1Password/load-secrets-action
1
0
Fork 0
mirror of https://github.com/1Password/load-secrets-action.git synced 2026-06-20 22:23:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Harden windows check

Browse Source
This commit is contained in:
Jill Regan
2026-06-09 10:26:38 -04:00
parent 7b7cb42941
commit feec3fd0c1
2 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dist/index.js
Vendored
+5 -3
View File
@@ -35581,10 +35581,12 @@ const verifyAuthenticodeSignature = async (opExePath, runPowerShell = defaultPow
if (status !== "Valid") {
throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
}
// Confirm the signer is AgileBits, not some other publisher.
// Confirm the signer is AgileBits, not some other publisher. Trailing comma
// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
const subject = fieldValue("Subject=") ?? "";
if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
if (!subject.includes(expectedCn)) {
throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
}
};
src/op-cli-installer/github-action/cli-installer/windows-signature.ts
+5 -3
View File
@@ -49,11 +49,13 @@ export const verifyAuthenticodeSignature = async (
);
}
// Confirm the signer is AgileBits, not some other publisher.
// Confirm the signer is AgileBits, not some other publisher. Trailing comma
// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
const subject = fieldValue("Subject=") ?? "";
if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
if (!subject.includes(expectedCn)) {
throw new Error(
`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
);
}