From eeb755f76a2b65ff95d9c1a2eabeff154558f040 Mon Sep 17 00:00:00 2001 
From: Marc Durdin Date: Fri, 6 Oct 2023 09:14:35 +0700 Subject: [PATCH 1/6] fix(windows): re-enable signature check Fixes #9692. Signature checking was skipped because we missed a ".virtual" to force nmake to build the test and test_i3633 targets. This opened up a small cascade of related formatting issues on Makefiles, and the fact that the test_i3633 (has there ever been a more poorly named project?) Makefile did not even work. Refactored significantly, added same tests to Developer Makefile, and also now verifying the .msi and installer executable. We can improve this further but I'd like to get this in to avoid further critical issues with code signing given the current broken signing configuration. --- .../windows/delphi/ext/sentry/test/Makefile | 3 +- common/windows/delphi/tools/Makefile | 6 +++- .../delphi/tools/verify_signatures/Makefile | 13 ++++++++ .../tools/verify_signatures}/sigcheck.bin | Bin .../verify_signatures/verify_signatures.dpr | 4 +-- .../verify_signatures/verify_signatures.dproj | 6 ++-- .../verify_signatures/verify_signatures.res | Bin developer/src/Makefile | 2 ++ developer/src/inst/download.in.mak | 3 ++ .../src/tools/verify_signatures/Makefile | 19 +++++++++++ windows/src/Defines.mak | 9 +++++ windows/src/Makefile | 2 +- windows/src/desktop/inst/download.in | 4 +++ windows/src/desktop/insthelp/Makefile | 4 +-- windows/src/desktop/kmconfig/Makefile | 2 +- windows/src/desktop/kmshell/Makefile | 2 +- windows/src/support/charident/Makefile | 2 +- windows/src/support/km_yim/Makefile | 5 +-- windows/src/test/Makefile | 14 ++++---- windows/src/test/test_i3633/Makefile | 31 ------------------ windows/src/test/verify_signatures/Makefile | 21 ++++++++++++ 21 files changed, 100 insertions(+), 52 deletions(-) create mode 100644 common/windows/delphi/tools/verify_signatures/Makefile rename {windows/src/test/test_i3633 => common/windows/delphi/tools/verify_signatures}/sigcheck.bin (100%) rename windows/src/test/test_i3633/verify.dpr => 
common/windows/delphi/tools/verify_signatures/verify_signatures.dpr (94%) rename windows/src/test/test_i3633/verify.dproj => common/windows/delphi/tools/verify_signatures/verify_signatures.dproj (99%) rename windows/src/test/test_i3633/verify.res => common/windows/delphi/tools/verify_signatures/verify_signatures.res (100%) create mode 100644 developer/src/tools/verify_signatures/Makefile delete mode 100644 windows/src/test/test_i3633/Makefile create mode 100644 windows/src/test/verify_signatures/Makefile diff --git a/common/windows/delphi/ext/sentry/test/Makefile b/common/windows/delphi/ext/sentry/test/Makefile index 63fc664b011..b2e92bb8964 100644 --- a/common/windows/delphi/ext/sentry/test/Makefile +++ b/common/windows/delphi/ext/sentry/test/Makefile @@ -4,7 +4,8 @@ !include ..\..\..\Defines.mak -build: dirs # version.res manifest.res +build: dirs +# version.res manifest.res $(DELPHI_MSBUILD) SentryClientTest.dproj "/p:Platform=Win32" $(DELPHI_MSBUILD) SentryClientVclTest.dproj "/p:Platform=Win32" diff --git a/common/windows/delphi/tools/Makefile b/common/windows/delphi/tools/Makefile index a9c1151473a..2ea11ab2372 100644 --- a/common/windows/delphi/tools/Makefile +++ b/common/windows/delphi/tools/Makefile @@ -7,7 +7,7 @@ NOTARGET_SIGNCODE=yes !ifdef NODELPHI TARGETS=.virtual !else -TARGETS=build_standards_data buildunidata devtools sentrytool test-klog +TARGETS=build_standards_data buildunidata devtools sentrytool test-klog verify_signatures !endif CLEANS=clean-tools @@ -28,6 +28,10 @@ buildunidata: .virtual cd $(COMMON_ROOT)\tools\buildunidata $(MAKE) $(TARGET) +verify_signatures: .virtual + cd $(COMMON_ROOT)\tools\verify_signatures + $(MAKE) $(TARGET) + devtools: .virtual !ifdef NODELPHI echo Skipping devtools diff --git a/common/windows/delphi/tools/verify_signatures/Makefile b/common/windows/delphi/tools/verify_signatures/Makefile new file mode 100644 index 00000000000..0f67747665e --- /dev/null +++ b/common/windows/delphi/tools/verify_signatures/Makefile 
@@ -0,0 +1,13 @@ +# +# test for signatures and version information being correct in ?install directory or ?bin directory +# + +!include ..\..\Defines.mak + +build: + $(DELPHI_MSBUILD) verify_signatures.dproj + copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe + +clean: def-clean + +!include ..\..\Target.mak diff --git a/windows/src/test/test_i3633/sigcheck.bin b/common/windows/delphi/tools/verify_signatures/sigcheck.bin similarity index 100% rename from windows/src/test/test_i3633/sigcheck.bin rename to common/windows/delphi/tools/verify_signatures/sigcheck.bin diff --git a/windows/src/test/test_i3633/verify.dpr b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr similarity index 94% rename from windows/src/test/test_i3633/verify.dpr rename to common/windows/delphi/tools/verify_signatures/verify_signatures.dpr index b3707d84617..fe77f887d7f 100644 --- a/windows/src/test/test_i3633/verify.dpr +++ b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr @@ -1,4 +1,4 @@ -program verify; +program verify_signatures; {$APPTYPE CONSOLE} @@ -90,7 +90,7 @@ begin if (ParamStr(1) = '-?') or (ParamCount < 1) then begin - writeln('verify [-d] VERSION.md: Verify the output of sigcheck to ensure all executables are signed and have proper version.'); + writeln('verify_signatures [-d] VERSION.md: Verify the output of sigcheck to ensure all executables are signed and have proper version.'); writeln(' -d: Check the timestamp on the signature is less than 2 days old.'); writeln(' VERSION.md: path to the version to verify against'); Halt(2); diff --git a/windows/src/test/test_i3633/verify.dproj b/common/windows/delphi/tools/verify_signatures/verify_signatures.dproj similarity index 99% rename from windows/src/test/test_i3633/verify.dproj rename to common/windows/delphi/tools/verify_signatures/verify_signatures.dproj index e23aeb3a4d8..323353c79b9 100644 --- a/windows/src/test/test_i3633/verify.dproj 
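Review bot: The `copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe` step in the new `build` target installs a checked-in binary whose version and origin are not recorded in this Makefile, yet every later signature check trusts its output. A comment above the copy would make a replacement auditable, for example `# sigcheck.bin: <TOOL NAME AND VERSION>, sha256 <EXPECTED HASH>; update both when replacing the binary`. The header comment still reads `?install directory or ?bin directory`, carried over from the deleted test_i3633 Makefile, and could describe this as the shared tool build instead. The build line also drops the `"/p:Platform=Win32"` argument that the old prereq passed, while Defines.mak looks for both tools under `$(WIN32_TARGET_PATH)`. That presumably relies on the project's default platform, and passing the argument explicitly would remove the dependency.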
+++ b/common/windows/delphi/tools/verify_signatures/verify_signatures.dproj @@ -3,7 +3,7 @@ {A6DCA558-8DD0-4FFF-8DAE-F305AB8D2AF4} 18.8 None - verify.dpr + verify_signatures.dpr True Debug Win32 @@ -45,7 +45,7 @@ true - verify + verify_signatures $(BDS)\bin\delphi_PROJECTICNS.icns $(BDS)\bin\delphi_PROJECTICON.ico bindcompfmx;fmx;rtl;dbrtl;DbxClientDriver;bindcomp;inetdb;DBXInterBaseDriver;xmlrtl;DbxCommonDriver;DBXMySQLDriver;dbxcds;soaprtl;bindengine;CustomIPTransport;dsnap;fmxase;inet;fmxobj;inetdbxpress;fmxdae;dbexpress;$(DCC_UsePackage) @@ -161,7 +161,7 @@ - verify.dpr + verify_signatures.dpr Microsoft Office 2000 Sample Automation Server Wrapper Components diff --git a/windows/src/test/test_i3633/verify.res b/common/windows/delphi/tools/verify_signatures/verify_signatures.res similarity index 100% rename from windows/src/test/test_i3633/verify.res rename to common/windows/delphi/tools/verify_signatures/verify_signatures.res diff --git a/developer/src/Makefile b/developer/src/Makefile index 0c6c81ece6b..6a1cf398e51 100644 --- a/developer/src/Makefile +++ b/developer/src/Makefile @@ -153,6 +153,8 @@ do-build-release: $(MAKE) build-release-dependencies $(MAKE) "SIGNCODE_BUILD=SIGNCODE_BUILD" build test $(MAKE) signcode + cd $(DEVELOPER_ROOT)\src\tools\verify_signatures + $(MAKE) test cd $(DEVELOPER_ROOT)\src\inst $(MAKE) diff --git a/developer/src/inst/download.in.mak b/developer/src/inst/download.in.mak index eeadd67ac0a..871f4b012c0 100644 --- a/developer/src/inst/download.in.mak +++ b/developer/src/inst/download.in.mak 
@@ -26,6 +26,9 @@ copykmdev: makeinstaller make-kmcomp-install-zip -mkdir $(DEVELOPER_ROOT)\release\$Version copy /Y $(DEVELOPER_ROOT)\src\inst\keymandeveloper.msi $(DEVELOPER_ROOT)\release\$Version\keymandeveloper.msi copy /Y $(DEVELOPER_ROOT)\src\inst\keymandeveloper-$Version.exe $(DEVELOPER_ROOT)\release\$Version\keymandeveloper-$Version.exe + $(SIGCHECK) $(DEVELOPER_ROOT)\release\$Version\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + -del sig1 test-releaseexists: if exist $(DEVELOPER_ROOT)\release\$Version\keymandeveloper*.msi echo. & echo Release $Version already exists. Delete it or update VERSION.md and try again & exit 1 diff --git a/developer/src/tools/verify_signatures/Makefile b/developer/src/tools/verify_signatures/Makefile new file mode 100644 index 00000000000..003f6aa5d50 --- /dev/null +++ b/developer/src/tools/verify_signatures/Makefile @@ -0,0 +1,19 @@ +# +# test for signatures and version information being correct in bin folder +# + +!include ..\..\Defines.mak + +test: prereq + $(SIGCHECK) $(DEVELOPER_PROGRAM)\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + +# prereq may not be needed? +prereq: + cd $(VERIFY_SIGNATURES_PATH) + $(MAKE) + +clean: def-clean + -del sig1 + +!include ..\..\Target.mak diff --git a/windows/src/Defines.mak b/windows/src/Defines.mak index bf8f77b9987..9506dfa6df0 100644 --- a/windows/src/Defines.mak +++ b/windows/src/Defines.mak @@ -322,3 +322,12 @@ SYMSTORE="C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symstore.exe" add /compress /f CLEAN=-del /S /Q + +# +# Signature checks +# + +VERIFY_SIGNATURES_PATH=$(KEYMAN_ROOT)\common\windows\delphi\tools\verify_signatures +# Note: hyphen prefix is important to ignore return value from sigcheck +SIGCHECK=-$(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\sigcheck -q -s -e -v -accepteula +VERIFY_SIGNATURES=$(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\verify_signatures -d $(KEYMAN_ROOT)\VERSION.md diff --git a/windows/src/Makefile b/windows/src/Makefile index 7dda8852632..e9048fcf71b 100644 
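Review bot: The check added to `copykmdev` can pass without sigcheck having inspected anything, because `$(SIGCHECK)` is defined with a leading hyphen in the Defines.mak hunk of this patch. A sigcheck that is missing or fails part-way therefore still leaves an empty or partial `sig1` for `$(VERIFY_SIGNATURES) < sig1`. Whether verify_signatures rejects empty input is not visible in this patch, so that should be confirmed, or the tool made to exit non-zero when it has read zero records. The same pattern is used in developer/src/tools/verify_signatures/Makefile, windows/src/desktop/inst/download.in and windows/src/test/verify_signatures/Makefile. A cheap guard before the first `$(SIGCHECK)` line would be `if not exist $(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\sigcheck.exe exit 1`; the `copykmdev` recipe itself starts above the hunk.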
--- a/windows/src/Makefile +++ b/windows/src/Makefile @@ -81,7 +81,7 @@ support: global $(MAKE) $(TARGET) cd $(ROOT)\src -test: +test: .virtual cd $(ROOT)\src\test $(MAKE) $(TARGET) cd $(ROOT)\src diff --git a/windows/src/desktop/inst/download.in b/windows/src/desktop/inst/download.in index 0bf062eeba4..17b832210cc 100644 --- a/windows/src/desktop/inst/download.in +++ b/windows/src/desktop/inst/download.in @@ -17,6 +17,10 @@ copyredist-desktop: copy /Y keymandesktop.exe $(ROOT)\release\$Version\keyman-$Version.exe copy /Y $(ROOT)\bin\desktop\setup.exe $(ROOT)\release\$Version\setup.exe + $(SIGCHECK) $(ROOT)\release\$Version\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + -del sig1 + # Copy the unsigned setup.exe for use in bundling scenarios; zip it up for clarity $(WZZIP) $(ROOT)\release\$Version\setup-redist.zip $(ROOT)\bin\desktop\setup-redist.exe diff --git a/windows/src/desktop/insthelp/Makefile b/windows/src/desktop/insthelp/Makefile index b3d4dcdf070..b1ca957636e 100644 --- a/windows/src/desktop/insthelp/Makefile +++ b/windows/src/desktop/insthelp/Makefile @@ -11,9 +11,9 @@ build: version.res dirs $(COPY) $(WIN32_TARGET_PATH)\insthelp.exe $(ROOT)\bin\desktop\insthelp.exe test-manifest: - # test that (a) linked manifest exists and correct, and (b) has uiAccess=true +# test that (a) linked manifest exists and correct, and (b) has uiAccess=true @rem $(MT) -nologo -inputresource:$(PROGRAM)\desktop\insthelp.exe -validate_manifest - # TODO: Investigate why no manifest included? +# TODO: Investigate why no manifest included? clean: def-clean diff --git a/windows/src/desktop/kmconfig/Makefile b/windows/src/desktop/kmconfig/Makefile index d7f308f9d65..98028758335 100644 --- a/windows/src/desktop/kmconfig/Makefile +++ b/windows/src/desktop/kmconfig/Makefile 
@@ -21,7 +21,7 @@ wrap-symbols: $(SYMSTORE) $(DEBUGPATH)\desktop\kmconfig.dbg /t keyman-windows test-manifest: - # test that linked manifest exists and correct +# test that linked manifest exists and correct $(MT) -nologo -inputresource:$(PROGRAM)\desktop\kmconfig.exe -validate_manifest install: diff --git a/windows/src/desktop/kmshell/Makefile b/windows/src/desktop/kmshell/Makefile index caaa7da54e0..773942d0a1b 100644 --- a/windows/src/desktop/kmshell/Makefile +++ b/windows/src/desktop/kmshell/Makefile @@ -39,7 +39,7 @@ wrap-symbols: $(SYMSTORE) $(DEBUGPATH)\desktop\kmshell.dbg /t keyman-windows test-manifest: - # test that (a) linked manifest exists and correct, and (b) has uiAccess=true +# test that (a) linked manifest exists and correct, and (b) has uiAccess=true $(MT) -nologo -inputresource:$(PROGRAM)\desktop\kmshell.exe -validate_manifest install: .virtual diff --git a/windows/src/support/charident/Makefile b/windows/src/support/charident/Makefile index dd6721c5c0a..cff67416776 100644 --- a/windows/src/support/charident/Makefile +++ b/windows/src/support/charident/Makefile @@ -15,6 +15,6 @@ signcode: wrap-symbols: $(SYMSTORE) $(PROGRAM)\support\charident.exe /t keyman-windows - #TODO: $(SYMSTORE) $(DEBUGPATH)\support\charident.dbg /t keyman-windows +#TODO: $(SYMSTORE) $(DEBUGPATH)\support\charident.dbg /t keyman-windows !include ..\..\Target.mak diff --git a/windows/src/support/km_yim/Makefile b/windows/src/support/km_yim/Makefile index f0f93e6fe22..1aef5f80f02 100644 --- a/windows/src/support/km_yim/Makefile +++ b/windows/src/support/km_yim/Makefile 
@@ -4,12 +4,13 @@ !include ..\..\Defines.mak -build: # version.res +build: +# version.res $(DCC32) km_yim.dpr rem $(TDSPACK) $(PROGRAM)\desktop\km_yim.exe km_yim.tds rem $(TDS2DBG) $(PROGRAM)\desktop\km_yim.exe $(WZZIP) inst_km_yim.zip km_yim.exe - # $(WZSE) inst_km_yim -setup -t inst_km_yim.dialog.txt -st "Tavultesoft Keyman Desktop Yahoo Messenger Addin" -c km_yim.exe +# $(WZSE) inst_km_yim -setup -t inst_km_yim.dialog.txt -st "Tavultesoft Keyman Desktop Yahoo Messenger Addin" -c km_yim.exe clean: def-clean if exist inst_km_yim.zip del inst_km_yim.zip diff --git a/windows/src/test/Makefile b/windows/src/test/Makefile index 5df2892dfad..5e8dec85b53 100644 --- a/windows/src/test/Makefile +++ b/windows/src/test/Makefile @@ -4,12 +4,14 @@ # ---------------------------------------------------------------------- +# TODO: both test-manifest-exec and verify_signatures are really part of buildtools + !ifdef NODELPHI TARGETS=.virtual !else -TARGETS=test_i3633 +TARGETS=verify_signatures !endif -CLEAN=test_i3633 +CLEAN=verify_signatures test: test-manifest-exec $(MAKE) "TARGET=test" $(TARGETS) @@ -22,10 +24,10 @@ test-manifest-exec: $(MAKE) test-manifest cd test -# test_i3633: validate certificates and binary metadata on executables -# TODO: Move this to buildtools -test_i3633: - cd $(ROOT)\src\test\test_i3633 +# validate certificates and binary metadata on executables +# TODO: move to buildtools? +verify_signatures: .virtual + cd $(ROOT)\src\buildtools\verify_signatures $(MAKE) $(TARGET) # ---------------------------------------------------------------------- diff --git a/windows/src/test/test_i3633/Makefile b/windows/src/test/test_i3633/Makefile deleted file mode 100644 index 575d77e7e83..00000000000 --- a/windows/src/test/test_i3633/Makefile +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# test for signatures and version information being correct in ?install directory or ?bin directory -# - -!include ..\..\Defines.mak - -SIGCHECK=-$(WIN32_TARGET_PATH)\sigcheck -q -s -e -v -accepteula -VERIFY=$(WIN32_TARGET_PATH)\verify -d $(KEYMAN_ROOT)\VERSION.md - -test: test-bin - -test-bin: prereq - $(SIGCHECK) $(ROOT)\bin\desktop\* > sig1 - $(SIGCHECK) $(ROOT)\bin\developer\* >> sig1 - $(SIGCHECK) $(ROOT)\bin\engine\* >> sig1 - $(SIGCHECK) $(ROOT)\bin\inst\* >> sig1 - $(VERIFY) < sig1 - -test-install: prereq - - -prereq: - $(DELPHI_MSBUILD) verify.dproj "/p:Platform=Win32" - copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe - - -clean: def-clean - -del sig1 - -del sig2 - -!include ..\..\Target.mak diff --git a/windows/src/test/verify_signatures/Makefile b/windows/src/test/verify_signatures/Makefile new file mode 100644 index 00000000000..dfd1495992c --- /dev/null +++ b/windows/src/test/verify_signatures/Makefile @@ -0,0 +1,21 @@ +# +# test for signatures and version information being correct in bin folder +# + +!include ..\..\Defines.mak + +test: prereq + $(SIGCHECK) $(ROOT)\bin\desktop\* > sig1 + $(SIGCHECK) $(ROOT)\bin\engine\* >> sig1 + $(SIGCHECK) $(ROOT)\bin\inst\* >> sig1 + $(VERIFY_SIGNATURES) < sig1 + +# prereq may not be needed? +prereq: + cd $(VERIFY_SIGNATURES) + $(MAKE) + +clean: def-clean + -del sig1 + +!include ..\..\Target.mak From 9461a3b5832faafbcc1fa6348e89fd05f845d8eb Mon Sep 17 00:00:00 2001 From: Marc Durdin Date: Fri, 6 Oct 2023 09:45:22 +0700 Subject: [PATCH 2/6] chore(windows): fix path in Makefile --- windows/src/test/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/src/test/Makefile b/windows/src/test/Makefile index 5e8dec85b53..2087f3d8a00 100644 --- a/windows/src/test/Makefile +++ b/windows/src/test/Makefile 
@@ -27,7 +27,7 @@ test-manifest-exec: # validate certificates and binary metadata on executables # TODO: move to buildtools? verify_signatures: .virtual - cd $(ROOT)\src\buildtools\verify_signatures + cd $(ROOT)\src\test\verify_signatures $(MAKE) $(TARGET) # ---------------------------------------------------------------------- From 702b3a0582da7cad144b8126064aaa788642eff2 Mon Sep 17 00:00:00 2001 From: Marc Durdin Date: Fri, 6 Oct 2023 10:11:08 +0700 Subject: [PATCH 3/6] chore(windows): fix typo --- windows/src/test/verify_signatures/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/src/test/verify_signatures/Makefile b/windows/src/test/verify_signatures/Makefile index dfd1495992c..607e5d22cf9 100644 --- a/windows/src/test/verify_signatures/Makefile +++ b/windows/src/test/verify_signatures/Makefile @@ -12,7 +12,7 @@ test: prereq # prereq may not be needed? prereq: - cd $(VERIFY_SIGNATURES) + cd $(VERIFY_SIGNATURES_PATH) $(MAKE) clean: def-clean From 7c2d3624cdfd790740a84b5f4cd790bc93ee38b1 Mon Sep 17 00:00:00 2001 From: Marc Durdin Date: Fri, 6 Oct 2023 10:37:25 +0700 Subject: [PATCH 4/6] chore(developer): sign addons in server --- developer/src/server/Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/developer/src/server/Makefile b/developer/src/server/Makefile index 0a580ea3d6a..a66eb449c11 100644 --- a/developer/src/server/Makefile +++ b/developer/src/server/Makefile @@ -14,7 +14,10 @@ clean: .virtual -del tsconfig.tsbuildinfo signcode: - @rem nothing to do + $(SIGNCODE) /d "Keyman" build\src\win32\console\node-hide-console-window.node + $(SIGNCODE) /d "Keyman" build\src\win32\console\node-hide-console-window.x64.node + $(SIGNCODE) /d "Keyman" build\src\win32\trayicon\addon.node + $(SIGNCODE) /d "Keyman" build\src\win32\trayicon\addon.x64.node wrap-symbols: @rem nothing to do From c970b1e2460b26970e22f3ab367b8e39e0328411 Mon Sep 17 00:00:00 2001 
From: Marc Durdin Date: Fri, 6 Oct 2023 11:38:55 +0700 Subject: [PATCH 5/6] chore(developer): fix paths for addon signing --- developer/src/server/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/developer/src/server/Makefile b/developer/src/server/Makefile index a66eb449c11..214732e41db 100644 --- a/developer/src/server/Makefile +++ b/developer/src/server/Makefile @@ -14,10 +14,10 @@ clean: .virtual -del tsconfig.tsbuildinfo signcode: - $(SIGNCODE) /d "Keyman" build\src\win32\console\node-hide-console-window.node - $(SIGNCODE) /d "Keyman" build\src\win32\console\node-hide-console-window.x64.node - $(SIGNCODE) /d "Keyman" build\src\win32\trayicon\addon.node - $(SIGNCODE) /d "Keyman" build\src\win32\trayicon\addon.x64.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\console\node-hide-console-window.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\console\node-hide-console-window.x64.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\trayicon\addon.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\trayicon\addon.x64.node wrap-symbols: @rem nothing to do From 982fdd0318a8fd4a10dda826bec652ced6841393 Mon Sep 17 00:00:00 2001 From: Marc Durdin Date: Sat, 7 Oct 2023 05:49:25 +0700 Subject: [PATCH 6/6] fix(developer): skip resource check for node addons --- .../delphi/tools/verify_signatures/verify_signatures.dpr | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr index fe77f887d7f..49478ac3edf 100644 --- a/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr +++ b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr 
@@ -36,6 +36,7 @@ begin Delete(s,1,1); end; + // TODO: sign these files and move the check down to the EndsWith node test if str[0].ToLower.Contains('sentry.') or str[0].ToLower.Contains('crashpad_handler') or str[0].ToLower.Contains('keymanmc') then // We don't verify sentry.dll or sentry.x64.dll or crashpad_handler.exe because they're not our files // We don't verify keymanmc.dll because it has no version resources, as it is mc-generated @@ -62,6 +63,14 @@ begin end; end; + if str[0].ToLower.EndsWith('node') then + begin + // It's one of the node addons -- in developer server at time of writing + // we don't have a version resource but we have signed it, so treat it + // as valid + Exit(''); + end; + if str[3] <> 'SIL International' then begin Exit('File has wrong company name');
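Review bot: The new `str[0].ToLower.EndsWith('node')` test in the second hunk returns success for any path that merely ends in the letters `node`, and it does so before the company-name comparison below it, so such a file skips every remaining check. Matching the extension, `if str[0].ToLower.EndsWith('.node') then`, keeps the exemption to the addon files the comment describes. The comment says the addons are signed, but the hunk does not show whether the signature-status test runs before this early exit; if it does not, the exemption should move below that test. The enclosing function starts and ends outside both hunks.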