fix: verify LiteralPath of update file during windows signature verif…
…ication (#8295)
mmaietta authored Jul 5, 2024
1 parent 4a4023c commit ac2e6a2
Showing 2 changed files with 18 additions and 1 deletion.
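--- a/.changeset/nervous-carrots-begin.md
+++ b/.changeset/nervous-carrots-begin.md
@@ -0,0 +1,5 @@
+---
+"electron-updater": patch
+---
+
+fix: verify LiteralPath of update file during windows signature verification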
@@ -2,6 +2,7 @@ import { parseDn } from "builder-util-runtime"
import { execFile, execFileSync } from "child_process"
import * as os from "os"
import { Logger } from "./main"
import * as path from "path"

// $certificateInfo = (Get-AuthenticodeSignature 'xxx\yyy.exe'
// | where {$_.Status.Equals([System.Management.Automation.SignatureStatus]::Valid) -and $_.SignerCertificate.Subject.Contains("CN=siemens.com")})
@@ -48,6 +49,18 @@ export function verifySignature(publisherNames: Array<string>, unescapedTempUpda
}
const data = parseOut(stdout)
if (data.Status === 0) {
try {
const normlaizedUpdateFilePath = path.normalize(data.Path)
const normalizedTempUpdateFile = path.normalize(unescapedTempUpdateFile)
logger.info(`LiteralPath: ${normlaizedUpdateFilePath}. Update Path: ${normalizedTempUpdateFile}`)
if (normlaizedUpdateFilePath !== normalizedTempUpdateFile) {


@ckarich

ckarich Aug 9, 2024

Contributor

seems to be a typo here

handleError(logger, new Error(`LiteralPath of ${normlaizedUpdateFilePath} is different than ${normalizedTempUpdateFile}`), stderr, reject)
resolve(null)
return
}
} catch (error: any) {
logger.warn(`Unable to verify LiteralPath of update asset due to missing data.Path. Skipping this step of validation. Message: ${error.message ?? error.stack}`)
}
const subject = parseDn(data.SignerCertificate.Subject)
let match = false
for (const name of publisherNames) {
@@ -96,7 +109,6 @@ function parseOut(out: string): any {
// duplicates data.SignerCertificate (contains RawData)
delete signerCertificate.SubjectName
}
delete data.Path
return data
}
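Review bot: The LiteralPath check added to `verifySignature` fails open: the `catch` around the `path.normalize` comparison only logs a warning and falls through to the publisher-name match, so output in which `data.Path` is missing or not a string skips the very check this commit introduces. The `catch` is also unscoped, so any other exception raised inside the `try` is reported as missing `data.Path`. I would drop the try/catch and fold the absence into the existing mismatch branch, `if (typeof data.Path !== "string" || path.normalize(data.Path) !== path.normalize(unescapedTempUpdateFile)) {`, so a missing path is handled as a failed verification. Separately, that branch calls `resolve(null)` right after `handleError(...)`; the callers and `handleError` are outside this page, so confirm `null` is not what they treat as a successful verification when `handleError` returns without calling `reject`. The body of `verifySignature` starts and ends outside the hunk.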

