UNPKG

electron-updater/out/windowsExecutableCodeSignatureVerifier.js

Version:

6.21 kBJavaScriptView Raw

1"use strict";
2
3Object.defineProperty(exports, "__esModule", {
4  value: true
5});
6exports.verifySignature = verifySignature;
7
8function _builderUtilRuntime() {
9  const data = require("builder-util-runtime");
10
11  _builderUtilRuntime = function () {
12    return data;
13  };
14
15  return data;
16}
17
18function _child_process() {
19  const data = require("child_process");
20
21  _child_process = function () {
22    return data;
23  };
24
25  return data;
26}
27
28function os() {
29  const data = _interopRequireWildcard(require("os"));
30
31  os = function () {
32    return data;
33  };
34
35  return data;
36}
37
38function _getRequireWildcardCache() { if (typeof WeakMap !== "function") return null; var cache = new WeakMap(); _getRequireWildcardCache = function () { return cache; }; return cache; }
39
40function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
41
42// $certificateInfo = (Get-AuthenticodeSignature 'xxx\yyy.exe'
43// | where {$_.Status.Equals([System.Management.Automation.SignatureStatus]::Valid) -and $_.SignerCertificate.Subject.Contains("CN=siemens.com")})
44// | Out-String ; if ($certificateInfo) { exit 0 } else { exit 1 }
45function verifySignature(publisherNames, unescapedTempUpdateFile, logger) {
46  return new Promise(resolve => {
47    // Escape quotes and backticks in filenames to prevent user from breaking the
48    // arguments and perform a remote command injection.
49    //
50    // Consider example powershell command:
51    // ```powershell
52    // Get-AuthenticodeSignature 'C:\\path\\my-bad-';calc;'filename.exe'
53    // ```
54    // The above would work expected and find the file name, however, it will also execute `;calc;`
55    // command and start the calculator app.
56    //
57    // From Powershell quoting rules:
58    // https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules?view=powershell-7
59    // * Double quotes `"` are treated literally within single-quoted strings;
60    // * Single quotes can be escaped by doubling them: 'don''t' -> don't;
61    // * Backticks can be escaped by doubling them: 'A backtick (``) character';
62    //
63    // Also note that at this point the file has already been written to the disk, thus we are
64    // guaranteed that the path will not contains any illegal characters like <>:"/\|?*
65    // https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file
66    const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''").replace(/`/g, "``"); // https://github.com/electron-userland/electron-builder/issues/2421
67    // https://github.com/electron-userland/electron-builder/issues/2535
68
69    (0, _child_process().execFile)("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }`], {
70      timeout: 20 * 1000
71    }, (error, stdout, stderr) => {
72      try {
73        if (error != null || stderr) {
74          handleError(logger, error, stderr);
75          resolve(null);
76          return;
77        }
78
79        const data = parseOut(Buffer.from(stdout, "base64").toString("utf-8"));
80
81        if (data.Status === 0) {
82          const name = (0, _builderUtilRuntime().parseDn)(data.SignerCertificate.Subject).get("CN");
83
84          if (publisherNames.includes(name)) {
85            resolve(null);
86            return;
87          }
88        }
89
90        const result = `publisherNames: ${publisherNames.join(" | ")}, raw info: ` + JSON.stringify(data, (name, value) => name === "RawData" ? undefined : value, 2);
91        logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`);
92        resolve(result);
93      } catch (e) {
94        logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`);
95        resolve(null);
96        return;
97      }
98    });
99  });
100}
101
102function parseOut(out) {
103  const data = JSON.parse(out);
104  delete data.PrivateKey;
105  delete data.IsOSBinary;
106  delete data.SignatureType;
107  const signerCertificate = data.SignerCertificate;
108
109  if (signerCertificate != null) {
110    delete signerCertificate.Archived;
111    delete signerCertificate.Extensions;
112    delete signerCertificate.Handle;
113    delete signerCertificate.HasPrivateKey; // duplicates data.SignerCertificate (contains RawData)
114
115    delete signerCertificate.SubjectName;
116  }
117
118  delete data.Path;
119  return data;
120}
121
122function handleError(logger, error, stderr) {
123  if (isOldWin6()) {
124    logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error || stderr}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
125    return;
126  }
127
128  try {
129    (0, _child_process().execFileSync)("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", "ConvertTo-Json test"], {
130      timeout: 10 * 1000
131    });
132  } catch (testError) {
133    logger.warn(`Cannot execute ConvertTo-Json: ${testError.message}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
134    return;
135  }
136
137  if (error != null) {
138    throw error;
139  }
140
141  if (stderr) {
142    logger.warn(`Cannot execute Get-AuthenticodeSignature, stderr: ${stderr}. Ignoring signature validation due to unknown stderr.`);
143    return;
144  }
145}
146
147function isOldWin6() {
148  const winVersion = os().release();
149  return winVersion.startsWith("6.") && !winVersion.startsWith("6.3");
150} 
151// __ts-babel@6.0.4
152//# sourceMappingURL=windowsExecutableCodeSignatureVerifier.js.map
\No newline at end of file

1	`"use strict";`
2
3	`Object.defineProperty(exports, "__esModule", {`
4	`value: true`
5	`});`
6	`exports.verifySignature = verifySignature;`
7
8	`function _builderUtilRuntime() {`
9	`const data = require("builder-util-runtime");`
10
11	`_builderUtilRuntime = function () {`
12	`return data;`
13	`};`
14
15	`return data;`
16	`}`
17
18	`function _child_process() {`
19	`const data = require("child_process");`
20
21	`_child_process = function () {`
22	`return data;`
23	`};`
24
25	`return data;`
26	`}`
27
28	`function os() {`
29	`const data = _interopRequireWildcard(require("os"));`
30
31	`os = function () {`
32	`return data;`
33	`};`
34
35	`return data;`
36	`}`
37
38	`function _getRequireWildcardCache() { if (typeof WeakMap !== "function") return null; var cache = new WeakMap(); _getRequireWildcardCache = function () { return cache; }; return cache; }`
39
40	function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } if (obj === null \|\| typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get \|\| desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
41
42	`// $certificateInfo = (Get-AuthenticodeSignature 'xxx\yyy.exe'`
43	`// \| where {$_.Status.Equals([System.Management.Automation.SignatureStatus]::Valid) -and $_.SignerCertificate.Subject.Contains("CN=siemens.com")})`
44	`// \| Out-String ; if ($certificateInfo) { exit 0 } else { exit 1 }`
45	`function verifySignature(publisherNames, unescapedTempUpdateFile, logger) {`
46	`return new Promise(resolve => {`
47	`// Escape quotes and backticks in filenames to prevent user from breaking the`
48	`// arguments and perform a remote command injection.`
49	`//`
50	`// Consider example powershell command:`
51	// ```powershell
52	`// Get-AuthenticodeSignature 'C:\\path\\my-bad-';calc;'filename.exe'`
53	// ```
54	// The above would work expected and find the file name, however, it will also execute `;calc;`
55	`// command and start the calculator app.`
56	`//`
57	`// From Powershell quoting rules:`
58	`// https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules?view=powershell-7`
59	// * Double quotes `"` are treated literally within single-quoted strings;
60	`// * Single quotes can be escaped by doubling them: 'don''t' -> don't;`
61	// * Backticks can be escaped by doubling them: 'A backtick (``) character';
62	`//`
63	`// Also note that at this point the file has already been written to the disk, thus we are`
64	`// guaranteed that the path will not contains any illegal characters like <>:"/\\|?*`
65	`// https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file`
66	const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''").replace(/`/g, "``"); // https://github.com/electron-userland/electron-builder/issues/2421
67	`// https://github.com/electron-userland/electron-builder/issues/2535`
68
69	(0, _child_process().execFile)("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '${tempUpdateFile}' \| ConvertTo-Json -Compress \| ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }`], {
70	`timeout: 20 * 1000`
71	`}, (error, stdout, stderr) => {`
72	`try {`
73	`if (error != null \|\| stderr) {`
74	`handleError(logger, error, stderr);`
75	`resolve(null);`
76	`return;`
77	`}`
78
79	`const data = parseOut(Buffer.from(stdout, "base64").toString("utf-8"));`
80
81	`if (data.Status === 0) {`
82	`const name = (0, _builderUtilRuntime().parseDn)(data.SignerCertificate.Subject).get("CN");`
83
84	`if (publisherNames.includes(name)) {`
85	`resolve(null);`
86	`return;`
87	`}`
88	`}`
89
90	const result = `publisherNames: ${publisherNames.join(" \| ")}, raw info: ` + JSON.stringify(data, (name, value) => name === "RawData" ? undefined : value, 2);
91	logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`);
92	`resolve(result);`
93	`} catch (e) {`
94	logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`);
95	`resolve(null);`
96	`return;`
97	`}`
98	`});`
99	`});`
100	`}`
101
102	`function parseOut(out) {`
103	`const data = JSON.parse(out);`
104	`delete data.PrivateKey;`
105	`delete data.IsOSBinary;`
106	`delete data.SignatureType;`
107	`const signerCertificate = data.SignerCertificate;`
108
109	`if (signerCertificate != null) {`
110	`delete signerCertificate.Archived;`
111	`delete signerCertificate.Extensions;`
112	`delete signerCertificate.Handle;`
113	`delete signerCertificate.HasPrivateKey; // duplicates data.SignerCertificate (contains RawData)`
114
115	`delete signerCertificate.SubjectName;`
116	`}`
117
118	`delete data.Path;`
119	`return data;`
120	`}`
121
122	`function handleError(logger, error, stderr) {`
123	`if (isOldWin6()) {`
124	logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error \|\| stderr}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
125	`return;`
126	`}`
127
128	`try {`
129	`(0, _child_process().execFileSync)("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", "ConvertTo-Json test"], {`
130	`timeout: 10 * 1000`
131	`});`
132	`} catch (testError) {`
133	logger.warn(`Cannot execute ConvertTo-Json: ${testError.message}. Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.`);
134	`return;`
135	`}`
136
137	`if (error != null) {`
138	`throw error;`
139	`}`
140
141	`if (stderr) {`
142	logger.warn(`Cannot execute Get-AuthenticodeSignature, stderr: ${stderr}. Ignoring signature validation due to unknown stderr.`);
143	`return;`
144	`}`
145	`}`
146
147	`function isOldWin6() {`
148	`const winVersion = os().release();`
149	`return winVersion.startsWith("6.") && !winVersion.startsWith("6.3");`
150	`}`
151	`// __ts-babel@6.0.4`
152	`//# sourceMappingURL=windowsExecutableCodeSignatureVerifier.js.map`
\	No newline at end of file