[Windows] Add signature validator for MongoDB (#8304)

2025-12-20 06:35:47 +00:00 · 2023-09-22 10:52:16 +02:00
parent c0a84fc9dd
commit 55ce401f7f
4 changed files with 41 additions and 5 deletions
--- a/images/win/scripts/ImageHelpers/InstallHelpers.ps1
+++ b/images/win/scripts/ImageHelpers/InstallHelpers.ps1
@@ -17,7 +17,7 @@ function Install-Binary
        The list of arguments that will be passed to the installer. Required for .exe binaries.
    .EXAMPLE
-        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet")
+        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") -ExpectedSignature "XXXXXXXXXXXXXXXXXXXXXXXXXX"
    #>
    Param
@@ -28,7 +28,8 @@ function Install-Binary
        [String] $Name,
        [Parameter(Mandatory, ParameterSetName="LocalPath")]
        [String] $FilePath,
-        [String[]] $ArgumentList
+        [String[]] $ArgumentList,
        [String] $ExpectedSignature
    )
    if ($PSCmdlet.ParameterSetName -eq "LocalPath")
@@ -41,6 +42,19 @@ function Install-Binary
        $filePath = Start-DownloadWithRetry -Url $Url -Name $Name
    }
    if ($PSBoundParameters.ContainsKey('ExpectedSignature'))
    {
        if ($ExpectedSignature)
        {
            Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature
        }
        else
        {
            throw "ExpectedSignature parameter is specified, but no signature is provided."
        }
    }
    # MSI binaries should be installed via msiexec.exe
    $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "")
    if ($fileExtension -eq "msi")
@@ -687,3 +701,23 @@ function Get-HashFromGitHubReleaseBody {
    }
    return $result
 }
 function Test-FileSignature {
    param(
        [Parameter(Mandatory=$true)]
        [string]$FilePath,
        [Parameter(Mandatory=$true)]
        [string]$ExpectedThumbprint
    )
    $signature = Get-AuthenticodeSignature $FilePath
    if ($signature.Status -ne "Valid") {
        throw "Signature status is not valid. Status: $($signature.Status)"
    }
    if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) {
        throw "Signature thumbprint do not match expected"
    }
    Write-Output "Signature for $FilePath is valid"
 }
--- a/images/win/scripts/Installers/Install-MongoDB.ps1
+++ b/images/win/scripts/Installers/Install-MongoDB.ps1
@@ -22,7 +22,7 @@ $installDir = "c:\PROGRA~1\MongoDB"
 $binaryName = "mongodb-windows-x86_64-$LatestVersion-signed.msi"
 $downloadURL = "https://fastdl.mongodb.org/windows/$BinaryName"
 $installArg = "INSTALLLOCATION=$installDir ADDLOCAL=all"
-Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg)
+Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg) -ExpectedSignature (Get-ToolsetContent).mongodb.signature
 # Add mongodb to the PATH
--- a/images/win/toolsets/toolset-2019.json
+++ b/images/win/toolsets/toolset-2019.json
@@ -463,7 +463,8 @@
        "version": "5.7"
    },
    "mongodb": {
-        "version": "5.0"
+        "version": "5.0",
        "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
    },
    "nsis": {
        "version": "3.08"
--- a/images/win/toolsets/toolset-2022.json
+++ b/images/win/toolsets/toolset-2022.json
@@ -399,7 +399,8 @@
        "version": "8.0"
    },
    "mongodb": {
-        "version": "5.0"
+        "version": "5.0",
        "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
    },
    "nsis": {
        "version": "3.08"