feat(powershell): comprehensive portable Authenticode cmdlet suite

Cargo.toml

@@ -30,7 +30,7 @@ repository = "https://github.com/Devolutions/psign"
 
 [package]
 name = "psign"
-version = "0.3.0"
+version = "0.4.0"
 edition = "2024"
 description = "Rust port of the Windows SDK signtool.exe (Authenticode sign/verify/timestamp) with portable digest helpers."
 license.workspace = true

PowerShell/Devolutions.Psign/Devolutions.Psign.Format.ps1xml

@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Configuration>
+  <ViewDefinitions>
+
+    <!-- Test-PsignModule result: summary list -->
+    <View>
+      <Name>PsignModuleValidationResult</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Models.PsignModuleValidationResult</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem><PropertyName>ModuleName</PropertyName></ListItem>
+              <ListItem><PropertyName>ModulePath</PropertyName></ListItem>
+              <ListItem><PropertyName>Policy</PropertyName></ListItem>
+              <ListItem><PropertyName>Valid</PropertyName></ListItem>
+              <ListItem><PropertyName>Summary</PropertyName></ListItem>
+              <ListItem><Label>Passed</Label><PropertyName>PassedCount</PropertyName></ListItem>
+              <ListItem><Label>Failed</Label><PropertyName>FailedCount</PropertyName></ListItem>
+              <ListItem><Label>Skipped</Label><PropertyName>SkippedCount</PropertyName></ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
+
+    <!-- Test-PsignModule per-file result table -->
+    <View>
+      <Name>PsignModuleFileResult</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Models.PsignModuleFileResult</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader><Label>File</Label><Width>40</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Role</Label><Width>18</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Required</Label><Width>8</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Status</Label><Width>12</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Pass</Label><Width>5</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Signer</Label><Width>30</Width></TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem><PropertyName>RelativePath</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Role</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>RequiredByPolicy</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Status</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Passes</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>SignerSubject</PropertyName></TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
+
+    <!-- Protect-PsignModule result -->
+    <View>
+      <Name>PsignModuleSigningResult</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Cmdlets.PsignModuleSigningResult</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem><PropertyName>ModuleName</PropertyName></ListItem>
+              <ListItem><PropertyName>ModulePath</PropertyName></ListItem>
+              <ListItem><Label>Total Files</Label><PropertyName>TotalFiles</PropertyName></ListItem>
+              <ListItem><PropertyName>Succeeded</PropertyName></ListItem>
+              <ListItem><PropertyName>Failed</PropertyName></ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
+
+    <!-- Protect-PsignModule per-file sign result -->
+    <View>
+      <Name>PsignModuleFileSignResult</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Cmdlets.PsignModuleFileSignResult</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader><Label>File</Label><Width>40</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Role</Label><Width>18</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Status</Label><Width>12</Width></TableColumnHeader>
+          <TableColumnHeader><Label>OK</Label><Width>5</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Error</Label><Width>40</Width></TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem><PropertyName>RelativePath</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Role</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Status</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Success</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>ErrorMessage</PropertyName></TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
+
+    <!-- Unprotect-PsignSignature result -->
+    <View>
+      <Name>PsignUnprotectResult</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Cmdlets.PsignUnprotectResult</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader><Label>Path</Label><Width>50</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Removed</Label><Width>8</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Bytes</Label><Width>8</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Message</Label><Width>30</Width></TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>SignatureRemoved</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>BytesRemoved</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>Message</PropertyName></TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
+
+    <!-- Get-PsignSignature / Set-PsignSignature table -->
+    <View>
+      <Name>PortableSignature_Table</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Models.PortableSignature</TypeName>
+      </ViewSelectedBy>
+      <TableControl>
+        <TableHeaders>
+          <TableColumnHeader><Label>Path</Label><Width>40</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Status</Label><Width>14</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Type</Label><Width>14</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Signer</Label><Width>40</Width></TableColumnHeader>
+          <TableColumnHeader><Label>Timestamp</Label><Width>20</Width></TableColumnHeader>
+        </TableHeaders>
+        <TableRowEntries>
+          <TableRowEntry>
+            <TableColumnItems>
+              <TableColumnItem><ScriptBlock>if ($_.SourcePathOrExtension) { $_.SourcePathOrExtension } else { Split-Path $_.Path -Leaf }</ScriptBlock></TableColumnItem>
+              <TableColumnItem><PropertyName>Status</PropertyName></TableColumnItem>
+              <TableColumnItem><PropertyName>SignatureType</PropertyName></TableColumnItem>
+              <TableColumnItem><ScriptBlock>if ($_.SignerCertificate) { $_.SignerCertificate.Subject -replace '^CN=','' -replace ',.*$','' } else { '' }</ScriptBlock></TableColumnItem>
+              <TableColumnItem><ScriptBlock>if ($_.TimestampSigningTime) { $_.TimestampSigningTime.ToString('yyyy-MM-dd HH:mm') } else { '' }</ScriptBlock></TableColumnItem>
+            </TableColumnItems>
+          </TableRowEntry>
+        </TableRowEntries>
+      </TableControl>
+    </View>
+
+    <!-- Get-PsignSignature / Set-PsignSignature detailed list -->
+    <View>
+      <Name>PortableSignature_List</Name>
+      <ViewSelectedBy>
+        <TypeName>Devolutions.Psign.PowerShell.Models.PortableSignature</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem><PropertyName>Path</PropertyName></ListItem>
+              <ListItem><PropertyName>Status</PropertyName></ListItem>
+              <ListItem><PropertyName>StatusMessage</PropertyName></ListItem>
+              <ListItem><PropertyName>SignatureType</PropertyName></ListItem>
+              <ListItem><Label>Format</Label><PropertyName>Format</PropertyName></ListItem>
+              <ListItem><Label>SignerCertificate</Label><ScriptBlock>if ($_.SignerCertificate) { "[Subject]`n  $($_.SignerCertificate.Subject)`n[Issuer]`n  $($_.SignerCertificate.Issuer)`n[Thumbprint]`n  $($_.SignerCertificate.Thumbprint)`n[Not Before]`n  $($_.SignerCertificate.NotBefore)`n[Not After]`n  $($_.SignerCertificate.NotAfter)" }</ScriptBlock></ListItem>
+              <ListItem><Label>TimeStamperCertificate</Label><ScriptBlock>if ($_.TimeStamperCertificate) { "[Subject]`n  $($_.TimeStamperCertificate.Subject)" }</ScriptBlock></ListItem>
+              <ListItem><PropertyName>TimestampSigningTime</PropertyName></ListItem>
+              <ListItem><PropertyName>DigestAlgorithm</PropertyName></ListItem>
+              <ListItem><PropertyName>SignatureCount</PropertyName></ListItem>
+              <ListItem><PropertyName>EmbeddedCertificateCount</PropertyName></ListItem>
+              <ListItem><Label>TrustStatus</Label><PropertyName>PortableTrustStatus</PropertyName></ListItem>
+              <ListItem><PropertyName>IsOSBinary</PropertyName></ListItem>
+              <ListItem><PropertyName>SubjectAlternativeName</PropertyName></ListItem>
+              <ListItem><Label>Diagnostics</Label><ScriptBlock>if ($_.PortableDiagnostics.Count -gt 0) { $_.PortableDiagnostics -join "`n" }</ScriptBlock></ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
+
+  </ViewDefinitions>
+</Configuration>

PowerShell/Devolutions.Psign/Devolutions.Psign.psd1

@@ -1,6 +1,6 @@
 @{
     RootModule = 'Devolutions.Psign.psm1'
-    ModuleVersion = '0.3.0'
+    ModuleVersion = '0.4.0'
     GUID = 'e6e50e4b-bf25-4ed6-a343-49f904e79f8f'
     Author = 'Devolutions'
     CompanyName = 'Devolutions'
@@ -9,9 +9,19 @@
     CompatiblePSEditions = @('Core')
     PowerShellVersion = '7.4'
     NestedModules = @('lib/net8.0/Devolutions.Psign.PowerShell.dll')
-    CmdletsToExport = @('Get-PortableSignature', 'Set-PortableSignature')
+    FormatsToProcess = @('Devolutions.Psign.Format.ps1xml')
+    CmdletsToExport = @(
+        'Get-PsignSignature',
+        'Set-PsignSignature',
+        'Test-PsignModule',
+        'Protect-PsignModule',
+        'Unprotect-PsignSignature'
+    )
     FunctionsToExport = @()
-    AliasesToExport = @()
+    AliasesToExport = @(
+        'Get-PortableSignature',
+        'Set-PortableSignature'
+    )
     PrivateData = @{
         PSData = @{
             Tags = @('Authenticode', 'CodeSigning', 'Portable', 'psign')

PowerShell/Devolutions.Psign/Devolutions.Psign.psm1

@@ -1 +1,71 @@
 # Binary cmdlets are loaded through the module manifest's NestedModules entry.
+
+# Argument completers for common parameters
+
+Register-ArgumentCompleter -CommandName Get-PsignSignature, Get-PortableSignature, Set-PsignSignature, Set-PortableSignature, Protect-PsignModule -ParameterName Thumbprint -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    $baseDir = if ($fakeBoundParameters.ContainsKey('CertStoreDirectory')) {
+        $fakeBoundParameters['CertStoreDirectory']
+    } elseif ($env:PSIGN_CERT_STORE) {
+        $env:PSIGN_CERT_STORE
+    } else {
+        Join-Path ([Environment]::GetFolderPath('UserProfile')) '.psign' 'cert-store'
+    }
+    $scope = if ($fakeBoundParameters.ContainsKey('MachineStore') -and $fakeBoundParameters['MachineStore']) { 'LocalMachine' } else { 'CurrentUser' }
+    $store = if ($fakeBoundParameters.ContainsKey('StoreName')) { $fakeBoundParameters['StoreName'] } else { 'MY' }
+    $storeDir = Join-Path $baseDir $scope $store
+    if (Test-Path $storeDir) {
+        Get-ChildItem -Path $storeDir -Filter '*.der' | ForEach-Object {
+            $thumb = $_.BaseName
+            if ($thumb -like "$wordToComplete*") {
+                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
+                $subject = $cert.Subject -replace '^CN=','' -replace ',.*$',''
+                $cert.Dispose()
+                [System.Management.Automation.CompletionResult]::new(
+                    $thumb, "$thumb ($subject)", 'ParameterValue', $subject)
+            }
+        }
+    }
+}
+
+Register-ArgumentCompleter -CommandName Set-PsignSignature, Set-PortableSignature, Protect-PsignModule -ParameterName StoreName -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('MY', 'Root', 'CA', 'Trust', 'Disallowed') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Set-PsignSignature, Set-PortableSignature, Protect-PsignModule -ParameterName HashAlgorithm -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('Sha256', 'Sha384', 'Sha512') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Set-PsignSignature, Set-PortableSignature, Protect-PsignModule -ParameterName IncludeChain -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('Signer', 'NotRoot', 'All') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Set-PsignSignature, Set-PortableSignature, Protect-PsignModule -ParameterName TimestampHashAlgorithm -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('Sha1', 'Sha256', 'Sha384', 'Sha512') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Get-PsignSignature, Get-PortableSignature -ParameterName RevocationMode -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('Off', 'BestEffort', 'Require') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Test-PsignModule -ParameterName Policy -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    @('AllSigned', 'RemoteSigned') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}