feat(mssql): add digital signed cert instructions (#478)

shane-borden · Shane Borden · web-flow · commit 08e9b2d30921 · 2025-01-21T10:31:23.000-06:00
* feat: add directions how to digitially sign powershell scripts using self signed cert

* fix: address possible permission error with Azure SQL Database

---------

Co-authored-by: Shane Borden &lt;shaneborden@google.com&gt;
diff --git a/docs/user_guide/sqlserver/collection_scripts.md b/docs/user_guide/sqlserver/collection_scripts.md
@@ -294,9 +294,52 @@ This is recommended if you plan to upload the results to the Migration Center.
 
 !!! IMPORTANT Do not modify the name or the contents of the zip file without consultation from Google.
 
+## Digitially Signing Powershell Scripts (Optional / Only if Necessary)
+
+Occasionally, organizational security policies require that Powershell scripts be digitally signed before they can be executed.  Google will not provide a certificate to do this, however, the customer can create a self-signed certificate and then sign the scripts on their own using the following steps:
+
+    - Create directory to store the certificates
+        - $PSScriptRoot\_Certs\
+
+    - Assign directories to variables
+        - $certExport = "C:\$PSScriptRoot\_Certs\"
+        - $ScriptRepo = "C:\$PSScriptRoot"
+
+    - Create variable params with relevant information to create the self signed certificate
+        $params = @{
+            Subject = 'Google DMA Self Signed PS Code Signing'
+            DnsName = 'Self@google.com'
+            FriendlyName = 'Google DMA Self Signed PS Code Signing'
+            NotAfter = (Get-Date).AddYears(5)
+            Type = 'CodeSigning'  
+            CertStoreLocation = 'cert:\CurrentUser\My' 
+            KeyUsage = 'DigitalSignature'
+            KeyAlgorithm = 'RSA'
+            KeyLength = 2048 
+            HashAlgorithm = 'sha256' 
+            }
+
+    - Create a new self-signed certificate based on the above parameters and send the details to 'newCodeSigningCert' variable for reference later.
+        - New-SelfSignedCertificate @params -OutVariable newCodeSigningCert
+
+    - Export the public key to the file system.
+        - Export-Certificate -Cert "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -FilePath "$($certExport)\CodeSigning.cer"
+
+    - Re-import certificate into Trusted Root otherwise it's not possible to validate any signed scripts.
+        - Import-Certificate -FilePath "$($certExport)\CodeSigning.cer" -Cert Cert:\LocalMachine\root
+
+    - Sign all DMA Scripts
+        - Set-AuthenticodeSignature $ScriptRepo\instanceReview.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\createUserWithSQLAuth.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\createUserWithWindowsAuth.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\dmaCollectorCommonFunctions.psm1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerCorrectPerfmonDataset.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerHWSpecs.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+        - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerPerfmonDataset.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+
 ## License
 
-Copyright 2024 Google LLC
+Copyright 2025 Google LLC
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/scripts/collector/sqlserver/README.txt b/scripts/collector/sqlserver/README.txt
@@ -264,9 +264,58 @@ Operating System Versions:
 
 !!! IMPORTANT Do not modify the name or the contents of the zip file without consultation from Google.
 
-5. License
+5. Digitially Signing Powershell Scripts (If Necessary)
 ------------
-Copyright 2024 Google LLC
+
+#### Signing Scripts (Optional)
+
+    Occasionally, organizational security policies require that Powershell scripts be digitally signed
+    before they can be executed.  Google will not provide a certificate to do this, however, the customer
+    can create a self-signed certificate and then sign the scripts on their own using the following steps:
+
+        - Create directory to store the certificates
+            - $PSScriptRoot\_Certs\
+
+        - Assign directories to variables
+            - $certExport = "C:\dma-mssql\_Certs\"
+            - $ScriptRepo = "C:\dma-mssql"
+
+        - Create variable params with relevant information to create the self signed certificate
+            $params = @{
+                Subject = 'Google DMA Self Signed PS Code Signing'
+                DnsName = 'Self@google.com'
+                FriendlyName = 'Google DMA Self Signed PS Code Signing'
+                NotAfter = (Get-Date).AddYears(5)
+                Type = 'CodeSigning'  
+                CertStoreLocation = 'cert:\CurrentUser\My' 
+                KeyUsage = 'DigitalSignature'
+                KeyAlgorithm = 'RSA'
+                KeyLength = 2048 
+                HashAlgorithm = 'sha256' 
+                }
+
+        - Create a new self-signed certificate based on the above parameters and send the details to 'newCodeSigningCert' variable for reference later.
+            - New-SelfSignedCertificate @params -OutVariable newCodeSigningCert
+
+        - Export the public key to the file system.
+            - Export-Certificate -Cert "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -FilePath "$($certExport)\CodeSigning.cer"
+
+        - Re-import certificate into Trusted Root otherwise it's not possible to validate any signed scripts.
+            - Import-Certificate -FilePath "$($certExport)\CodeSigning.cer" -Cert Cert:\LocalMachine\root
+
+        - Sign all DMA Scripts
+            - Set-AuthenticodeSignature $ScriptRepo\instanceReview.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\createUserWithSQLAuth.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\createUserWithWindowsAuth.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\dmaCollectorCommonFunctions.psm1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerCorrectPerfmonDataset.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerHWSpecs.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+            - Set-AuthenticodeSignature $ScriptRepo\dmaSQLServerPerfmonDataset.ps1 -Certificate (Get-ChildItem "cert:\CurrentUser\My\$($newCodeSigningCert.Thumbprint)" -CodeSigningCert)
+
+
+6. License
+------------
+Copyright 2025 Google LLC
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/scripts/collector/sqlserver/sql/dbServerFeatures.sql b/scripts/collector/sqlserver/sql/dbServerFeatures.sql
@@ -25,6 +25,7 @@ DECLARE @TABLE_PERMISSION_COUNT AS INTEGER
 DECLARE @ROW_COUNT_VAR AS INTEGER
 DECLARE @DMA_SOURCE_ID AS VARCHAR(256)
 DECLARE @DMA_MANUAL_ID AS VARCHAR(256)
+DECLARE @ERROR_NUMBER AS INT
 
 SELECT @PKEY = N'$(pkey)';
 SELECT @CLOUDTYPE = 'NONE';
@@ -149,18 +150,27 @@ BEGIN
             from dqs_service');
         END TRY
     BEGIN CATCH
-        exec('
-        WITH dqs_service as (
-        select count(*) as dqs_count from sys.sql_logins where name like ''##MS_dqs%'')
-        INSERT INTO #FeaturesEnabled
-            SELECT
-                ''DATA QUALITY SERVICES'' as Features,
-                CASE
-                    WHEN dqs_count > 0 THEN 1
-                    ELSE 0
-                END AS Is_EnabledOrUsed,
-                dqs_count as Count
-            from dqs_service');
+        SELECT @ERROR_NUMBER = ERROR_NUMBER()
+        IF @ERROR_NUMBER = 229
+            exec('
+            INSERT INTO #FeaturesEnabled
+                SELECT
+                    ''DATA QUALITY SERVICES'' as Features,
+                    ''0'' as Is_EnabledOrUsed,
+                    ''0'' as Count');
+        ELSE
+            exec('
+            WITH dqs_service as (
+            select count(*) as dqs_count from sys.sql_logins where name like ''##MS_dqs%'')
+            INSERT INTO #FeaturesEnabled
+                SELECT
+                    ''DATA QUALITY SERVICES'' as Features,
+                    CASE
+                        WHEN dqs_count > 0 THEN 1
+                        ELSE 0
+                    END AS Is_EnabledOrUsed,
+                    dqs_count as Count
+                from dqs_service');  
         END CATCH
 END;
 
