From 3863c9dacb11f61c98e40a45365aeb51065e1242 Mon Sep 17 00:00:00 2001
From: Nathan Gerhart
Date: Tue, 4 Mar 2025 09:48:53 -0700
Subject: [PATCH 1/4] GitHub Actions: fail build if code signing fails
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3e51586..87cb463 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,7 +33,7 @@ jobs:
 $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT);
 Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
 $cert = Import-PfxCertificate -FilePath ./cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
- Set-AuthenticodeSignature InstanceExport.ps1 $cert
+ Set-AuthenticodeSignature InstanceExport.ps1 $cert -ErrorAction Stop
 shell: pwsh
 - name: Create Release
 if: startsWith(github.ref, 'refs/tags/')
From 1e0592e0680c2b70bc72e3e32fa71bd539328b5e Mon Sep 17 00:00:00 2001
From: Nathan Gerhart
Date: Tue, 4 Mar 2025 09:54:49 -0700
Subject: [PATCH 2/4] GitHub Actions: fail build if code signature is invalid
---
 .github/workflows/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 87cb463..acf189a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,7 +33,8 @@ jobs:
 $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT);
 Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
 $cert = Import-PfxCertificate -FilePath ./cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
- Set-AuthenticodeSignature InstanceExport.ps1 $cert -ErrorAction Stop
+ $sig = Set-AuthenticodeSignature InstanceExport.ps1 $cert -ErrorAction Stop
+ if ($sig.Status -ne 'Valid') { throw $sig.StatusMessage }
 shell: pwsh
 - name: Create Release
 if: startsWith(github.ref, 'refs/tags/')
From 1404c6c039e5655b6a6da6e78d0f89129ab8fa12 Mon Sep 17 00:00:00 2001
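Review bot: The signing call in the [PATCH 1/4] hunk passes no `-TimestampServer`, so the signature carries no trusted timestamp and is likely to stop validating once the signing certificate expires. Consider `Set-AuthenticodeSignature InstanceExport.ps1 $cert -TimestampServer <timestamp-service-url> -ErrorAction Stop`, with the placeholder replaced by the timestamp service of the issuing CA. GitHub's `pwsh` shell normally runs a step with `$ErrorActionPreference = 'stop'`, so the added `-ErrorAction Stop` probably changes little on its own. The `run:` block begins above the hunk, so this is based on the visible lines only.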
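Review bot: The new check in the [PATCH 2/4] hunk reads `Status` from the object returned by the signing call and never re-reads the file that is about to be released. An independent read also lets the job confirm which certificate signed it: `$check = Get-AuthenticodeSignature InstanceExport.ps1` followed by `if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw $check.StatusMessage }`. A one-line comment above the check, such as `# the signing call can report a bad status without raising an error`, would record why the explicit test is there. The `run:` block begins above the hunk.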
From: Nathan Gerhart
Date: Tue, 4 Mar 2025 11:30:06 -0700
Subject: [PATCH 3/4] GitHub Actions: import root certificate
This should help with the signing process, because the code signing certificate can now be trusted :crossed-fingers:
---
 .github/workflows/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index acf189a..626e222 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -25,14 +25,22 @@ jobs:
 env:
 PFX_PWORD: ${{ secrets.PFX_PWORD }}
 PFX_CONTENT: ${{ secrets.BASE64_PFX_CONTENT }}
+ ROOT_CONTENT: ${{ secrets.BASE64_ROOT_CONTENT }}
 run: |
 cd ./InstanceExport/PowerShell;
+
+ $rootPath = Join-Path -Path ./ -ChildPath "root.cer";
+ $encodedBytes = [System.Convert]::FromBase64String($env:ROOT_CONTENT);
+ Set-Content $rootPath -Value $encodedBytes -AsByteStream;
+ Import-Certificate -FilePath ./root.cer -CertStoreLocation Cert:\LocalMachine\Root
+
 $PWord = $env:PFX_PWORD;
 $Password = ConvertTo-SecureString -String $PWord -AsPlainText -Force;
 $pfxPath = Join-Path -Path ./ -ChildPath "cert.pfx";
 $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT);
 Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
 $cert = Import-PfxCertificate -FilePath ./cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
+
 $sig = Set-AuthenticodeSignature InstanceExport.ps1 $cert -ErrorAction Stop
 if ($sig.Status -ne 'Valid') { throw $sig.StatusMessage }
 shell: pwsh
From fee1f8aeef732fa7e909c9ec76fd1faaf631d3b6 Mon Sep 17 00:00:00 2001
From: Nathan Gerhart
Date: Tue, 4 Mar 2025 13:36:19 -0700
Subject: [PATCH 4/4] README: update link to signed export script
---
 InstanceExport/PowerShell/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/InstanceExport/PowerShell/README.md b/InstanceExport/PowerShell/README.md
index da63a61..58ada57 100644
--- a/InstanceExport/PowerShell/README.md
+++ b/InstanceExport/PowerShell/README.md
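Review bot: Nothing in the [PATCH 3/4] hunk checks that the bytes in `ROOT_CONTENT` are the expected certificate before they are added to `Cert:\LocalMachine\Root`, so the later `$sig.Status -ne 'Valid'` test only shows that the chain validates on a runner that was just told to trust it. Pinning the import would close that gap: `$root = Import-Certificate -FilePath ./root.cer -CertStoreLocation Cert:\LocalMachine\Root` followed by `if ($root.Thumbprint -ne '<expected-root-thumbprint>') { throw 'unexpected root certificate' }`. A root certificate is public, so it could be kept in the repository, where changes to it are reviewable, instead of in a secret. If this root is private, machines that download the script will presumably not report the signature as valid unless the same root is installed there, which is worth stating in the README. `root.cer` and `cert.pfx` also stay in the directory that holds `InstanceExport.ps1`; `Remove-Item ./cert.pfx, ./root.cer` after signing keeps key material out of anything a later step collects from that directory.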
@@ -4,7 +4,7 @@ At DevResults we value the concept that your data belongs to _you_, and you have In order to use it, you should: -1. Download the [InstanceExport.ps1](https://raw.githubusercontent.com/DevResults/DevResultsTools/main/InstanceExport/PowerShell/InstanceExport.ps1) PowerShell script available in this repo to your machine. One way to do this is to right click the link to the file name in the previous sentence and choose "Save link as..." to produce a save dialog box. +1. Download the [InstanceExport.ps1](https://github.com/DevResults/DevResultsTools/releases/download/1.0.2/InstanceExport.ps1) PowerShell script. 2. Reach out to us at help@devresults.com to request an Instance Export Manifest.