feat(windows): check windows binaries signatures

sigilioso · sigilioso · commit d147e2673eb3 · 2025-12-15T09:27:53.000+01:00
diff --git a/.github/workflows/component_packages.yml b/.github/workflows/component_packages.yml
@@ -110,3 +110,25 @@ jobs:
           path: |
             ./bin/*
             ./dist/*
+
+  verify-windows-signatures:
+    runs-on: windows-latest
+    name: Verify Windows signatures
+    needs: build
+    if: ${{ ! inputs.skip_sign }}
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Download built binaries
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        with:
+          name: built-binaries-${{ inputs.tag_name }}
+          path: ./artifacts
+
+      - name: Verify Windows executable signatures
+        shell: powershell
+        run: |
+          ./build/scripts/windows-exec-sign/verify-signature.ps1 -Executables @(
+            "./artifacts/dist/newrelic-agent-control-windows_x86_64-pc-windows-msvc/newrelic-agent-control.exe",
+            "./artifacts/dist/newrelic-agent-control-cli-windows_x86_64-pc-windows-msvc/newrelic-agent-control-cli.exe"
+          )
diff --git a/build/scripts/windows-exec-sign/verify-signature.ps1 b/build/scripts/windows-exec-sign/verify-signature.ps1
@@ -0,0 +1,68 @@
+#!/usr/bin/env pwsh
+#
+# Verify Windows executable signatures
+#
+# This script verifies that Windows executables are properly signed
+# with valid Authenticode signatures.
+#
+# Usage:
+#   verify-signature.ps1 -Executables <exe1>,<exe2>,...
+#
+# Example:
+#   verify-signature.ps1 -Executables "./artifacts/dist/foo.exe","./artifacts/dist/bar.exe"
+#
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string[]]$Executables
+)
+
+Write-Host "Verifying signatures for Windows executables"
+Write-Host "=============================================="
+Write-Host ""
+
+$allValid = $true
+
+foreach ($exePath in $Executables) {
+    $exeName = Split-Path -Leaf $exePath
+
+    Write-Host "Checking: $exeName"
+    Write-Host "  Path: $exePath"
+
+    if (-not (Test-Path $exePath)) {
+        Write-Host "  ERROR: File not found!" -ForegroundColor Red
+        $allValid = $false
+        Write-Host ""
+        continue
+    }
+
+    $signature = Get-AuthenticodeSignature -FilePath $exePath
+
+    Write-Host "  Status: $($signature.Status)"
+
+    if ($signature.SignerCertificate) {
+        Write-Host "  Signer: $($signature.SignerCertificate.Subject)"
+        Write-Host "  Thumbprint: $($signature.SignerCertificate.Thumbprint)"
+    }
+
+    if ($signature.Status -ne 'Valid') {
+        Write-Host "  ERROR: Signature is not valid!" -ForegroundColor Red
+        if ($signature.StatusMessage) {
+            Write-Host "  Reason: $($signature.StatusMessage)" -ForegroundColor Red
+        }
+        $allValid = $false
+    } else {
+        Write-Host "  SUCCESS: Signature is valid" -ForegroundColor Green
+    }
+
+    Write-Host ""
+}
+
+Write-Host "=============================================="
+if (-not $allValid) {
+    Write-Host "FAILED: One or more executables are missing or have invalid signatures" -ForegroundColor Red
+    exit 1
+}
+
+Write-Host "SUCCESS: All Windows executables are properly signed" -ForegroundColor Green
+exit 0
