Name

Sign-JS7Workflow.ps1

SYNOPSIS

Digitally signs JS7 workflows and related files for secure deployment in a JS7 environment operated for security level "high"

SYNTAX

Sign-JS7Workflow.ps1 [[-File] <String>] [[-Dir] <String>] [[-Keystore] <String>] [[-Key] <String>] [[-Cert] <String>] [[-Credentials] <PSCredential>] [-AskForCredentials] [[-Thumbprint] <String>] [[-LogDir] <String>] [-ShowLogs] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

JS7 can be operated in environments for security level "high". This includes having workflows digitally signed outside of JOC Cockpit so that the private key is not within reach of JOC Cockpit.

Digital signing includes

* to export scheduling objects with the option "for signing". This will create a .tar.gz/.zip archive file holding the related scheduling objects, which is available on the computer of the user connected to JOC Cockpit
** to optionally transfer the export .tar.gz/.zip archive file to a secure machine
* to digitally sign exported workflow files and job resource files
** to extract the .tar.gz/.zip archive file
** to create signature files, for example *.workflow.json.sig for workflow files *.workflow.json
* to create or update a .tar.gz/.zip archive file that includes both the original workflow files and newly created signature files
* to import and to deploy the .tar.gz/.zip archive file that holds the original workflows and the signature files
** JOC Cockpit offers the operation to "Import and Deploy" .tar.gz/.zip archives in a single step

The Sign-JS7Workflow.ps1 script can be used with PowerShell 5.1 and 7.x on Linux and Windows.
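The steps performed on the secure machine, as an added example that is not part of the original documentation: it extracts the export, signs it, refuses to repackage if any signable file lacks a signature, and then creates the archive for import. The archive names, the keystore path, a .zip export, the `.sig` naming for job resource files and the archive layout JOC Cockpit expects on import are assumptions.

```powershell
# Added example; all names and paths are placeholders, not JS7 defaults.
$ErrorActionPreference = 'Stop'

$export   = './export-for-signing.zip'   # archive exported "for signing" (placeholder name)
$workDir  = './signing-work'             # scratch directory on the secure machine
$signed   = './export-signed.zip'        # archive to "Import and Deploy" afterwards
$keystore = './release-signing.p12'      # placeholder keystore path

# Print the hash of the transferred archive so it can be compared
# with the hash taken on the machine that performed the export.
Get-FileHash -Path $export -Algorithm SHA256 | Format-List Path, Hash

# 1. Extract the export archive into an empty working directory.
if (Test-Path -LiteralPath $workDir) { Remove-Item -LiteralPath $workDir -Recurse -Force }
Expand-Archive -Path $export -DestinationPath $workDir

# 2. Sign all *.workflow.json and *.jobresource.json files below the directory,
#    prompting for the keystore password instead of storing it in a script.
./Sign-JS7Workflow.ps1 -Dir $workDir -Keystore $keystore -AskForCredentials

# 3. Gate: every signable file must have a non-empty <file>.sig next to it.
#    (Assumes job resources use the same .sig suffix as workflows.)
$unsigned = @(
    Get-ChildItem -Path $workDir -Recurse -File |
        Where-Object { $_.Name -like '*.workflow.json' -or $_.Name -like '*.jobresource.json' } |
        Where-Object {
            $sig = "$($_.FullName).sig"
            (-not (Test-Path -LiteralPath $sig)) -or ((Get-Item -LiteralPath $sig).Length -eq 0)
        }
)
if ($unsigned.Count -gt 0) {
    $unsigned | ForEach-Object { Write-Warning "No signature for $($_.FullName)" }
    throw "$($unsigned.Count) file(s) are unsigned; archive not created."
}

# 4. Repackage the original files together with the new signature files.
#    (Assumes JOC Cockpit accepts the same layout as the export.)
Compress-Archive -Path (Join-Path $workDir '*') -DestinationPath $signed -Force
Get-FileHash -Path $signed -Algorithm SHA256 | Format-List Path, Hash
```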

PARAMETERS

File

-File <String>
Specifies the path to a *.workflow.json or *.jobresource.json file to be signed.

If this argument is omitted then the -Dir argument will be used to look up workflow files.

Required?                    false
Position?                    1
Default value
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  false

Dir

-Dir <String>
Specifies the path to a directory holding *.workflow.json or *.jobresource.json files to be signed. Any sub-directories will be traversed recursively.

By default the current directory is used.

Required?                    false
Position?                    2
Default value                .
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  false

Keystore

-Keystore <String>
Specifies the path to a keystore file that holds the private key and certificate used for signing.

The argument can be populated from the JS7_SIGN_KEYSTORE environment variable.

Only one of the -Keystore and -Key arguments can be used. If both arguments are omitted then the Windows Certificate Store will be used.

Required?                    false
Position?                    3
Default value                $env:JS7_SIGN_KEYSTORE
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  false

Key

-Key <String>
Specifies the path to the key file that holds the private key used for signing.

The argument can be populated from the JS7_SIGN_KEY environment variable.

Only one of the -Key and -Keystore arguments can be used. If both arguments are omitted then the Windows Certificate Store will be used.

Required?                    false
Position?                    4
Default value                $env:JS7_SIGN_KEY
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  false

Cert

-Cert <String>
Specifies the path to the certificate file used for signing.

The argument can be populated from the JS7_SIGN_CERT environment variable.

Only one of the -Cert and -Keystore arguments can be used. If both arguments are omitted then the Windows Certificate Store will be used.

Required?                    false
Position?                    5
Default value                $env:JS7_SIGN_CERT
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  false

Credentials

-Credentials <PSCredential>
Optionally specifies a PowerShell credentials object that holds the password used for access to the key file or keystore.

Required?                    false
Position?                    6
Default value
Accept pipeline input?       true (ByPropertyName)
Accept wildcard characters?  false

AskForCredentials

-AskForCredentials <SwitchParameter>
Optionally prompts for user input of the password used to access the key file or keystore. The alias argument -P is available.

Required?                    false
Position?                    named
Default value                False
Accept pipeline input?       true (ByPropertyName)
Accept wildcard characters?  false

Thumbprint

-Thumbprint <String>
Optionally specifies the thumbprint of the code signing certificate to be used. A thumbprint identifies a certificate.

It is required to specify the thumbprint if more than one code signing certificate is available from the indicated keystore or Windows Certificate Store.

Required?                    false
Position?                    7
Default value
Accept pipeline input?       true (ByPropertyName)
Accept wildcard characters?  false

LogDir

-LogDir <String>

Required?                    false
Position?                    8
Default value
Accept pipeline input?       true (ByPropertyName)
Accept wildcard characters?  false

ShowLogs

-ShowLogs <SwitchParameter>

Required?                    false
Position?                    named
Default value                False
Accept pipeline input?       true (ByPropertyName)
Accept wildcard characters?  false

WhatIf

-WhatIf <SwitchParameter>

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

Confirm

-Confirm <SwitchParameter>

Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

PS > ./Sign-JS7Workflow.ps1 -Keystore /mnt/releases/certificates/release-signing/release-signing.p12 -P

Signs all *.workflow.json and *.jobresource.json files in the current directory and sub-directories using the code signing certificate from the indicated keystore asking for its password

-------------------------- EXAMPLE 2 --------------------------

PS > ./Sign-JS7Workflow.ps1 -Key ./js7.key -Cert ./js7.crt

Signs all *.workflow.json and *.jobresource.json files in the current directory and sub-directories using the indicated private key file and certificate file

-------------------------- EXAMPLE 3 --------------------------

PS > ./Sign-JS7Workflow.ps1

Signs all *.workflow.json and *.jobresource.json files in the current directory and sub-directories using the code signing certificate available with the Windows Certificate Store

-------------------------- EXAMPLE 4 --------------------------

PS > ./Sign-JS7Workflow.ps1 -Dir C:\some\folder

Signs all *.workflow.json and *.jobresource.json files in the indicated directory and sub-directories using the code signing certificate available with the Windows Certificate Store

-------------------------- EXAMPLE 5 --------------------------

PS > ./Sign-JS7Workflow.ps1 -File ./test.workflow.json

Signs the indicated file using the code signing certificate available with the Windows Certificate Store

-------------------------- EXAMPLE 6 --------------------------

PS > ./Sign-JS7Workflow.ps1 -File ./test.workflow.json -Thumbprint 'EF64BFA6BC3EF6585F64E3DEC1CD67334DDBDF3F'

Signs the indicated workflow file using the code signing certificate available with the Windows Certificate Store that is identified by the thumbprint

-------------------------- EXAMPLE 7 --------------------------

PS > ./Sign-JS7Workflow.ps1 -File ./test.workflow.json -Thumbprint '2B03EA68F103E80D83228ABCF88A3B448CC8B257'

Signs the indicated workflow file using the code signing certificate available with the Windows Certificate Store that is identified by the thumbprint

-------------------------- EXAMPLE 8 --------------------------

PS > ./Sign-JS7Workflow.ps1 -File ./test.workflow.json -Keystore P:\releases\certificates\release-signing\release-signing.p12 -AskForCredentials

Signs the indicated workflow file using the code signing certificate available from the indicated keystore
