret
[System.Convert]::ToBase64String($pfxContent) | Set-Clipboard
```
GitHub action variables
Add two variables as actions secrets:
BASE64_PFX: Base64-encoded string of the PFX (automatically copied into your clipboard by the commands above)
PFX_PASSWORD: Password for the private key of the pfx file
GitHub action workflow
Place the following workflow file in your Git repository at .github/workflows/SignPowerShell.yaml; the name of the YAML file can be freely chosen.
The GitHub workflow is triggered by any push to the repository. This might not be what you actually want, and it can easily be adjusted by using a different trigger type.
The signed PowerShell scripts are published as a pipeline artifact, and a zip file containing all signed scripts can be downloaded from the workflow run.
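As an added example (not the post's own workflow file), the following workflow implements the steps described above: it decodes the PFX from the BASE64_PFX secret, signs every script in the checkout with a SHA256 Authenticode signature, checks that each file now carries a signature from that certificate, removes the PFX from the runner again, and uploads the signed files as an artifact. It assumes a Windows runner (Set-AuthenticodeSignature only exists on Windows), the secret names from the previous section, and a timestamp server URL that you should replace with the one your certificate authority offers.

```yaml
name: Sign PowerShell scripts

on:
  push:
    branches: [ main ]   # narrower than "any push"; adjust the trigger as needed

jobs:
  sign:
    # Set-AuthenticodeSignature is only available on Windows; pwsh on this runner is PowerShell 7
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      - name: Sign scripts with the certificate from the secrets
        shell: pwsh
        env:
          BASE64_PFX: ${{ secrets.BASE64_PFX }}
          PFX_PASSWORD: ${{ secrets.PFX_PASSWORD }}
        run: |
          $ErrorActionPreference = 'Stop'

          # Decode the PFX into the runner's temp directory (never into the checkout);
          # it is deleted again in the cleanup step below.
          $pfxPath = Join-Path $env:RUNNER_TEMP 'codesign.pfx'
          [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:BASE64_PFX))

          # Get-PfxCertificate -Password requires PowerShell 6.1 or later
          $pfxPassword = ConvertTo-SecureString -String $env:PFX_PASSWORD -AsPlainText -Force
          $cert = Get-PfxCertificate -FilePath $pfxPath -Password $pfxPassword
          if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain a private key' }

          # Sign every script and module file in the repository, skipping anything under .git
          $scripts = Get-ChildItem -Path . -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
              Where-Object FullName -NotLike '*\.git\*'

          foreach ($script in $scripts) {
              # Assumption: the timestamp server URL is a placeholder for your CA's RFC 3161 service.
              # A timestamp keeps the signature verifiable after the certificate expires.
              $sig = Set-AuthenticodeSignature -FilePath $script.FullName -Certificate $cert `
                  -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'

              # Verify that the file really carries a signature made with our certificate.
              # Status is 'Valid' only when the certificate chain is trusted on the runner.
              if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
                  throw "Signing failed for $($script.FullName): $($sig.Status) $($sig.StatusMessage)"
              }
              Write-Host "$($sig.Status): $($script.FullName)"
          }

      - name: Remove the PFX from the runner
        if: always()
        shell: pwsh
        run: Remove-Item -Path (Join-Path $env:RUNNER_TEMP 'codesign.pfx') -Force -ErrorAction SilentlyContinue

      - name: Publish signed scripts as artifact
        uses: actions/upload-artifact@v4
        with:
          name: signed-scripts
          path: |
            **/*.ps1
            **/*.psm1
            **/*.psd1
```

The secret values are passed through the step's environment rather than interpolated into the script text, so GitHub masks them in the job log, and the PFX only ever exists in RUNNER_TEMP for the duration of the signing step. The thumbprint check fails the job if a file was left unsigned, which is easy to miss when Set-AuthenticodeSignature merely reports a non-Valid status instead of throwing.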
PowerShell script signing is quite easy with GitHub Actions. This example workflow should get you started and can easily be extended with additional steps such as creating a release or other forms of publishing.