[Windows] Add signature validator for MongoDB (#8304)

2025-12-20 06:29:50 +00:00 · 2023-09-22 10:52:16 +02:00
parent c0a84fc9dd
commit 55ce401f7f
4 changed files with 41 additions and 5 deletions
--- a/images/win/scripts/ImageHelpers/InstallHelpers.ps1
+++ b/images/win/scripts/ImageHelpers/InstallHelpers.ps1
@@ -17,7 +17,7 @@ function Install-Binary
        The list of arguments that will be passed to the installer. Required for .exe binaries.

    .EXAMPLE
-        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet")
+        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") -ExpectedSignature "XXXXXXXXXXXXXXXXXXXXXXXXXX"
    #>

    Param
@@ -28,7 +28,8 @@ function Install-Binary
        [String] $Name,
        [Parameter(Mandatory, ParameterSetName="LocalPath")]
        [String] $FilePath,
-        [String[]] $ArgumentList
+        [String[]] $ArgumentList,
+        [String] $ExpectedSignature
    )

    if ($PSCmdlet.ParameterSetName -eq "LocalPath")
@@ -41,6 +42,19 @@ function Install-Binary
        $filePath = Start-DownloadWithRetry -Url $Url -Name $Name
    }

+    if ($PSBoundParameters.ContainsKey('ExpectedSignature'))
+    {
+        if ($ExpectedSignature)
+        {
+            Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature
+
+        }
+        else
+        {
+            throw "ExpectedSignature parameter is specified, but no signature is provided."
+        }
+    }
+
    # MSI binaries should be installed via msiexec.exe
    $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "")
    if ($fileExtension -eq "msi")
@@ -687,3 +701,23 @@ function Get-HashFromGitHubReleaseBody {
    }
    return $result
 }
+function Test-FileSignature {
+    param(
+        [Parameter(Mandatory=$true)]
+        [string]$FilePath,
+        [Parameter(Mandatory=$true)]
+        [string]$ExpectedThumbprint
+    )
+ 
+    $signature = Get-AuthenticodeSignature $FilePath
+ 
+    if ($signature.Status -ne "Valid") {
+        throw "Signature status is not valid. Status: $($signature.Status)"
+    }
+
+    if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) {
+        throw "Signature thumbprint do not match expected"
+    }
+
+    Write-Output "Signature for $FilePath is valid"
+}