|
| 1 | +--- |
| 2 | +title: "PowerShellBuild v0.8.0: Authenticode Signing & New Documentation" |
| 3 | +description: "PowerShellBuild v0.8.0 brings Authenticode code-signing support for PowerShell modules, and comprehensive docs are now available on the psake docs site." |
| 4 | +date: 2026-02-21T18:00:00.000Z |
| 5 | +slug: powershellbuild-v0.8.0-signing-and-docs |
| 6 | +authors: |
| 7 | + - heyitsgilbert |
| 8 | +tags: |
| 9 | + - announcement |
| 10 | + - release |
| 11 | + - powershell |
| 12 | + - build-automation |
| 13 | + - psake |
| 14 | + - deployment |
| 15 | +keywords: |
| 16 | + - PowerShellBuild |
| 17 | + - Authenticode |
| 18 | + - code signing |
| 19 | + - certificate |
| 20 | + - PowerShell module signing |
| 21 | + - build automation |
| 22 | + - psake |
| 23 | +draft: false |
| 24 | +fmContentType: blog |
| 25 | +--- |
| 26 | + |
| 27 | +Two exciting updates to share today: **PowerShellBuild v0.8.0** has been released with built-in Authenticode code-signing support, and we've added a comprehensive [PowerShellBuild documentation section](/docs/powershellbuild/introduction) right here on the psake docs site. |
| 28 | + |
| 29 | +<!-- truncate --> |
| 30 | + |
| 31 | +## PowerShellBuild Docs Are Now on the psake Site |
| 32 | + |
| 33 | +If you've been looking for guidance on using PowerShellBuild to streamline your PowerShell module builds, you no longer need to piece things together from the README alone. The psake docs site now has a dedicated **PowerShellBuild** section covering: |
| 34 | + |
| 35 | +- [**Introduction**](/docs/powershellbuild/introduction) — What PowerShellBuild is and how it relates to psake |
| 36 | +- [**Getting Started**](/docs/powershellbuild/getting-started) — Installation and first-build walkthrough |
| 37 | +- [**Configuration**](/docs/powershellbuild/configuration) — Deep dive into `$PSBPreference` and how to customize every aspect of your build |
| 38 | +- [**Task Reference**](/docs/powershellbuild/task-reference) — Complete listing of all available tasks and their dependencies |
| 39 | +- [**Real-World Example**](/docs/powershellbuild/real-world-example) — A practical end-to-end project setup |
| 40 | + |
| 41 | +## What's New in v0.8.0 — Authenticode Signing |
| 42 | + |
| 43 | +The headline feature in [PowerShellBuild v0.8.0](https://github.com/psake/PowerShellBuild/releases/tag/v0.8.0) is full Authenticode code-signing support for PowerShell modules. This was a highly requested capability, and it's now baked right into the standard build pipeline. |
| 44 | + |
| 45 | +### Three New Public Functions |
| 46 | + |
| 47 | +**`Get-PSBuildCertificate`** resolves a code-signing `X509Certificate2` from five different sources: |
| 48 | + |
| 49 | +- **Auto** — Automatically detects from environment variables or the certificate store |
| 50 | +- **Windows certificate store** — With optional thumbprint filtering |
| 51 | +- **Base64-encoded PFX** — From environment variables, ideal for CI/CD pipelines |
| 52 | +- **PFX file on disk** — With optional password protection |
| 53 | +- **Pre-resolved certificate object** — For custom providers like Azure Key Vault |
| 54 | + |
| 55 | +**`Invoke-PSBuildModuleSigning`** signs your module files (`.psd1`, `.psm1`, `.ps1`) with Authenticode signatures. It supports configurable timestamp servers and hash algorithms including SHA256, SHA384, and SHA512. |
| 56 | + |
| 57 | +**`New-PSBuildFileCatalog`** creates Windows catalog (`.cat`) files that record cryptographic hashes of your module's contents for tamper detection. |
| 58 | + |
| 59 | +### Four New Build Tasks |
| 60 | + |
| 61 | +| Task | Description | |
| 62 | +|------|-------------| |
| 63 | +| `SignModule` | Signs module files with Authenticode | |
| 64 | +| `BuildCatalog` | Creates a Windows catalog file | |
| 65 | +| `SignCatalog` | Signs the catalog file | |
| 66 | +| `Sign` | Meta-task that orchestrates the full signing pipeline | |
| 67 | + |
| 68 | +These tasks slot into the existing build pipeline with proper dependency ordering: **Build → SignModule → BuildCatalog → SignCatalog**. |
| 69 | + |
| 70 | +## Certificate Sources |
| 71 | + |
| 72 | +PowerShellBuild supports four ways to supply a certificate, listed here in order of common use: |
| 73 | + |
| 74 | +**1. Automatic (CI/CD) — Base64 PFX in an env var** |
| 75 | + |
| 76 | +```powershell |
| 77 | +# Store your PFX as a base64 secret (e.g. GitHub Actions secret SIGNCERTIFICATE) |
| 78 | +# PowerShellBuild picks it up automatically when Sign.Enabled = $true |
| 79 | +$PSBPreference.Sign.Enabled = $true |
| 80 | +# CertificateSource defaults to 'Auto' — done |
| 81 | +``` |
| 82 | + |
| 83 | +**2. Local dev — certificate store** |
| 84 | + |
| 85 | +```powershell |
| 86 | +$PSBPreference.Sign.Enabled = $true |
| 87 | +$PSBPreference.Sign.CertificateSource = 'Store' |
| 88 | +# picks first valid, unexpired code-signing cert in Cert:\CurrentUser\My |
| 89 | +
|
| 90 | +# Or pin to a specific one by thumbprint: |
| 91 | +$PSBPreference.Sign.CertificateSource = 'Thumbprint' |
| 92 | +$PSBPreference.Sign.Thumbprint = 'AB12CD34EF...' |
| 93 | +``` |
| 94 | + |
| 95 | +**3. PFX file on disk** |
| 96 | + |
| 97 | +```powershell |
| 98 | +$PSBPreference.Sign.Enabled = $true |
| 99 | +$PSBPreference.Sign.CertificateSource = 'PfxFile' |
| 100 | +$PSBPreference.Sign.PfxFilePath = './codesign.pfx' |
| 101 | +$PSBPreference.Sign.PfxFilePassword = (Read-Host -AsSecureString 'Password') |
| 102 | +``` |
| 103 | + |
| 104 | +**4. Pre-resolved object (Azure Key Vault, HSM, etc.)** |
| 105 | + |
| 106 | +```powershell |
| 107 | +# Get the cert however you like, then hand it directly: |
| 108 | +$cert = Get-AzKeyVaultCertificate -VaultName 'MyVault' -Name 'CodeSignCert' | |
| 109 | + Get-AzKeyVaultSecret | ... # your Key Vault retrieval logic |
| 110 | +
|
| 111 | +$PSBPreference.Sign.Enabled = $true |
| 112 | +$PSBPreference.Sign.Certificate = $cert # bypasses CertificateSource entirely |
| 113 | +``` |
| 114 | + |
| 115 | +All of these go in your `Properties {}` block (psake) or before dot-sourcing (Invoke-Build), before the task file is loaded. To also sign before publishing: |
| 116 | + |
| 117 | +```powershell |
| 118 | +$PSBPublishDependency = @('Sign') |
| 119 | +``` |
| 120 | + |
| 121 | +All signing operations include platform checks (Windows-only) with appropriate warnings, and verbose logging throughout makes troubleshooting straightforward. |
| 122 | + |
| 123 | +## Get Started |
| 124 | + |
| 125 | +- **Read the docs:** Check out the [PowerShellBuild documentation](/docs/powershellbuild/introduction) for a complete walkthrough |
| 126 | +- **Upgrade:** `Install-Module PowerShellBuild -RequiredVersion 0.8.0` |
| 127 | +- **Release notes:** [v0.8.0 on GitHub](https://github.com/psake/PowerShellBuild/releases/tag/v0.8.0) |
| 128 | +- **Feedback:** Open an issue on [GitHub](https://github.com/psake/PowerShellBuild/issues) — we'd love to hear how you're using the signing tasks |
0 commit comments