Harden windows check

.github/workflows/test-e2e.yml

@@ -2,7 +2,7 @@ name: E2E Tests
 
 on:
   push:
-    branches: [main, jill/test-verification]
+    branches: [main]
     paths-ignore: &ignore_paths
       - "docs/**"
       - "config/**"
@@ -69,10 +69,6 @@ jobs:
             echo "condition=push-to-main" >> $GITHUB_OUTPUT
             echo "Setting condition=push-to-main (push to main)"
             echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event_name }}" == "push" ] && [ "${REF_NAME}" == "jill/test-verification" ]; then
-            echo "condition=push-to-test-branch" >> $GITHUB_OUTPUT
-            echo "Setting condition=push-to-test-branch (push to jill/test-verification)"
-            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
           else
             # Unknown event type
             echo "condition=skip" >> $GITHUB_OUTPUT
@@ -89,8 +85,6 @@ jobs:
       (needs.check-external-pr.outputs.condition == 'dispatch-event')
       ||
       needs.check-external-pr.outputs.condition == 'push-to-main'
-      ||
-      needs.check-external-pr.outputs.condition == 'push-to-test-branch'
     uses: ./.github/workflows/e2e-tests.yml
     with:
       ref: ${{ needs.check-external-pr.outputs.ref }}

dist/index.js

@@ -35581,10 +35581,12 @@ const verifyAuthenticodeSignature = async (opExePath, runPowerShell = defaultPow
     if (status !== "Valid") {
         throw new Error(`Authenticode status is ${status ?? "unknown"}, expected Valid.\nGet-AuthenticodeSignature output:\n${output}`);
     }
-    // Confirm the signer is AgileBits, not some other publisher.
+    // Confirm the signer is AgileBits, not some other publisher. Trailing comma
+    // anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
     const subject = fieldValue("Subject=") ?? "";
-    if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
+    const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
-        throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+    if (!subject.includes(expectedCn)) {
+        throw new Error(`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
             "If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.");
     }
 };

src/op-cli-installer/github-action/cli-installer/windows-signature.ts

@@ -5,7 +5,7 @@ const execFileAsync = promisify(execFile);
 
 // Identifying field of 1Password's Authenticode signing cert for op.exe.
 // See https://www.1password.dev/cli/verify.
-export const WINDOWS_SIGNER_SUBJECT_CN = "AgilebitsButWrong";
+export const WINDOWS_SIGNER_SUBJECT_CN = "Agilebits";
 
 const defaultPowerShellRunner = async (script: string): Promise<string> => {
 	const { stdout } = await execFileAsync("powershell.exe", [
@@ -49,11 +49,13 @@ export const verifyAuthenticodeSignature = async (
 		);
 	}
 
-	// Confirm the signer is AgileBits, not some other publisher.
+	// Confirm the signer is AgileBits, not some other publisher. Trailing comma
+	// anchors the CN value so e.g. "CN=AgilebitsAttacker, ..." cannot match.
 	const subject = fieldValue("Subject=") ?? "";
-	if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) {
+	const expectedCn = `CN=${WINDOWS_SIGNER_SUBJECT_CN},`;
+	if (!subject.includes(expectedCn)) {
 		throw new Error(
-			`1Password CLI signature verification failed: signer Subject (${subject}) does not contain CN=${WINDOWS_SIGNER_SUBJECT_CN}. ` +
+			`1Password CLI signature verification failed: signer Subject (${subject}) does not contain ${expectedCn} ` +
 				"If 1Password has rotated or renamed their signing identity, this action needs to be updated — please file an issue at https://github.com/1Password/load-secrets-action/issues.",
 		);
 	}