Check Authenticode signature on setup

jon-turney · jon-turney · commit 52b4c10c3c3c · 2025-04-20T16:50:33.000+01:00
Check that an Authenticode signature on setup is present, valid and made
by the expected key.
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@ Parameters
 | add-to-path         | true                                         | Whether to add Cygwin's `/bin` directory to the system `PATH`
 | allow-test-packages | false                                        | Consider package versions marked test for installation
 | check-hash          | true                                         | Whether to check the hash of the downloaded Cygwin installer.
+| check-installer-sig | true                                         | Whether to check the Authenticode signature of the downloaded Cygwin installer.
 | work-vol            | D:                                           | Volume on which to store setup and packages, and install Cygwin.
 
 Line endings
@@ -100,7 +101,9 @@ Mirrors and signatures
 ----------------------
 
 You probably don't need to change the setting for `site`, and you shouldn't
-change `check-sig` unless you're very confident it's appropriate and necessary.
+change `check-installer-sig` or `check-sig` unless you're very confident it's
+appropriate and necessary.
+
 These options are very unlikely to be useful except in some very isolated
 circumstances, such as using the [Cygwin Time
 Machine](http://www.crouchingtigerhiddenfruitbat.org/Cygwin/timemachine.html).
diff --git a/action.yml b/action.yml
@@ -37,6 +37,10 @@ inputs:
     description: Check the hash of the installer
     required: false
     default: 'true'
+  check-installer-sig:
+    description: Check the Autheticode signature of the installer
+    required: false
+    default: 'true'
   work-vol:
     description: Volume on which to store setup and packages, and install Cygwin
     required: false
@@ -102,6 +106,15 @@ runs:
           throw "The downloaded setup has a zero length!"
         }
 
+        $signature = Get-AuthenticodeSignature -FilePath $setupExe
+        echo "Signature status: $($signature.Status) fingerprint: $($signature.SignerCertificate.GetCertHashString("SHA256"))"
+        # TBD: this should check against a list of fingerprints for valid certs we have used
+        if (!$signature.Status -ne 'Valid' -or $signature.SignerCertificate.GetCertHashString("SHA256") -ne '2ce11da3a675a9d631e06a28ddfd6f730b9cc6989b43bd30ad7cc79d219cf2bd') {
+          if ('${{ inputs.check-installer-sig }}' -eq 'true') {
+              throw "Invalid CodeSign signature on the downloaded setup!"
+          }
+        }
+
         if ('${{ inputs.check-hash }}' -eq 'true') {
           $hashFile = "$vol\sha512.sum"
           Invoke-WebRequest-With-Retry https://cygwin.com/sha512.sum $hashFile
