From d90b0c2b202d8b5b09891bdb9f3e8f5768165f58 Mon Sep 17 00:00:00 2001 From: Adrien Ferrand Date: Thu, 13 Feb 2020 21:45:22 +0100 Subject: [PATCH] Enable signing check. Fix logs. --- .../test_main.py | 6 ++--- windows-installer/auto-update.ps1 | 27 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/certbot-ci/windows_installer_integration_tests/test_main.py b/certbot-ci/windows_installer_integration_tests/test_main.py index d0bdbd236..8defe8dac 100644 --- a/certbot-ci/windows_installer_integration_tests/test_main.py +++ b/certbot-ci/windows_installer_integration_tests/test_main.py @@ -142,7 +142,7 @@ def test_base(installer): This test checks that the Certbot installer installs correctly Certbot, including a fully functional automated renewal mechanism through a Windows scheduled task. """ - _assert_certbot_is_broken() + _assert_certbot_is_missing() # Install certbot subprocess.check_output([installer, '/S']) @@ -183,7 +183,7 @@ def test_upgrade(upgrade_env): # Break Certbot on purpose _ps('Remove-Item "${env:ProgramFiles(x86)}\\Certbot\\bin\\certbot.exe" -Confirm:$false') - _assert_certbot_is_broken() + _assert_certbot_is_missing() # Trigger the renew + auto-upgrade task, expecting Certbot to be reinstalled and functional again. now = time.time() @@ -193,7 +193,7 @@ def test_upgrade(upgrade_env): subprocess.check_output(['certbot', '--version']) -def _assert_certbot_is_broken(): +def _assert_certbot_is_missing(): try: subprocess.check_output(['certbot', '--version']) except (subprocess.CalledProcessError, OSError): diff --git a/windows-installer/auto-update.ps1 b/windows-installer/auto-update.ps1 index 4df728cb0..0f7d6c3ef 100644 --- a/windows-installer/auto-update.ps1 +++ b/windows-installer/auto-update.ps1 
@@ -2,15 +2,15 @@ param()
 begin {}
 process {
- New-EventLog -Source "auto-update.ps1" -LogName "CertbotAutoUpdate" -ErrorAction SilentlyContinue
+ New-EventLog -Source "certbot/auto-update.ps1" -LogName "CertbotAutoUpdate" -ErrorAction SilentlyContinue
 function Write-Message($message, $level = "Information") {
- Write-EventLog -Source "auto-update.ps1" -LogName "CertbotAutoUpdate" -EventID 1 -EntryType $level -Message $message
+ Write-EventLog -Source "certbot/auto-update.ps1" -LogName "CertbotAutoUpdate" -EventID 1 -EntryType $level -Message $message
 Write-Host $message
 }
 function Write-Error($message) {
- Write-EventLog -Source "auto-update.ps1" -LogName "CertbotAutoUpdate" -EventID 1 -EntryType Error -Message $message
+ Write-EventLog -Source "certbot/auto-update.ps1" -LogName "CertbotAutoUpdate" -EventID 1 -EntryType Error -Message $message
 throw $message
 }
@@ -97,17 +97,16 @@ Aborting auto-upgrade process.
 # Check installer has a valid signature from the Certbot release team
 $signature = Get-AuthenticodeSignature $installerPath
-# # Uncomment the following lines of code once the Certbot installer is correctly signed.
-# if ($signature.Status -ne 'Valid') {
-# throw "Downloaded installer has no or invalid Authenticode signature."
-# }
-# $publicKey = $certbotSigningPubKey -replace '-+.*-+' -replace "`n" -replace "`r"
-# $refBinaryPublicKey = [System.Convert]::FromBase64String($publicKey)
-# $curBinaryPublicKey = $signature.SignerCertificate.PublicKey.EncodedKeyValue.RawData
-# $diff = Compare-Object -ReferenceObject $refBinaryPublicKey -DifferenceObject $curBinaryPublicKey
-# if ($diff) {
-# throw "Downloaded installer has not been signed by Certbot development team."
-# }
+ if ($signature.Status -ne 'Valid') {
+ throw "Downloaded installer has no or invalid Authenticode signature."
+ }
+ $publicKey = $certbotSigningPubKey -replace '-+.*-+' -replace "`n" -replace "`r"
+ $refBinaryPublicKey = [System.Convert]::FromBase64String($publicKey)
+ $curBinaryPublicKey = $signature.SignerCertificate.PublicKey.EncodedKeyValue.RawData
+ $diff = Compare-Object -ReferenceObject $refBinaryPublicKey -DifferenceObject $curBinaryPublicKey
+ if ($diff) {
+ throw "Downloaded installer has not been signed by Certbot development team."
+ }
 if (Test-Path $installDir\uninstall.exe) {
 # Uninstall old Certbot first
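Review bot: The publisher pin in the added `$diff = Compare-Object ...` line is looser than a byte-for-byte match, because Compare-Object treats its two inputs as unordered collections and reports no difference when the signer's key bytes are merely a reordering of the reference key's bytes. An ordered comparison is a small change, for example `if ([System.Convert]::ToBase64String($curBinaryPublicKey) -cne [System.Convert]::ToBase64String($refBinaryPublicKey)) {` in place of the `$diff` lines, with `-cne` because Base64 text is case-sensitive. Both new failure paths also use a bare `throw`, while the script's own `Write-Error` wrapper is what writes to the CertbotAutoUpdate event log; unless a handler outside this hunk records the exception, a rejected installer leaves no event-log entry, so `Write-Error "Downloaded installer has no or invalid Authenticode signature."` looks like the better call for both checks. `$certbotSigningPubKey` is defined outside the hunk, so it is worth confirming that its decoded form is the same encoding as `EncodedKeyValue.RawData` and not a full SubjectPublicKeyInfo blob.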