Chocolatey auto deploy

Author: MichaelGrafnetter

.github/README.md

@@ -134,6 +134,7 @@ The online version of [PowerShell Get-Help documentation](../Documentation/Power
 
 I have also published a series of articles about the DSInternals module on [my blog](https://www.dsinternals.com/en/). Here are a few of them:
 
+- [Juicing ntds.dit Files to the Last Drop](https://specterops.io/blog/2025/08/14/juicing-ntds-dit-files-last-drop-dsinternals-powershell-active-directory-offline-attacks/)
 - [New Offline Capabilities in DSInternals 4.11](https://www.dsinternals.com/en/dsinternals-v4.11/)
 - [Cross-Forest Duplicate Password Discovery](https://www.dsinternals.com/en/cross-forest-duplicate-password-discovery/)
 - [CQLabs – Extracting Roamed Private Keys from Active Directory](https://cqureacademy.com/blog/extracting-roamed-private-keys)

.github/workflows/autobuild.yml

@@ -31,8 +31,8 @@ jobs:
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        # .NET SDK 9 is used for build. Platform-specific IJW hosts from .NET SDK 8 are used when building C++/CLI projects. 
-        dotnet-version: | 
+        # .NET SDK 9 is used for build. Platform-specific IJW hosts from .NET SDK 8 are used when building C++/CLI projects.
+        dotnet-version: |
           8.0.x
           9.0.x
         cache: true
@@ -58,7 +58,7 @@ jobs:
       shell: powershell
       working-directory: Build/bin/DSInternals.PowerShell/Debug
       run: New-FileCatalog -CatalogVersion 2 -Path DSInternals -CatalogFilePath .\DSInternals\DSInternals.cat
-    
+
     - name: Create Managed NuGet Packages
       working-directory: Src
       run: |
@@ -113,9 +113,20 @@ jobs:
       with:
         name: DSInternals_v${{ steps.get-module-version.outputs.version }}_debug
         path: Build/bin/DSInternals.PowerShell/Debug
-        
+
     - name: Upload NuGet Packages as Artifacts
       uses: actions/upload-artifact@v4
       with:
         name: NuGet_v${{ steps.get-module-version.outputs.version }}_debug
         path: Build/package/debug/*nupkg
+
+    - name: Create Chocolatey Package
+      shell: pwsh
+      run: |
+        choco pack Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec --version=${{ steps.get-module-version.outputs.version }} --output-directory=Build/package/Chocolatey --execution-timeout=60 --confirm configuration=Debug
+
+    - name: Upload Chocolatey Package as Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: Chocolatey_v${{ steps.get-module-version.outputs.version }}_debug
+        path: Build/package/Chocolatey/*.nupkg

.github/workflows/release.yml

@@ -50,6 +50,7 @@ jobs:
     timeout-minutes: 10
     outputs:
       nuget-artifact-id: ${{ steps.upload-nuget.outputs.artifact-id }}
+      chocolatey-artifact-id: ${{ steps.upload-chocolatey.outputs.artifact-id }}
       powershell-artifact-id: ${{ steps.upload-powershell.outputs.artifact-id }}
       powershell-module-version: ${{ steps.get-module-info.outputs.version }}
       powershell-module-release-notes: ${{ steps.get-module-info.outputs.release-notes }}
@@ -79,12 +80,12 @@ jobs:
       uses: microsoft/setup-msbuild@v2
       with:
         msbuild-architecture: x64 # default is x86
-    
+
     - name: Setup .NET
       uses: actions/setup-dotnet@v4
       with:
-        # .NET SDK 9 is used for build. Platform-specific IJW hosts from .NET SDK 8 are used when building C++/CLI projects. 
-        dotnet-version: | 
+        # .NET SDK 9 is used for build. Platform-specific IJW hosts from .NET SDK 8 are used when building C++/CLI projects.
+        dotnet-version: |
           8.0.x
           9.0.x
         cache: true
@@ -127,7 +128,7 @@ jobs:
         client-id: ${{ secrets.SIGNING_CLIENT_ID }}
         tenant-id: ${{ secrets.SIGNING_TENANT_ID }}
         allow-no-subscriptions: true
-    
+
     - name: Sign Binaries and Scripts
       shell: cmd
       if: ${{ inputs.certificate_sign }}
@@ -184,12 +185,12 @@ jobs:
       shell: powershell
       working-directory: Build/bin/DSInternals.PowerShell/Release
       run: New-FileCatalog -CatalogVersion 2 -Path DSInternals -CatalogFilePath .\DSInternals\DSInternals.cat
-    
+
     - name: Create Managed NuGet Packages
       working-directory: Src
       run: |
         dotnet pack DSInternals.DotNetSdk.slnf --configuration Release --no-build
-    
+
     - name: Create Mixed NuGet Package
       working-directory: Src
       run: |
@@ -218,27 +219,54 @@ jobs:
         [hashtable] $manifest = Import-PowerShellDataFile -Path ./Src/DSInternals.PowerShell/DSInternals.psd1
         [string] $version = $manifest.ModuleVersion
         [string] $releaseNotes = $manifest.PrivateData.PSData.ReleaseNotes
-        
+
         echo "version=$version" >> $env:GITHUB_OUTPUT
 
         echo 'release-notes<<EOF' >> $env:GITHUB_OUTPUT
         echo $releaseNotes >> $env:GITHUB_OUTPUT
         echo 'EOF' >> $env:GITHUB_OUTPUT
 
+    - name: Create Chocolatey Package
+      shell: pwsh
+      run: |
+        choco pack Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec --version=${{ steps.get-module-info.outputs.version }} --output-directory=Build/package/Chocolatey --execution-timeout=60 --confirm configuration=Release
+
+    - name: Sign Chocolatey Package
+      shell: cmd
+      if: ${{ inputs.certificate_sign }}
+      run: >
+        sign code azure-key-vault
+        *.nupkg
+        --base-directory "${{ github.workspace }}/Build/package/Chocolatey"
+        --azure-key-vault-url "${{ secrets.SIGNING_KEY_VAULT_URL }}"
+        --azure-key-vault-certificate "${{ secrets.SIGNING_KEY_VAULT_CERTIFICATE }}"
+        --azure-credential-type azure-cli
+        --file-digest SHA256
+        --timestamp-digest SHA256
+        --timestamp-url "http://timestamp.acs.microsoft.com"
+        --verbosity Information
+
     - name: Upload PowerShell Module as Artifact
       uses: actions/upload-artifact@v4
       id: upload-powershell
       with:
         name: DSInternals_v${{ steps.get-module-info.outputs.version }}
         path: Build/bin/DSInternals.PowerShell/Release
-        
+
     - name: Upload NuGet Packages as Artifacts
       uses: actions/upload-artifact@v4
       id: upload-nuget
       with:
         name: NuGet_v${{ steps.get-module-info.outputs.version }}
         path: Build/package/release/*nupkg
 
+    - name: Upload Chocolatey Package as Artifact
+      uses: actions/upload-artifact@v4
+      id: upload-chocolatey
+      with:
+        name: Chocolatey_v${{ steps.get-module-info.outputs.version }}
+        path: Build/package/Chocolatey/*.nupkg
+
     - name: Run PowerShell Desktop Tests
       working-directory: Scripts
       shell: powershell
@@ -301,7 +329,7 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@v4
-    
+
     - name: Download PowerShell Module
       uses: actions/download-artifact@v5
       with:
@@ -321,7 +349,7 @@ jobs:
       run: |
         @'
         ### Notable Changes
-        
+
         ${{ needs.build.outputs.powershell-module-release-notes }}
 
         See the [Changelog](https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/CHANGELOG.md) for a more detailed list of new features.
@@ -330,11 +358,28 @@ jobs:
 
         - The module is available in the [PowerShell Gallery](https://www.powershellgallery.com/packages/DSInternals).
         - As an alternative, the attached `DSInternals_v${{ needs.build.outputs.powershell-module-version }}.zip` file can be used for [offline module installation](https://github.com/MichaelGrafnetter/DSInternals#offline-module-distribution).
-        
+        - The module is also available as a [Chocolatey package](https://community.chocolatey.org/packages/dsinternals-psmodule).
+
         ### NuGet Packages
 
         Official binary packages are available in the [NuGet Gallery](https://www.nuget.org/profiles/DSInternals).
         '@ > release-notes.md
         gh release create v${{ needs.build.outputs.powershell-module-version }} ./*.zip --draft --latest --title "DSInternals PowerShell Module ${{ needs.build.outputs.powershell-module-version }}" --notes-file release-notes.md
 
-  # TODO: chocolatey
+  chocolatey:
+    name: 'Publish to Chocolatey Gallery'
+    if: ${{ inputs.publish_chocolatey }}
+    runs-on: windows-2025
+    needs: build
+    steps:
+      - name: Download Chocolatey Package
+        uses: actions/download-artifact@v5
+        with:
+          artifact-ids: ${{ needs.build.outputs.chocolatey-artifact-id }}
+
+      - name: Publish Chocolatey Package
+        shell: pwsh
+        env:
+          CHOCOLATEY_APIKEY: ${{ secrets.CHOCOLATEY_APIKEY }}
+        run: |
+          choco push *.nupkg --source='https://push.chocolatey.org/' --api-key=$env:CHOCOLATEY_APIKEY

Scripts/Pack-Chocolatey.ps1

@@ -3,7 +3,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>DSInternals-PSModule</id>
-    <version>6.1.1</version>
+    <version>$version$</version>
     <packageSourceUrl>https://github.com/MichaelGrafnetter/DSInternals/tree/master/Src/DSInternals.PowerShell/Chocolatey</packageSourceUrl>
     <owners>MichaelGrafnetter</owners>
     <title>DSInternals PowerShell Module</title>
@@ -40,17 +40,16 @@ Features exposed through these tools are not supported by Microsoft. Improper us
 * Resolved issues with parsing LAPS passwords and key credentials.
     </releaseNotes>
     <dependencies>
-      <!-- Windows Management Framework 3+. For OS prior to Windows 8 and Windows Server 2012. -->
-      <dependency id="powershell" version="3.0.20121027" />
+      <!-- Windows Management Framework 5.1+. For OS prior to Windows 10 and Windows Server 2016. -->
+      <dependency id="powershell" version="5.1.14409.1005" />
       <!-- Universal C Runtime. For RTM OS prior to Windows 10 and Windows Server 2016. -->
       <dependency id="kb2999226" version="1.0.20181019" />
-      <!-- .NET Framework 4.7.2+. For RTM OS prior to Windows 10 1703 and Windows Server 1709. -->
-      <dependency id="dotnetfx" version="4.7.2.0"  />
+      <!-- .NET Framework 4.8+. For RTM OS prior to Windows 10 1903 and Windows Server 1903. -->
+      <dependency id="dotnetfx" version="4.8.0.20220524"  />
     </dependencies>
   </metadata>
   <files>
     <file src="tools\**" target="tools" />
-    <file src="..\..\..\Build\bin\DSInternals.PowerShell\Release\DSInternals\**" target="DSInternals" />
-    <file src="..\..\..\Build\bin\DSInternals.PowerShell\Release\DSInternals.cat" target="tools\DSInternals.cat" />
+    <file src="..\..\..\Build\bin\DSInternals.PowerShell\$configuration$\DSInternals\**" target="DSInternals" />
   </files>
 </package>

Scripts/Publish-Chocolatey.ps1

@@ -1,11 +1,7 @@
 VERIFICATION
 
 This is the official DSInternals PowerShell Module Chocolatey package.
-
 The package is self-contained and contains the same files as the GitHub ZIP release (https://github.com/MichaelGrafnetter/DSInternals/releases).
 
-File integrity can be checked against the catalog file using the following PowerShell 5 command:
-
-Test-FileCatalog -CatalogFilePath tools\DSInternals.cat -Path DSInternals -Detailed
-
-Note that the catalog file is not digitally signed (for now).
+All binary and script files should be digitally signed.
+Module integrity can be checked using the bundled "Integrity.Tests.ps1" script.

Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec

@@ -3,22 +3,22 @@ $ErrorActionPreference = 'Stop'
 
 # Check PowerShell Version
 # Note: The #requires statement is not used in order to provide a custom message.
-if ($PSVersionTable.PSVersion -lt [Version]'3.0')
+if ($PSVersionTable.PSVersion -lt [Version]'5.1')
 {
-    throw 'The minimum required version of PowerShell is 3. Please upgrade by running the "choco install powershell" command first.'
+    throw 'The minimum required version of PowerShell is 5.1. Please upgrade by running the "choco install powershell" command first.'
 }
 
 # Copy Files
-$toolsDir = Split-Path -Parent ($MyInvocation.MyCommand.Definition)
-$sourceDir = Join-Path -Path $toolsDir -ChildPath '..\DSInternals' -Resolve
-$destinationDir = Join-Path -Path $PSHOME -ChildPath 'Modules\DSInternals'
-robocopy $sourceDir $destinationDir /MIR /MOVE /NJS /NJH /NDL /NFL /NS /NP
+[string] $rootDir = Split-Path -Parent -Path $PSScriptRoot
+[string] $sourceDir = Join-Path -Path $rootDir -ChildPath 'DSInternals' -Resolve
+[string] $destinationDir = Join-Path -Path $PSHOME -ChildPath 'Modules\DSInternals'
+robocopy.exe $sourceDir $destinationDir /MIR /MOVE /NJS /NJH /NDL /NFL /NS /NP
 
 # Cleanup
 Remove-Item -Path $sourceDir -Recurse -Force -ErrorAction SilentlyContinue
 
 # Create Start Menu Link
-$psPath = (Get-Command -Name 'powershell.exe').Path
-$psArguments = '-NoExit -Command "& { Import-Module -Name DSInternals; Get-Help -Name about_DSInternals }"'
-$shortcutPath = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Windows\Start Menu\Programs\DSInternals PowerShell Module.lnk'
+[string] $psPath = (Get-Command -Name 'powershell.exe').Path
+[string] $psArguments = '-NoExit -Command "& { Import-Module -Name DSInternals; Get-Help -Name about_DSInternals }"'
+[string] $shortcutPath = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Windows\Start Menu\Programs\DSInternals PowerShell Module.lnk'
 Install-ChocolateyShortcut -ShortcutFilePath $shortcutPath -TargetPath $psPath -Arguments $psArguments -WorkingDirectory "$env:SystemDrive\"

Src/DSInternals.PowerShell/Chocolatey/tools/VERIFICATION.txt

@@ -1,9 +1,9 @@
 $ErrorActionPreference = 'Stop'
 
 # Remove Module Files
-$destinationDir = Join-Path -Path $PSHOME -ChildPath 'Modules\DSInternals'
+[string] $destinationDir = Join-Path -Path $PSHOME -ChildPath 'Modules\DSInternals'
 Remove-Item -Path $destinationDir -Recurse -Force -ErrorAction SilentlyContinue
 
 # Remove Start Menu Link
-$shortcutPath = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Windows\Start Menu\Programs\DSInternals PowerShell Module.lnk'
+[string] $shortcutPath = Join-Path -Path $env:ProgramData -ChildPath 'Microsoft\Windows\Start Menu\Programs\DSInternals PowerShell Module.lnk'
 Remove-Item -Path $shortcutPath -Force -ErrorAction SilentlyContinue

Src/DSInternals.PowerShell/Chocolatey/tools/chocolateyinstall.ps1

@@ -4,7 +4,7 @@
 #>
 #Requires -Version 5.1
 #Requires -Modules @{ ModuleName = 'Pester'; ModuleVersion = '5.0' }
- 
+
 Describe 'Chocolatey Package' {
     BeforeAll {
         # Get the manifest paths
@@ -20,11 +20,6 @@ Describe 'Chocolatey Package' {
         $chocolateySpec.package.metadata.description.Length | Should -BeLessOrEqual 4000 -Because 'package upload would fail otherwise.'
     }
 
-    # Now compare the shared values
-    It 'has the same version as the module' {
-        $chocolateySpec.package.metadata.version | Should -Be $moduleManifest.ModuleVersion
-    }
-
     It 'has the same release notes as the module' {
         # Remove line breaks and backticks (markdown code sections) from the release notes.
         [string] $normalizedChocolateyReleaseNotes = $chocolateySpec.package.metadata.releaseNotes.Replace("`r`n","`n").Replace('`','').Trim()