| Author | SHA1 | Date | |
|---|---|---|---|
| feec3fd0c1 |
Vendored
+5
-3
@@ -35581,10 +35581,12 @@ const verifyAuthenticodeSignature = async (opExePath, runPowerShell = defaultPow
|
|||||||
if (status !== "Valid") {
|
if (status !== "Valid") {
|
||||||
throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
|
throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
|
||||||
}
|
}
|
||||||
// Confirm the signer is AgileBits, not some other publisher.
|
// Confirm the signer is AgileBits, not some other publisher. Trailing comma
|
||||||
|
// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
|
||||||
const subject = fieldValue("Subject=") ?? "";
|
const subject = fieldValue("Subject=") ?? "";
|
||||||
if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
|
const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
|
||||||
throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
|
if (!subject.includes(expectedCn)) {
|
||||||
|
throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
|
||||||
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
|
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -49,11 +49,13 @@ export const verifyAuthenticodeSignature = async (
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Confirm the signer is AgileBits, not some other publisher.
|
// Confirm the signer is AgileBits, not some other publisher. Trailing comma
|
||||||
|
// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
|
||||||
const subject = fieldValue("Subject=") ?? "";
|
const subject = fieldValue("Subject=") ?? "";
|
||||||
if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
|
const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
|
||||||
|
if (!subject.includes(expectedCn)) {
|
||||||
throw new Error(
|
throw new Error(
|
||||||
`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
|
`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
|
||||||
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
|
"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|||||||
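Review bot: The new `if (!subject.includes(expectedCn))` line is still a substring match, so the trailing comma only anchors the end of the CN value; the text `CN=<expected>,` appearing inside some other attribute's value — which the Windows Subject string renders quoted, e.g. `O="x, CN=<expected>, y"`, as I understand it — would still satisfy the check. A CA is unlikely to issue such a subject, so this is hardening rather than an open hole, but splitting the Subject into its RDNs and comparing the CN component exactly is only a few lines. The fence below does that; the `throw` and the rest of `verifyAuthenticodeSignature` (whose start lies above the hunk) are unchanged, and the exact comparison assumes `WINDOWS_SIGNER_SUBJECT_CN` is written as it appears in the Subject string (quoted if it contains a comma). Separately, the rewritten message now reads `does not contain CN=…, If 1Password has…` because `expectedCn` carries the comma; `does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}.` keeps the sentence readable.

```typescript
const subject = fieldValue("Subject=") ?? "";
// Split the Subject into its RDNs on commas that are outside double quotes,
// then require the CN component to match exactly rather than as a substring
// of some other attribute's value.
const rdns = subject.match(/(?:[^,"]|"[^"]*")+/g)?.map((rdn) => rdn.trim()) ?? [];
const actualCn = rdns.find((rdn) => rdn.startsWith("CN="));
if (actualCn !== `CN=${WINDOWS_SIGNER_SUBJECT_CN}`) {
  // … unchanged: throw new Error(...) …
}
```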