Harden windows check

2026-06-21 14:23:48 +00:00 · 2026-06-09 10:26:38 -04:00
3 changed files with 12 additions and 14 deletions
@@ -2,7 +2,7 @@ name: E2E Tests

 on:
  push:
-    branches: [main, jill/test-verification]
+    branches: [main]
    paths-ignore: &ignore_paths
      - "docs/**"
      - "config/**"
@@ -69,10 +69,6 @@ jobs:
            echo "condition=push-to-main" >> $GITHUB_OUTPUT
            echo "Setting condition=push-to-main (push to main)"
            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event_name }}" == "push" ] && [ "${REF_NAME}" == "jill/test-verification" ]; then
-            echo "condition=push-to-test-branch" >> $GITHUB_OUTPUT
-            echo "Setting condition=push-to-test-branch (push to jill/test-verification)"
-            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
          else
            # Unknown event type
            echo "condition=skip" >> $GITHUB_OUTPUT
@@ -89,8 +85,6 @@ jobs:
      (needs.check-external-pr.outputs.condition == 'dispatch-event')
      ||
      needs.check-external-pr.outputs.condition == 'push-to-main'
-      ||
-      needs.check-external-pr.outputs.condition == 'push-to-test-branch'
    uses: ./.github/workflows/e2e-tests.yml
    with:
      ref: ${{ needs.check-external-pr.outputs.ref }}
@@ -35581,10 +35581,12 @@ const verifyAuthenticodeSignature = async (opExePath, runPowerShell = defaultPow
    if (status !== "Valid") {
        throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
    }
-    // Confirm the signer is AgileBits, not some other publisher.
+    // Confirm the signer is AgileBits, not some other publisher. Trailing comma
+    // anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
    const subject = fieldValue("Subject=") ?? "";
-    if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
-        throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+    const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
+    if (!subject.includes(expectedCn)) {
+        throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
            "If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
    }
 };
@@ -5,7 +5,7 @@ const execFileAsync = promisify(execFile);

 // Identifying field of 1Password's Authenticode signing cert for op.exe.
 // See https://www.1password.dev/cli/verify.
-export const WINDOWS_SIGNER_SUBJECT_CN = "AgilebitsButWrong";
+export const WINDOWS_SIGNER_SUBJECT_CN = "Agilebits";

 const defaultPowerShellRunner = async (script: string): Promise<string> => {
 	const { stdout } = await execFileAsync("powershell.exe", [
@@ -49,11 +49,13 @@ export const verifyAuthenticodeSignature = async (
 		);
 	}

-	// Confirm the signer is AgileBits, not some other publisher.
+	// Confirm the signer is AgileBits, not some other publisher. Trailing comma
+	// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
 	const subject = fieldValue("Subject=") ?? "";
-	if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
+	const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
+	if (!subject.includes(expectedCn)) {
 		throw new Error(
-			`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+			`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
 				"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
 		);
 	}