Use public key to validate the authenticode of the installer

This commit is contained in:
Adrien Ferrand 2020-01-09 21:39:37 +01:00
parent f86a1bde9d
commit f5f5c9eba6


@ -19,7 +19,17 @@ process {
$ErrorActionPreference = 'Stop'
$installDir = $PSScriptRoot
$installerAuthenticodeCertificateThumbprint = "CHANGEME"
$certbotPublicKey = '
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
CQIDAQAB
-----END PUBLIC KEY-----
'
# Get current local certbot version
try {
@ -76,12 +86,16 @@ Aborting auto-upgrade process.
$signature = Get-AuthenticodeSignature $installerPath
# Uncomment the following lines of code once the Certbot installer is correctly signed.
# if ($signature.Status -ne 'Valid') {
# throw "Downloaded installer has no or invalid Authenticode signature."
# }
# if ($signature.SignerCertificate.Thumbprint -ne $installerAuthenticodeCertificateThumbprint) {
# throw "Downloaded installer has not been signed by Certbot development team."
# }
# if ($signature.Status -ne 'Valid') {
# throw "Downloaded installer has no or invalid Authenticode signature."
# }
# $publicKey = $certbotPublicKey -replace '-+.*-+' -replace "`n" -replace "`r"
# $refBinaryPublicKey = [System.Convert]::FromBase64String($publicKey)
# $curBinaryPublicKey = $signature.SignerCertificate.PublicKey.EncodedKeyValue.RawData
# $diff = Compare-Object -ReferenceObject $refBinaryPublicKey -DifferenceObject $curBinaryPublicKey
# if ($diff) {
# throw "Downloaded installer has not been signed by Certbot development team."
# }
if (Test-Path $installDir\uninstall.exe) {
# Uninstall old Certbot first
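Review bot: Once uncommented, the `Compare-Object` check in the second hunk would reject a correctly signed installer, because `$certbotPublicKey` is a SubjectPublicKeyInfo PEM (its base64 opens with the algorithm identifier `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A`) whereas `SignerCertificate.PublicKey.EncodedKeyValue.RawData` exposes only the inner RSAPublicKey structure, the part that begins at `MIIBCgKCAQEA` on that same PEM line, so the two byte arrays differ in length and `$diff` is always non-empty. `Compare-Object` with its default `-SyncWindow` also appears to be order-insensitive for arrays, so even with matching encodings it would accept any permutation of the expected bytes; an exact, ordered check is `if ([Convert]::ToBase64String($curBinaryPublicKey) -ne $publicKey) { throw "Downloaded installer has not been signed by Certbot development team." }`, with `$publicKey` holding the same encoding the certificate exposes (the RSAPublicKey base64 rather than the full SPKI, or the SPKI with its header stripped). Until these lines are uncommented `$signature` is computed but never enforced, so the downloaded installer proceeds to uninstall/install with no integrity check; the "Uncomment the following lines" comment should state that explicitly so the gap is not mistaken for a finished control. The enclosing `process` block begins and ends outside this hunk.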