From 55ce401f7ff74f46fc03aeb4b7e1058c1af0c8b7 Mon Sep 17 00:00:00 2001 From: sergei-pyshnoi <121864472+sergei-pyshnoi@users.noreply.github.com> Date: Fri, 22 Sep 2023 10:52:16 +0200 Subject: [PATCH] [Windows] Add signature validator for MongoDB (#8304) --- .../scripts/ImageHelpers/InstallHelpers.ps1 | 38 ++++++++++++++++++- .../scripts/Installers/Install-MongoDB.ps1 | 2 +- images/win/toolsets/toolset-2019.json | 3 +- images/win/toolsets/toolset-2022.json | 3 +- 4 files changed, 41 insertions(+), 5 deletions(-) diff --git a/images/win/scripts/ImageHelpers/InstallHelpers.ps1 b/images/win/scripts/ImageHelpers/InstallHelpers.ps1 index 58f2b6f2..e5499625 100644 --- a/images/win/scripts/ImageHelpers/InstallHelpers.ps1 +++ b/images/win/scripts/ImageHelpers/InstallHelpers.ps1 @@ -17,7 +17,7 @@ function Install-Binary The list of arguments that will be passed to the installer. Required for .exe binaries. .EXAMPLE - Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") + Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") -ExpectedSignature "XXXXXXXXXXXXXXXXXXXXXXXXXX" #> Param @@ -28,7 +28,8 @@ function Install-Binary [String] $Name, [Parameter(Mandatory, ParameterSetName="LocalPath")] [String] $FilePath, - [String[]] $ArgumentList + [String[]] $ArgumentList, + [String] $ExpectedSignature ) if ($PSCmdlet.ParameterSetName -eq "LocalPath") 
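Review bot: The new `[String] $ExpectedSignature` parameter has no `.PARAMETER` entry in the comment-based help, although the updated `.EXAMPLE` in the first hunk already shows it. Suggest adding, above `.EXAMPLE`, a `.PARAMETER ExpectedSignature` entry reading `Thumbprint of the certificate expected to have Authenticode-signed the binary; when supplied, installation is aborted unless the file's signature is valid and the signer matches.` The example value `"XXXXXXXXXXXXXXXXXXXXXXXXXX"` is not the length of a certificate thumbprint (40 hex characters), so a correctly sized placeholder, or a remark that it is one, avoids confusion. The Param block and the Install-Binary body continue outside the hunk.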
@@ -41,6 +42,19 @@ function Install-Binary $filePath = Start-DownloadWithRetry -Url $Url -Name $Name } + if ($PSBoundParameters.ContainsKey('ExpectedSignature')) + { + if ($ExpectedSignature) + { + Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature + + } + else + { + throw "ExpectedSignature parameter is specified, but no signature is provided." + } + } + # MSI binaries should be installed via msiexec.exe $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "") if ($fileExtension -eq "msi") @@ -687,3 +701,23 @@ function Get-HashFromGitHubReleaseBody { } return $result } +function Test-FileSignature { + param( + [Parameter(Mandatory=$true)] + [string]$FilePath, + [Parameter(Mandatory=$true)] + [string]$ExpectedThumbprint + ) + + $signature = Get-AuthenticodeSignature $FilePath + + if ($signature.Status -ne "Valid") { + throw "Signature status is not valid. Status: $($signature.Status)" + } + + if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) { + throw "Signature thumbprint do not match expected" + } + + Write-Output "Signature for $FilePath is valid" +} \ No newline at end of file diff --git a/images/win/scripts/Installers/Install-MongoDB.ps1 b/images/win/scripts/Installers/Install-MongoDB.ps1 index c7697810..0387aa26 100644 --- a/images/win/scripts/Installers/Install-MongoDB.ps1 +++ b/images/win/scripts/Installers/Install-MongoDB.ps1 @@ -22,7 +22,7 @@ $installDir = "c:\PROGRA~1\MongoDB" $binaryName = "mongodb-windows-x86_64-$LatestVersion-signed.msi" $downloadURL = "https://fastdl.mongodb.org/windows/$BinaryName" $installArg = "INSTALLLOCATION=$installDir ADDLOCAL=all" -Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg) +Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg) -ExpectedSignature (Get-ToolsetContent).mongodb.signature # Add mongodb to the PATH 
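Review bot: The nested `if ($ExpectedSignature) { … } else { throw … }` inside the `ContainsKey` check reads more clearly as a guard, and the added block carries a stray blank line after the `Test-FileSignature` call. Inside the `ContainsKey` block, `if (-not $ExpectedSignature) { throw "ExpectedSignature parameter is specified, but no signature is provided." }` followed by `Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature` expresses the same fail-closed behaviour with one level less nesting. A short comment such as `# Verify the Authenticode signature before any installer is started; applies to both the Url and LocalPath parameter sets` would make the placement of the check, ahead of the msi/exe branch, intentional for the next reader. The Install-Binary body starts and ends outside the hunk.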
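Review bot: In `Test-FileSignature`, `$signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint)` is a substring test, so a partial thumbprint (even a single hex digit) passed as `-ExpectedThumbprint` is accepted, while `.Contains` is also a case-sensitive ordinal compare that would reject a lowercase value of the correct thumbprint. Replace it with an exact comparison: `if ($signature.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) { throw "Signature thumbprint does not match expected. Actual: $($signature.SignerCertificate.Thumbprint)" }` (PowerShell `-ne` is case-insensitive, and logging the actual thumbprint tells the maintainer which value to pin). `Write-Output "Signature for $FilePath is valid"` puts the string on the caller's pipeline, including Install-Binary's; `Write-Host` or `Write-Verbose` keeps the function's output clean. The pinned value is the thumbprint of the leaf signing certificate, so a certificate renewal by the publisher will make the install fail closed until the toolset value is updated; a comment stating this on the function would help whoever triages that failure.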
diff --git a/images/win/toolsets/toolset-2019.json b/images/win/toolsets/toolset-2019.json
index ab5693d4..0837e56a 100644
--- a/images/win/toolsets/toolset-2019.json
+++ b/images/win/toolsets/toolset-2019.json
@@ -463,7 +463,8 @@
 "version": "5.7"
 },
 "mongodb": {
- "version": "5.0"
+ "version": "5.0",
+ "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
 },
 "nsis": {
 "version": "3.08"
diff --git a/images/win/toolsets/toolset-2022.json b/images/win/toolsets/toolset-2022.json
index d04cd0a3..51894eed 100644
--- a/images/win/toolsets/toolset-2022.json
+++ b/images/win/toolsets/toolset-2022.json
@@ -399,7 +399,8 @@
 "version": "8.0"
 },
 "mongodb": {
- "version": "5.0"
+ "version": "5.0",
+ "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
 },
 "nsis": {
 "version": "3.08"