1 | "use strict";
|
2 |
|
3 | Object.defineProperty(exports, "__esModule", {
|
4 | value: true
|
5 | });
|
6 | exports.verifySignature = verifySignature;
|
7 |
|
8 | function _builderUtilRuntime() {
|
9 | const data = require("builder-util-runtime");
|
10 |
|
11 | _builderUtilRuntime = function () {
|
12 | return data;
|
13 | };
|
14 |
|
15 | return data;
|
16 | }
|
17 |
|
18 | function _child_process() {
|
19 | const data = require("child_process");
|
20 |
|
21 | _child_process = function () {
|
22 | return data;
|
23 | };
|
24 |
|
25 | return data;
|
26 | }
|
27 |
|
28 | function os() {
|
29 | const data = _interopRequireWildcard(require("os"));
|
30 |
|
31 | os = function () {
|
32 | return data;
|
33 | };
|
34 |
|
35 | return data;
|
36 | }
|
37 |
|
38 | function _getRequireWildcardCache() { if (typeof WeakMap !== "function") return null; var cache = new WeakMap(); _getRequireWildcardCache = function () { return cache; }; return cache; }
|
39 |
|
40 | function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
|
41 |
|
42 |
|
43 |
|
44 |
|
45 | function verifySignature(publisherNames, unescapedTempUpdateFile, logger) {
|
46 | return new Promise(resolve => {
|
47 |
|
48 |
|
49 |
|
50 |
|
51 |
|
52 |
|
53 |
|
54 |
|
55 |
|
56 |
|
57 |
|
58 |
|
59 |
|
60 |
|
61 |
|
62 |
|
63 |
|
64 |
|
65 |
|
66 | const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''").replace(/`/g, "``");
|
67 |
|
68 |
|
69 | (0, _child_process().execFile)("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }`], {
|
70 | timeout: 20 * 1000
|
71 | }, (error, stdout, stderr) => {
|
72 | try {
|
73 | if (error != null || stderr) {
|
74 | handleError(logger, error, stderr);
|
75 | resolve(null);
|
76 | return;
|
77 | }
|
78 |
|
79 | const data = parseOut(Buffer.from(stdout, "base64").toString("utf-8"));
|
80 |
|
81 | if (data.Status === 0) {
|
82 | const name = (0, _builderUtilRuntime().parseDn)(data.SignerCertificate.Subject).get("CN");
|
83 |
|
84 | if (publisherNames.includes(name)) {
|
85 | resolve(null);
|
86 | return;
|
87 | }
|
88 | }
|
89 |
|
90 | const result = `publisherNames: ${publisherNames.join(" | ")}, raw info: ` + JSON.stringify(data, (name, value) => name === "RawData" ? undefined : value, 2);
|
91 | logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`);
|
92 | resolve(result);
|
93 | } catch (e) {
|
94 | logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`);
|
95 | resolve(null);
|
96 | return;
|
97 | }
|
98 | });
|
99 | });
|
100 | }
|
101 |
|
102 | function parseOut(out) {
|
103 | const data = JSON.parse(out);
|
104 | delete data.PrivateKey;
|
105 | delete data.IsOSBinary;
|
106 | delete data.SignatureType;
|
107 | const signerCertificate = data.SignerCertificate;
|
108 |
|
109 | if (signerCertificate != null) {
|
110 | delete signerCertificate.Archived;
|
111 | delete signerCertificate.Extensions;
|
112 | delete signerCertificate.Handle;
|
113 | delete signerCertificate.HasPrivateKey;
|
114 |
|
115 | delete signerCertificate.SubjectName;
|
116 | }
|
117 |
|
118 | delete data.Path;
|
119 | return data;
|
120 | }
|
121 |
|
122 | function handleError(logger, error, stderr) {
|
123 | if (isOldWin6()) {
|
124 | logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error || stderr}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
|
125 | return;
|
126 | }
|
127 |
|
128 | try {
|
129 | (0, _child_process().execFileSync)("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", "ConvertTo-Json test"], {
|
130 | timeout: 10 * 1000
|
131 | });
|
132 | } catch (testError) {
|
133 | logger.warn(`Cannot execute ConvertTo-Json: ${testError.message}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
|
134 | return;
|
135 | }
|
136 |
|
137 | if (error != null) {
|
138 | throw error;
|
139 | }
|
140 |
|
141 | if (stderr) {
|
142 | logger.warn(`Cannot execute Get-AuthenticodeSignature, stderr: ${stderr}. Ignoring signature validation due to unknown stderr.`);
|
143 | return;
|
144 | }
|
145 | }
|
146 |
|
147 | function isOldWin6() {
|
148 | const winVersion = os().release();
|
149 | return winVersion.startsWith("6.") && !winVersion.startsWith("6.3");
|
150 | }
|
151 |
|
152 |
|
\ | No newline at end of file |