"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySignature = void 0;
// parseDn is used to pull the CN out of the signer certificate's Subject string.
const builder_util_runtime_1 = require("builder-util-runtime");
// The verifier shells out to powershell.exe (execFile / execFileSync below).
const child_process_1 = require("child_process");
const os = require("os");
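/**
 * Verifies the Authenticode signature of a downloaded Windows installer by
 * running PowerShell's `Get-AuthenticodeSignature` on it and comparing the
 * signer certificate's CN (exact string match) against `publisherNames`.
 *
 * Resolution contract — the returned promise never rejects:
 *   - `null`:   the signature status is Valid and the signer CN is listed in
 *               `publisherNames`, OR the check could not be carried out at all
 *               (PowerShell missing/too old, timeout, anything on stderr,
 *               unparseable output). The "could not verify" case resolves the
 *               same value as "verified", i.e. this function is fail-open by
 *               design; every such path logs a warning first.
 *   - `string`: a diagnostic explaining the rejection (non-Valid status or a
 *               CN that is not in `publisherNames`).
 *
 * @param {string[]} publisherNames      CNs accepted for the signing certificate
 * @param {string} unescapedTempUpdateFile path of the downloaded file, unquoted
 * @param {{warn(message: string): void}} logger
 * @returns {Promise<string | null>}
 */
function verifySignature(publisherNames, unescapedTempUpdateFile, logger) {
    return new Promise(resolve => {
        // The path is interpolated into a single-quoted PowerShell literal, where
        // a `'` is the only character that can end the literal — doubling it keeps
        // the whole path inside the string. PowerShell's escape character (`) is
        // doubled as well. execFile passes the arguments without cmd.exe, so this
        // quoting is the only thing standing between the file name and the
        // PowerShell parser.
        const tempUpdateFile = unescapedTempUpdateFile.replace(/'/g, "''").replace(/`/g, "``");
        // The JSON is base64-encoded on the PowerShell side, presumably so that
        // console code-page transcoding cannot mangle non-ASCII subject names.
        const script = `Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }`;
        child_process_1.execFile("powershell.exe", [
            "-NoProfile",
            "-NonInteractive",
            "-InputFormat",
            "None",
            "-Command",
            script,
        ], {
            timeout: 20 * 1000,
        }, (error, stdout, stderr) => {
            try {
                if (error != null || stderr) {
                    // handleError either warns and returns (old/unsupported PowerShell,
                    // stderr-only failure) or rethrows `error`, which is caught below.
                    // Either way the check is skipped, not failed.
                    handleError(logger, error, stderr);
                    resolve(null);
                    return;
                }
                const data = parseOut(Buffer.from(stdout, "base64").toString("utf-8"));
                // Status 0 is SignatureStatus.Valid; any other status (NotSigned,
                // HashMismatch, NotTrusted, ...) falls through to the rejection below.
                if (data.Status === 0) {
                    const name = builder_util_runtime_1.parseDn(data.SignerCertificate.Subject).get("CN");
                    if (publisherNames.includes(name)) {
                        resolve(null);
                        return;
                    }
                }
                // RawData (the certificate bytes) is omitted to keep the diagnostic readable.
                const result = `publisherNames: ${publisherNames.join(" | ")}, raw info: ` + JSON.stringify(data, (key, value) => (key === "RawData" ? undefined : value), 2);
                logger.warn(`Sign verification failed, installer signed with incorrect certificate: ${result}`);
                resolve(result);
            }
            catch (e) {
                // Log the actual failure (`e`): a rethrown execFile error, a JSON.parse
                // failure, or a missing SignerCertificate. The previous message
                // interpolated `error`, which is null on every path except the rethrow.
                logger.warn(`Cannot execute Get-AuthenticodeSignature: ${e}. Ignoring signature validation due to unknown error.`);
                resolve(null);
            }
        });
    });
}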
// CommonJS named export of the verifier (exports.__esModule is set at the top of the file).
exports.verifySignature = verifySignature;
/**
 * Parses the JSON produced by `Get-AuthenticodeSignature | ConvertTo-Json` and
 * prunes members that play no part in the CN check and would only bloat the
 * diagnostic verifySignature logs on rejection: key-material related members
 * (PrivateKey, HasPrivateKey), the native Handle, certificate Extensions, the
 * SubjectName object (the Subject string is kept) and the inspected file Path.
 *
 * @param {string} out raw JSON text
 * @returns {any} the parsed object, mutated in place; SignerCertificate is
 *   pruned only when it is present (non-null)
 * @throws {SyntaxError} when `out` is not valid JSON
 */
function parseOut(out) {
    const data = JSON.parse(out);
    const topLevelNoise = ["PrivateKey", "IsOSBinary", "SignatureType", "Path"];
    for (const key of topLevelNoise) {
        delete data[key];
    }
    const cert = data.SignerCertificate;
    if (cert != null) {
        const certNoise = ["Archived", "Extensions", "Handle", "HasPrivateKey", "SubjectName"];
        for (const key of certNoise) {
            delete cert[key];
        }
    }
    return data;
}
/**
 * Classifies a failed `Get-AuthenticodeSignature` run. Every branch that
 * returns normally means "skip the check with a warning"; only an unexplained
 * non-null `error` is rethrown to the caller.
 *
 * Order of checks:
 *   1. Windows 6.0–6.2 (isOldWin6): warn, return.
 *   2. A `ConvertTo-Json` probe fails (cmdlet absent, i.e. PowerShell < 3 per
 *      the message below): warn, return. The probe is synchronous, which is
 *      acceptable on this error-only path.
 *   3. `error` is set: rethrow it.
 *   4. stderr only: warn, return.
 *
 * @param {{warn(message: string): void}} logger
 * @param {Error | null} error  error from execFile, if any
 * @param {string} stderr        captured stderr, possibly empty
 * @throws the original `error` when PowerShell itself looks healthy
 */
function handleError(logger, error, stderr) {
    const unsupported = "Ignoring signature validation due to unsupported powershell version. Please upgrade to powershell 3 or higher.";
    if (isOldWin6()) {
        logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error || stderr}. ${unsupported}`);
        return;
    }
    const probeArgs = ["-NoProfile", "-NonInteractive", "-Command", "ConvertTo-Json test"];
    try {
        child_process_1.execFileSync("powershell.exe", probeArgs, { timeout: 10 * 1000 });
    }
    catch (testError) {
        logger.warn(`Cannot execute ConvertTo-Json: ${testError.message}. ${unsupported}`);
        return;
    }
    if (error != null) {
        throw error;
    }
    if (stderr) {
        logger.warn(`Cannot execute Get-AuthenticodeSignature, stderr: ${stderr}. Ignoring signature validation due to unknown stderr.`);
    }
}
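/**
 * Detects the Windows releases this module treats as too old for the
 * verifier's PowerShell cmdlets (the "upgrade to powershell 3 or higher"
 * case in handleError).
 *
 * On Windows, os.release() yields the NT version: "6.0"/"6.1"/"6.2" (Vista,
 * 7, 8 and their Server counterparts) count as old; "6.3" (8.1) and "10.x"
 * do not. The platform gate stops a non-Windows 6.x kernel — e.g. Linux 6.x,
 * whose os.release() also starts with "6." — from being reported as an old
 * Windows and producing a misleading "unsupported powershell version" warning.
 *
 * @returns {boolean}
 */
function isOldWin6() {
    if (os.platform() !== "win32") {
        return false;
    }
    const winVersion = os.release();
    return winVersion.startsWith("6.") && !winVersion.startsWith("6.3");
}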