[Windows] Add signature validation (#8390)

images/win/scripts/ImageHelpers/ImageHelpers.psm1

@@ -57,4 +57,5 @@ Export-ModuleMember -Function @(
     'Get-ModuleVersionAsJob'
     'Use-ChecksumComparison'
     'Get-HashFromGitHubReleaseBody'
+    'Test-FileSignature'
 )

images/win/scripts/ImageHelpers/InstallHelpers.ps1

@@ -29,7 +29,7 @@ function Install-Binary
         [Parameter(Mandatory, ParameterSetName="LocalPath")]
         [String] $FilePath,
         [String[]] $ArgumentList,
-        [String] $ExpectedSignature
+        [String[]] $ExpectedSignature
     )
 
     if ($PSCmdlet.ParameterSetName -eq "LocalPath")
@@ -47,14 +47,13 @@ function Install-Binary
         if ($ExpectedSignature)
         {
             Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature
-
         }
         else
         {
             throw "ExpectedSignature parameter is specified, but no signature is provided."
         }
     }
-
+ 
     # MSI binaries should be installed via msiexec.exe
     $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "")
     if ($fileExtension -eq "msi")
@@ -722,18 +721,27 @@ function Test-FileSignature {
         [Parameter(Mandatory=$true)]
         [string]$FilePath,
         [Parameter(Mandatory=$true)]
-        [string]$ExpectedThumbprint
+        [string[]]$ExpectedThumbprint
     )
- 
+
     $signature = Get-AuthenticodeSignature $FilePath
- 
+
     if ($signature.Status -ne "Valid") {
         throw "Signature status is not valid. Status: $($signature.Status)"
     }
-
-    if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) {
-        throw "Signature thumbprint do not match expected"
+    
+    foreach ($thumbprint in $ExpectedThumbprint) {
+        if ($signature.SignerCertificate.Thumbprint.Contains($thumbprint)) {
+            Write-Output "Signature for $FilePath is valid"
+            $signatureMatched = $true
+            return
+        }
     }
 
-    Write-Output "Signature for $FilePath is valid"
+    if ($signatureMatched) {
+        Write-Output "Signature for $FilePath is valid"
+    }
+    else {
+        throw "Signature thumbprint do not match expected."
+    }
 }

images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1

@@ -28,7 +28,8 @@ Function Install-VisualStudio {
         [Parameter(Mandatory)] [String] $Edition,
         [Parameter(Mandatory)] [String] $Channel,
         [Parameter(Mandatory)] [String[]] $RequiredComponents,
-        [String] $ExtraArgs = ""
+        [String] $ExtraArgs = "",
+        [Parameter(Mandatory)] [String] $SignatureThumbprint
     )
 
     $bootstrapperUrl = "https://aka.ms/vs/${Version}/${Channel}/vs_${Edition}.exe"
@@ -40,6 +41,9 @@ Function Install-VisualStudio {
     $BootstrapperName = [IO.Path]::GetFileName($BootstrapperUrl)
     $bootstrapperFilePath = Start-DownloadWithRetry -Url $BootstrapperUrl -Name $BootstrapperName
 
+    # Verify that the bootstrapper is signed by Microsoft
+    Test-FileSignature -FilePath $bootstrapperFilePath -ExpectedThumbprint $SignatureThumbprint
+
     try {
         Write-Host "Enable short name support on Windows needed for Xamarin Android AOT, defaults appear to have been changed in Azure VMs"
         $shortNameEnableProcess = Start-Process -FilePath fsutil.exe -ArgumentList ('8dot3name', 'set', '0') -Wait -PassThru
@@ -124,4 +128,4 @@ function Get-VisualStudioComponents {
     (Get-VisualStudioInstance).Packages | Where-Object type -in 'Component', 'Workload' |
     Sort-Object Id, Version | Select-Object @{n = 'Package'; e = {$_.Id}}, Version |
     Where-Object { $_.Package -notmatch "[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}" }
-}
+}