From feec3fd0c135cf035d2d612e16b989bc57812806 Mon Sep 17 00:00:00 2001
From: Jill Regan
Date: Tue, 9 Jun 2026 10:26:38 -0400
Subject: [PATCH] Harden windows check

---
 dist/index.js | 8 +++++---
 .../github-action/cli-installer/windows-signature.ts | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 91f4ef9..3a38d6b 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -35581,10 +35581,12 @@ const verifyAuthenticodeSignature = async (opExePath, runPowerShell = defaultPow
 if (status !== "Valid") {
 throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
 }
- // Confirm the signer is AgileBits, not some other publisher.
+ // Confirm the signer is AgileBits, not some other publisher. Trailing comma
+ // anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
 const subject = fieldValue("Subject=") ?? "";
- if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
- throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+ const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
+ if (!subject.includes(expectedCn)) {
+ throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
 "If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
 }
 };
diff --git a/src/op-cli-installer/github-action/cli-installer/windows-signature.ts b/src/op-cli-installer/github-action/cli-installer/windows-signature.ts
index d4c82f5..f2483cc 100644
--- a/src/op-cli-installer/github-action/cli-installer/windows-signature.ts
+++ b/src/op-cli-installer/github-action/cli-installer/windows-signature.ts
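Review bot: The new `subject.includes(expectedCn)` test is still a substring match over a rendered DN string, so the trailing comma only anchors the right edge and presumes another RDN follows CN; a Subject whose CN is the final component, or one the tool renders with quoting or escaping, would fail for the legitimate signer, while any other DN component that happens to contain the text would satisfy it. Comparing the CN RDN exactly is more robust, e.g. `const cnMatches = subject.split(/,\s*(?=[A-Za-z]+=)/).some((rdn) => rdn.trim() === "CN=" + WINDOWS_SIGNER_SUBJECT_CN);`, and pinning the signer certificate's thumbprint reported by Get-AuthenticodeSignature alongside the Subject check would also cover a certificate with the same CN issued to another party. The rewritten message also dropped its sentence-ending period, so it now reads `does not contain ${expectedCn} If 1Password…`; `does not contain ${expectedCn}. ` restores it. The same change appears in windows-signature.ts, whose hunk ends outside this view; dist/index.js is the compiled copy, so the fix belongs in the TypeScript source.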
@@ -49,11 +49,13 @@ export const verifyAuthenticodeSignature = async (
 );
 }
- // Confirm the signer is AgileBits, not some other publisher.
+ // Confirm the signer is AgileBits, not some other publisher. Trailing comma
+ // anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
 const subject = fieldValue("Subject=") ?? "";
- if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
+ const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
+ if (!subject.includes(expectedCn)) {
 throw new Error(
- `1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+ `1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
 "If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
 );
 }