Validate authenticode signature using the certificate Subject (#12474)

* Use cerificate subject to verify authenticode signature * Use function instead of script variables * Switch all places to using Get-MicrosoftPublisher * Remove SignatureThumbprint * Use common subject for the Edge driver
2026-01-04 17:18:52 +08:00 · 2025-06-30 21:33:57 -04:00
parent 0790ef6e2a
commit 7eede67cd0
25 changed files with 72 additions and 103 deletions
--- a/images/windows/scripts/build/Install-AWSTools.ps1
+++ b/images/windows/scripts/build/Install-AWSTools.ps1
@@ -11,7 +11,7 @@ Install-ChocoPackage awscli
 Install-Binary `
    -Url "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/SessionManagerPluginSetup.exe" `
    -InstallArgs ("/silent", "/install") `
-    -ExpectedSignature "CFC0CE0547A698E5F3FA78F819654CE016D76464"
+    -ExpectedSubject 'CN="Amazon Web Services, Inc.", OU=AWS Systems Manager, O="Amazon Web Services, Inc.", L=Seattle, S=Washington, C=US, SERIALNUMBER=4152954, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'
 $env:Path = $env:Path + ";$env:ProgramFiles\Amazon\SessionManagerPlugin\bin"

 # Install AWS SAM CLI
--- a/images/windows/scripts/build/Install-AzureCli.ps1
+++ b/images/windows/scripts/build/Install-AzureCli.ps1
@@ -15,7 +15,7 @@ New-Item -ItemType 'Directory' -Path $azureCliExtensionPath | Out-Null

 Install-Binary -Type MSI `
    -Url 'https://aka.ms/installazurecliwindowsx64' `
-    -ExpectedSignature '245D262748012A4FE6CE8BA6C951A4C4AFBC3E5D'
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Update-Environment

--- a/images/windows/scripts/build/Install-BizTalkBuildComponent.ps1
+++ b/images/windows/scripts/build/Install-BizTalkBuildComponent.ps1
@@ -4,7 +4,6 @@
 ################################################################################

 $downloadUrl = "https://aka.ms/BuildComponentSetup.EN"
-$signatureThumbprint = "8740DF4ACB749640AD318E4BE842F72EC651AD80"

 Write-Host "Downloading BizTalk Project Build Component archive..."
 $zipFile = Invoke-DownloadWithRetry $downloadUrl
@@ -19,10 +18,10 @@ Write-Host "Installing BizTalk Project Build Component..."
 Install-Binary `
    -LocalPath "$setupPath\Bootstrap.msi" `
    -ExtraInstallArgs ("/l*v", "$setupPath\bootstrap.log") `
-    -ExpectedSignature $signatureThumbprint
+    -ExpectedSubject $(Get-MicrosoftPublisher)
 Install-Binary `
    -LocalPath "$setupPath\BuildComponentSetup.msi" `
    -ExtraInstallArgs ("/l*v", "$setupPath\buildComponentSetup.log") `
-    -ExpectedSignature $signatureThumbprint
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Invoke-PesterTests -TestFile "BizTalk" -TestName "BizTalk Build Component Setup"
--- a/images/windows/scripts/build/Install-Chocolatey.ps1
+++ b/images/windows/scripts/build/Install-Chocolatey.ps1
@@ -13,9 +13,8 @@ Add-MachinePathItem 'C:\ProgramData\Chocolatey\bin'
 Update-Environment

 # Verify and run choco installer
-$signatureThumbprint = "B009C875F4E10FFBC62B785BAF4FC4D6BC2D5711"
 $installScriptPath = Invoke-DownloadWithRetry 'https://chocolatey.org/install.ps1'
-Test-FileSignature -Path $installScriptPath -ExpectedThumbprint $signatureThumbprint
+Test-FileSignature -Path $installScriptPath -ExpectedSubject 'CN="Chocolatey Software, Inc", O="Chocolatey Software, Inc", L=Topeka, S=Kansas, C=US'
 Invoke-Expression $installScriptPath

 # Turn off confirmation
--- a/images/windows/scripts/build/Install-Chrome.ps1
+++ b/images/windows/scripts/build/Install-Chrome.ps1
@@ -6,7 +6,7 @@
 # Download and install latest Chrome browser
 Install-Binary `
    -Url 'https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise64.msi' `
-    -ExpectedSignature '607A3EDAA64933E94422FC8F0C80388E0590986C'
+    -ExpectedSubject 'CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US, SERIALNUMBER=3582691, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'

 # Prepare firewall rules
 Write-Host "Adding the firewall rule for Google update blocking..."
--- a/images/windows/scripts/build/Install-CloudFoundryCli.ps1
+++ b/images/windows/scripts/build/Install-CloudFoundryCli.ps1
@@ -20,7 +20,6 @@ Expand-7ZipArchive -Path $cloudFoundryArchPath -DestinationPath $cloudFoundryCli
 Add-MachinePathItem $cloudFoundryCliPath

 # Validate cf signature
-$cloudFoundrySignatureThumbprint = "2C6B2F1562698503A6E4A25F2DF058E12E23A190"
-Test-FileSignature -Path "$cloudFoundryCliPath\cf.exe" -ExpectedThumbprint $cloudFoundrySignatureThumbprint
+Test-FileSignature -Path "$cloudFoundryCliPath\cf.exe" -ExpectedSubject 'CN="LF Projects, LLC", O="LF Projects, LLC", L=Wilmington, S=Delaware, C=US'

 Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI"
--- a/images/windows/scripts/build/Install-DACFx.ps1
+++ b/images/windows/scripts/build/Install-DACFx.ps1
@@ -5,6 +5,6 @@

 Install-Binary -Type MSI `
    -Url 'https://aka.ms/dacfx-msi' `
-    -ExpectedSignature '8F985BE8FD256085C90A95D3C74580511A1DB975'
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Invoke-PesterTests -TestFile "Tools" -TestName "DACFx"
--- a/images/windows/scripts/build/Install-EdgeDriver.ps1
+++ b/images/windows/scripts/build/Install-EdgeDriver.ps1
@@ -27,13 +27,7 @@ Write-Host "Expand Microsoft Edge WebDriver archive..."
 Expand-7ZipArchive -Path $archivePath -DestinationPath $edgeDriverPath

 #Validate the EdgeDriver signature
-$signatureThumbprint = @(
-                         "7920AC8FB05E0FFFE21E8FF4B4F03093BA6AC16E",
-                         "0BD8C56733FDCC06F8CB919FF5A200E39B1ACF71",
-                         "F6EECCC7FF116889C2D5466AE7243D7AA7698689",
-                         "6ACE61BAE3F09F4DD2697806D73E022CBFE70EB4"
-                        )
-Test-FileSignature -Path "$edgeDriverPath\msedgedriver.exe" -ExpectedThumbprint $signatureThumbprint
+Test-FileSignature -Path "$edgeDriverPath\msedgedriver.exe" -ExpectedSubject $(Get-MicrosoftPublisher)

 Write-Host "Setting the environment variables..."
 [Environment]::SetEnvironmentVariable("EdgeWebDriver", $EdgeDriverPath, "Machine")
--- a/images/windows/scripts/build/Install-Firefox.ps1
+++ b/images/windows/scripts/build/Install-Firefox.ps1
@@ -53,8 +53,7 @@ Write-Host "Expand Gecko WebDriver archive..."
 Expand-7ZipArchive -Path $geckoDriverArchPath -DestinationPath $geckoDriverPath

 # Validate Gecko WebDriver signature
-$geckoDriverSignatureThumbprint = "6663D5C4FDAF9EFD5F823A26C9C410DC9928C44A"
-Test-FileSignature -Path "$geckoDriverPath/geckodriver.exe" -ExpectedThumbprint $geckoDriverSignatureThumbprint
+Test-FileSignature -Path "$geckoDriverPath/geckodriver.exe" -ExpectedSubject 'CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=San Francisco, S=California, C=US'

 Write-Host "Setting the environment variables..."
 Add-MachinePathItem -PathItem $geckoDriverPath
--- a/images/windows/scripts/build/Install-GoogleCloudCLI.ps1
+++ b/images/windows/scripts/build/Install-GoogleCloudCLI.ps1
@@ -7,6 +7,6 @@
 Install-Binary `
  -Url 'https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe' `
  -InstallArgs @("/S", "/allusers", "/noreporting") `
-  -ExpectedSignature '607A3EDAA64933E94422FC8F0C80388E0590986C'
+  -ExpectedSubject 'CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US, SERIALNUMBER=3582691, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'

 Invoke-PesterTests -TestFile "Tools" -TestName "GoogleCloudCLI"
--- a/images/windows/scripts/build/Install-MongoDB.ps1
+++ b/images/windows/scripts/build/Install-MongoDB.ps1
@@ -24,7 +24,7 @@ $latestVersion = $minorVersions[0]
 Install-Binary `
    -Url "https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-$latestVersion-signed.msi" `
    -ExtraInstallArgs @('TARGETDIR=C:\PROGRA~1\MongoDB ADDLOCAL=ALL') `
-    -ExpectedSignature $toolsetContent.mongodb.signature
+    -ExpectedSubject 'CN="MONGODB, INC.", O="MONGODB, INC.", L=New York, S=New York, C=US'

 # Add mongodb to the PATH
 $mongoPath = (Get-CimInstance Win32_Service -Filter "Name LIKE 'mongodb'").PathName
@@ -51,7 +51,7 @@ if (Test-IsWin25) {
    Install-Binary -Type MSI `
        -Url $mongoshDownloadUrl `
        -ExtraInstallArgs @('ALLUSERS=1') `
-        -ExpectedSignature 'A5BBE2A6DA1D2A6E057EF870267E6A91E4D56BAA'
+        -ExpectedSubject 'CN="MongoDB, Inc.", O="MongoDB, Inc.", L=New York, S=New York, C=US'
 }

 Invoke-PesterTests -TestFile "Databases" -TestName "MongoDB"
--- a/images/windows/scripts/build/Install-MysqlCli.ps1
+++ b/images/windows/scripts/build/Install-MysqlCli.ps1
@@ -30,7 +30,7 @@ $mysqlVersionUrl = "https://cdn.mysql.com/Downloads/MySQL-${mysqlVersionMajorMin

 Install-Binary `
    -Url $mysqlVersionUrl `
-    -ExpectedSignature (Get-ToolsetContent).mysql.signature
+    -ExpectedSubject 'CN="Oracle America, Inc.", O="Oracle America, Inc.", L=Redwood City, S=California, C=US, SERIALNUMBER=2101822, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'

 # Adding mysql in system environment path
 $mysqlPath = $(Get-ChildItem -Path "C:\PROGRA~1\MySQL" -Directory)[0].FullName
--- a/images/windows/scripts/build/Install-PostgreSQL.ps1
+++ b/images/windows/scripts/build/Install-PostgreSQL.ps1
@@ -66,7 +66,7 @@ $installerArgs = @("--install_runtimes 0", "--superpassword root", "--enable_acl
 Install-Binary `
    -Url $installerUrl `
    -InstallArgs $installerArgs `
-    -ExpectedSignature (Get-ToolsetContent).postgresql.signature `
+    -ExpectedSubject 'CN=EnterpriseDB Corporation, O=EnterpriseDB Corporation, S=Massachusetts, C=US' `
    -InstallerLogPath "$env:TEMP\**\install-postgresql.log"

 # Get Path to pg_ctl.exe
--- a/images/windows/scripts/build/Install-SQLOLEDBDriver.ps1
+++ b/images/windows/scripts/build/Install-SQLOLEDBDriver.ps1
@@ -6,4 +6,4 @@
 Install-Binary -Type MSI `
    -Url "https://go.microsoft.com/fwlink/?linkid=2242656" `
    -ExtraInstallArgs @("ADDLOCAL=ALL", "IACCEPTMSOLEDBSQLLICENSETERMS=YES") `
-    -ExpectedSignature '6E78B3DCE2998F6C2457C3E54DA90A01034916AE'
+    -ExpectedSubject $(Get-MicrosoftPublisher)
--- a/images/windows/scripts/build/Install-SQLPowerShellTools.ps1
+++ b/images/windows/scripts/build/Install-SQLPowerShellTools.ps1
@@ -4,17 +4,16 @@
 ################################################################################

 $baseUrl = "https://download.microsoft.com/download/B/1/7/B1783FE9-717B-4F78-A39A-A2E27E3D679D/ENU/x64"
-$signatureThumbrint = "9ACA9419E53D3C9E56396DD2335FF683A8B0B8F3"

 # install required MSIs
 Install-Binary `
    -Url "${baseUrl}/SQLSysClrTypes.msi" `
-    -ExpectedSignature $signatureThumbrint
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Install-Binary `
    -Url "${baseUrl}/SharedManagementObjects.msi" `
-    -ExpectedSignature $signatureThumbrint
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Install-Binary `
    -Url "${baseUrl}/PowerShellTools.msi" `
-    -ExpectedSignature $signatureThumbrint
+    -ExpectedSubject $(Get-MicrosoftPublisher)
--- a/images/windows/scripts/build/Install-VisualStudio.ps1
+++ b/images/windows/scripts/build/Install-VisualStudio.ps1
@@ -11,8 +11,7 @@ if (Test-IsWin19) {
        -Edition $vsToolset.edition `
        -Channel $vsToolset.channel `
        -RequiredComponents $vsToolset.workloads `
-        -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64" `
-        -SignatureThumbprint $vsToolset.signature
+        -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64"
 }

 if ( (Test-IsWin22) -or (Test-IsWin25) ) {
@@ -23,8 +22,7 @@ if ( (Test-IsWin22) -or (Test-IsWin25) ) {
        -Channel $vsToolset.channel `
        -InstallChannel $vsToolset.installChannel `
        -RequiredComponents $vsToolset.workloads `
-        -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64" `
-        -SignatureThumbprint $vsToolset.signature
+        -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64"
 }

 # Find the version of VS installed for this instance
@@ -46,13 +44,13 @@ if (Test-IsWin19) {
    Install-Binary -Type EXE `
        -Url 'https://go.microsoft.com/fwlink/p/?LinkId=838916' `
        -InstallArgs @("/q", "/norestart", "/ceip off", "/features OptionId.WindowsSoftwareDevelopmentKit") `
-        -ExpectedSignature 'C91545B333C52C4465DE8B90A3FAF4E1D9C58DFA'
+        -ExpectedSubject 'CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

    # Install Windows 11 SDK version 10.0.22621.0
    Install-Binary -Type EXE `
        -Url 'https://go.microsoft.com/fwlink/p/?linkid=2196241' `
        -InstallArgs @("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") `
-        -ExpectedSignature 'E4C5C5FCDB68B930EE4E19BC25D431EF6D864C51'
+        -ExpectedSubject $(Get-MicrosoftPublisher)
 }

 if (Test-IsWin22) {
@@ -60,7 +58,7 @@ if (Test-IsWin22) {
    Install-Binary -Type EXE `
    -Url 'https://go.microsoft.com/fwlink/p/?LinkID=2033908' `
    -InstallArgs @("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") `
-    -ExpectedSignature '7535269B94C1FEA4A5EF6D808E371DA242F27936'
+    -ExpectedSubject $(Get-MicrosoftPublisher)
 }

 if (-not (Test-IsWin19)) {
@@ -68,7 +66,7 @@ if (-not (Test-IsWin19)) {
     Install-Binary -Type EXE `
        -Url 'https://go.microsoft.com/fwlink/?linkid=2286561' `
        -InstallArgs @("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64") `
-        -ExpectedSignature '573EF451A68C33FB904346D44551BEF3BB5BBF68'
+        -ExpectedSubject $(Get-MicrosoftPublisher)
 }

 Invoke-PesterTests -TestFile "VisualStudio"
--- a/images/windows/scripts/build/Install-WDK.ps1
+++ b/images/windows/scripts/build/Install-WDK.ps1
@@ -9,15 +9,13 @@ if (Test-IsWin19) {
    Install-Binary -Type EXE `
        -Url 'https://go.microsoft.com/fwlink/?linkid=2173743' `
        -InstallArgs @("/features", "+", "/quiet") `
-        -ExpectedSignature '44796EB5BD439B4BFB078E1DC2F8345AE313CBB1'
+        -ExpectedSubject $(Get-MicrosoftPublisher)

    $wdkUrl = "https://go.microsoft.com/fwlink/?linkid=2166289"
-    $wdkSignatureThumbprint = "914A09C2E02C696AF394048BCB8D95449BCD5B9E"
    $wdkExtensionPath = "C:\Program Files (x86)\Windows Kits\10\Vsix\VS2019\WDK.vsix"
 } elseif (Test-IsWin22) {
    # SDK is available through Visual Studio
    $wdkUrl = "https://go.microsoft.com/fwlink/?linkid=2294834"
-    $wdkSignatureThumbprint = "7920AC8FB05E0FFFE21E8FF4B4F03093BA6AC16E"
 } else {
    throw "Invalid version of Visual Studio is found. Either 2019 or 2022 are required"
 }
@@ -26,7 +24,7 @@ if (Test-IsWin19) {
 Install-Binary -Type EXE `
    -Url $wdkUrl `
    -InstallArgs @("/features", "+", "/quiet") `
-    -ExpectedSignature $wdkSignatureThumbprint
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 if (Test-IsWin19){
    # Need to install the VSIX to get the build targets when running VSBuild
--- a/images/windows/scripts/build/Install-WebPlatformInstaller.ps1
+++ b/images/windows/scripts/build/Install-WebPlatformInstaller.ps1
@@ -5,6 +5,6 @@

 Install-Binary -Type MSI `
    -Url 'https://go.microsoft.com/fwlink/?LinkId=287166' `
-    -ExpectedSignature 'C3A3D43788E7ABCD287CB4F5B6583043774F99D2'
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Invoke-PesterTests -TestFile "Tools" -TestName "WebPlatformInstaller"
--- a/images/windows/scripts/build/Install-WinAppDriver.ps1
+++ b/images/windows/scripts/build/Install-WinAppDriver.ps1
@@ -11,6 +11,6 @@ $downloadUrl = Resolve-GithubReleaseAssetUrl `

 Install-Binary `
    -Url $downloadUrl `
-    -ExpectedSignature '2485A7AFA98E178CB8F30C9838346B514AEA4769'
+    -ExpectedSubject $(Get-MicrosoftPublisher)

 Invoke-PesterTests -TestFile "WinAppDriver" -TestName "WinAppDriver"