[Windows] Add signature validator for MongoDB (#8304)

images/win/scripts/ImageHelpers/InstallHelpers.ps1

@@ -17,7 +17,7 @@ function Install-Binary
         The list of arguments that will be passed to the installer. Required for .exe binaries.
 
     .EXAMPLE
-        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet")
+        Install-Binary -Url "https://go.microsoft.com/fwlink/p/?linkid=2083338" -Name "winsdksetup.exe" -ArgumentList ("/features", "+", "/quiet") -ExpectedSignature "XXXXXXXXXXXXXXXXXXXXXXXXXX"
     #>
 
     Param
@@ -28,7 +28,8 @@ function Install-Binary
         [String] $Name,
         [Parameter(Mandatory, ParameterSetName="LocalPath")]
         [String] $FilePath,
-        [String[]] $ArgumentList
+        [String[]] $ArgumentList,
+        [String] $ExpectedSignature
     )
 
     if ($PSCmdlet.ParameterSetName -eq "LocalPath")
@@ -41,6 +42,19 @@ function Install-Binary
         $filePath = Start-DownloadWithRetry -Url $Url -Name $Name
     }
 
+    if ($PSBoundParameters.ContainsKey('ExpectedSignature'))
+    {
+        if ($ExpectedSignature)
+        {
+            Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature
+
+        }
+        else
+        {
+            throw "ExpectedSignature parameter is specified, but no signature is provided."
+        }
+    }
+
     # MSI binaries should be installed via msiexec.exe
     $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "")
     if ($fileExtension -eq "msi")
@@ -687,3 +701,23 @@ function Get-HashFromGitHubReleaseBody {
     }
     return $result
 }
+function Test-FileSignature {
+    param(
+        [Parameter(Mandatory=$true)]
+        [string]$FilePath,
+        [Parameter(Mandatory=$true)]
+        [string]$ExpectedThumbprint
+    )
+ 
+    $signature = Get-AuthenticodeSignature $FilePath
+ 
+    if ($signature.Status -ne "Valid") {
+        throw "Signature status is not valid. Status: $($signature.Status)"
+    }
+
+    if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) {
+        throw "Signature thumbprint do not match expected"
+    }
+
+    Write-Output "Signature for $FilePath is valid"
+}

images/win/scripts/Installers/Install-MongoDB.ps1

@@ -22,7 +22,7 @@ $installDir = "c:\PROGRA~1\MongoDB"
 $binaryName = "mongodb-windows-x86_64-$LatestVersion-signed.msi"
 $downloadURL = "https://fastdl.mongodb.org/windows/$BinaryName"
 $installArg = "INSTALLLOCATION=$installDir ADDLOCAL=all"
-Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg)
+Install-Binary -Url $downloadURL -Name $binaryName -ArgumentList ("/q","/i","${env:Temp}\$binaryName", $installArg) -ExpectedSignature (Get-ToolsetContent).mongodb.signature
 
 
 # Add mongodb to the PATH

images/win/toolsets/toolset-2019.json

@@ -463,7 +463,8 @@
         "version": "5.7"
     },
     "mongodb": {
-        "version": "5.0"
+        "version": "5.0",
+        "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
     },
     "nsis": {
         "version": "3.08"

images/win/toolsets/toolset-2022.json

@@ -399,7 +399,8 @@
         "version": "8.0"
     },
     "mongodb": {
-        "version": "5.0"
+        "version": "5.0",
+        "signature": "F2D7C28591847BB2CB2B1C2A0C59459FDC728A38"
     },
     "nsis": {
         "version": "3.08"