Add authenticode validation to Install-PSResource (#632)

Author: alerickson

src/code/InstallHelper.cs

@@ -103,6 +103,12 @@ class InstallPSResource : PSCmdlet
         /// </summary>
         [Parameter]
         public SwitchParameter SkipDependencyCheck { get; set; }
+        
+        /// <summary>
+        /// Check validation for signed and catalog files
+        /// </summary>
+        [Parameter]
+        public SwitchParameter AuthenticodeCheck { get; set; }
 
         /// <summary>
         /// Passes the resource installed to the console.
@@ -310,7 +316,7 @@ protected override void ProcessRecord()
                     {
                         requiredResourceFileStream = sr.ReadToEnd();
                     }
-                    
+
                     Hashtable pkgsInFile = null;
                     try
                     {
@@ -513,6 +519,7 @@ private void ProcessInstallHelper(string[] pkgNames, VersionRange pkgVersion, bo
                 asNupkg: false,
                 includeXML: true,
                 skipDependencyCheck: SkipDependencyCheck,
+                authenticodeCheck: AuthenticodeCheck,
                 savePkg: false,
                 pathsToInstallPkg: _pathsToInstallPkg);
 

src/code/InstallPSResource.cs

@@ -131,6 +131,13 @@ public string Path
         [Parameter]
         public SwitchParameter SkipDependencyCheck { get; set; }
 
+        /// <summary>
+        /// Check validation for signed and catalog files
+
+        /// </summary>
+        [Parameter]
+        public SwitchParameter AuthenticodeCheck { get; set; }
+
         /// <summary>
         /// Suppresses progress information.
         /// </summary>
@@ -259,6 +266,7 @@ private void ProcessSaveHelper(string[] pkgNames, bool pkgPrerelease, string[] p
                 asNupkg: AsNupkg, 
                 includeXML: IncludeXML, 
                 skipDependencyCheck: SkipDependencyCheck,
+                authenticodeCheck: AuthenticodeCheck,
                 savePkg: true,
                 pathsToInstallPkg: new List<string> { _path });
 

src/code/SavePSResource.cs

@@ -111,6 +111,13 @@ public sealed class UpdatePSResource : PSCmdlet
         [Parameter]
         public SwitchParameter SkipDependencyCheck { get; set; }
 
+        /// <summary>
+        /// Check validation for signed and catalog files
+
+        /// </summary>
+        [Parameter]
+        public SwitchParameter AuthenticodeCheck { get; set; }
+
         #endregion
 
         #region Override Methods
@@ -178,6 +185,7 @@ protected override void ProcessRecord()
                 asNupkg: false,
                 includeXML: true,
                 skipDependencyCheck: SkipDependencyCheck,
+                authenticodeCheck: AuthenticodeCheck,
                 savePkg: false,
                 pathsToInstallPkg: _pathsToInstallPkg);
 

src/code/UpdatePSResource.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using Microsoft.Win32.SafeHandles;
 using NuGet.Versioning;
 using System;
 using System.Collections;
@@ -14,6 +15,7 @@
 using System.Management.Automation.Runspaces;
 using System.Runtime.InteropServices;
 using System.Security;
+using System.Security.Cryptography.X509Certificates;
 
 namespace Microsoft.PowerShell.PowerShellGet.UtilClasses
 {
@@ -1126,7 +1128,117 @@ public static Collection<T> InvokeScriptWithHost<T>(
         }
 
         #endregion Methods
-    }
-
+    }
+
+    #endregion
+
+    #region AuthenticodeSignature
+
+    internal static class AuthenticodeSignature
+    {
+        #region Methods
+
+        internal static bool CheckAuthenticodeSignature(string pkgName, string tempDirNameVersion, VersionRange versionRange, List<string> pathsToSearch, string installPath, PSCmdlet cmdletPassedIn, out ErrorRecord errorRecord)
+        {
+            errorRecord = null;
+
+            // Because authenticode and catalog verifications are only applicable on Windows, we allow all packages by default to be installed on unix systems.
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return true;
+            }
+
+            // Check that the catalog file is signed properly
+            string catalogFilePath = Path.Combine(tempDirNameVersion, pkgName + ".cat");
+            if (File.Exists(catalogFilePath))
+            {
+                // Run catalog validation
+                Collection<PSObject> TestFileCatalogResult = new Collection<PSObject>();
+                string moduleBasePath = tempDirNameVersion;
+                try
+                {
+                    // By default "Test-FileCatalog will look through all files in the provided directory, -FilesToSkip allows us to ignore specific files
+                    TestFileCatalogResult = cmdletPassedIn.InvokeCommand.InvokeScript(
+                        script: @"param (
+                                      [string] $moduleBasePath, 
+                                      [string] $catalogFilePath
+                                 ) 
+                                $catalogValidation = Test-FileCatalog -Path $moduleBasePath -CatalogFilePath $CatalogFilePath `
+                                                 -FilesToSkip '*.nupkg','*.nuspec', '*.nupkg.metadata', '*.nupkg.sha512' `
+                                                 -Detailed -ErrorAction SilentlyContinue
+        
+                                if ($catalogValidation.Status.ToString() -eq 'valid' -and $catalogValidation.Signature.Status -eq 'valid') {
+                                    return $true
+                                }
+                                else {
+                                    return $false
+                                }
+                        ",
+                        useNewScope: true,
+                        writeToPipeline: System.Management.Automation.Runspaces.PipelineResultTypes.None,
+                        input: null,
+                        args: new object[] { moduleBasePath, catalogFilePath });
+                }
+                catch (Exception e)
+                {
+                    errorRecord = new ErrorRecord(new ArgumentException(e.Message), "TestFileCatalogError", ErrorCategory.InvalidResult, cmdletPassedIn);
+                    return false;
+                }
+
+                bool catalogValidation = (TestFileCatalogResult[0] != null) ? (bool)TestFileCatalogResult[0].BaseObject : false;
+                if (!catalogValidation)
+                {
+                    var exMessage = String.Format("The catalog file '{0}' is invalid.", pkgName + ".cat");
+                    var ex = new ArgumentException(exMessage);
+
+                    errorRecord = new ErrorRecord(ex, "TestFileCatalogError", ErrorCategory.InvalidResult, cmdletPassedIn);
+                    return false;
+                }
+            }
+
+            Collection<PSObject> authenticodeSignature = new Collection<PSObject>();
+            try
+            {
+                string[] listOfExtensions = { "*.ps1", "*.psd1", "*.psm1", "*.mof", "*.cat", "*.ps1xml" };
+                authenticodeSignature = cmdletPassedIn.InvokeCommand.InvokeScript(
+                    script: @"param (
+                                      [string] $tempDirNameVersion, 
+                                      [string[]] $listOfExtensions
+                                 ) 
+                                 Get-ChildItem $tempDirNameVersion -Recurse -Include $listOfExtensions | Get-AuthenticodeSignature -ErrorAction SilentlyContinue",
+                    useNewScope: true,
+                    writeToPipeline: System.Management.Automation.Runspaces.PipelineResultTypes.None,
+                    input: null,
+                    args: new object[] { tempDirNameVersion, listOfExtensions });
+            }
+            catch (Exception e)
+            {
+                errorRecord = new ErrorRecord(new ArgumentException(e.Message), "GetAuthenticodeSignatureError", ErrorCategory.InvalidResult, cmdletPassedIn);
+                return false;
+            }
+
+            // If the authenticode signature is not valid, return false
+            if (authenticodeSignature.Any() && authenticodeSignature[0] != null)
+            {
+                foreach (var sign in authenticodeSignature)
+                {
+                    Signature signature = (Signature)sign.BaseObject;
+                    if (!signature.Status.Equals(SignatureStatus.Valid))
+                    {
+                        var exMessage = String.Format("The signature for '{0}' is '{1}.", pkgName, signature.Status.ToString());
+                        var ex = new ArgumentException(exMessage);
+                        errorRecord = new ErrorRecord(ex, "GetAuthenticodeSignatureError", ErrorCategory.InvalidResult, cmdletPassedIn);
+
+                        return false;
+                    }
+                }
+            }
+
+            return true;
+        }
+       
+        #endregion
+    }
+
     #endregion
 }

src/code/Utils.cs

@@ -12,14 +12,15 @@ Describe 'Test Install-PSResource for Module' {
         $testModuleName = "test_module"
         $testModuleName2 = "TestModule99"
         $testScriptName = "test_script"
+        $PackageManagement = "PackageManagement"
         $RequiredResourceJSONFileName = "TestRequiredResourceFile.json"
         $RequiredResourcePSD1FileName = "TestRequiredResourceFile.psd1"
         Get-NewPSResourceRepositoryFile
         Register-LocalRepos
     }
 
     AfterEach {
-        Uninstall-PSResource "test_module", "test_module2", "test_script", "TestModule99", "testModuleWithlicense", "TestFindModule","ClobberTestModule1", "ClobberTestModule2" -SkipDependencyCheck -ErrorAction SilentlyContinue
+        Uninstall-PSResource "test_module", "test_module2", "test_script", "TestModule99", "testModuleWithlicense", "TestFindModule","ClobberTestModule1", "ClobberTestModule2", "PackageManagement" -SkipDependencyCheck -ErrorAction SilentlyContinue
     }
 
     AfterAll {
@@ -415,6 +416,56 @@ Describe 'Test Install-PSResource for Module' {
         $res3.Name | Should -Be $testModuleName2
         $res3.Version | Should -Be "0.0.93.0"
     }
+
+    # Install module 1.4.3 (is authenticode signed and has catalog file)
+    # Should install successfully 
+    It "Install modules with catalog file using publisher validation" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name $PackageManagement -Version "1.4.3" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository
+
+        $res1 = Get-PSResource $PackageManagement -Version "1.4.3"
+        $res1.Name | Should -Be $PackageManagement
+        $res1.Version | Should -Be "1.4.3.0"
+    }
+
+    # Install module 1.4.7 (is authenticode signed and has no catalog file)
+    # Should not install successfully 
+    It "Install module with no catalog file" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name $PackageManagement -Version "1.4.7" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository
+
+        $res1 = Get-PSResource $PackageManagement -Version "1.4.7"
+        $res1.Name | Should -Be $PackageManagement
+        $res1.Version | Should -Be "1.4.7.0"    
+    }
+
+    # Install module that is not authenticode signed
+    # Should FAIL to install the  module
+    It "Install module that is not authenticode signed" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name $testModuleName -Version "5.0.0" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.InstallPSResource"
+    }
+    # Install 1.4.4.1 (with incorrect catalog file)
+    # Should FAIL to install the  module
+    It "Install module with incorrect catalog file" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name $PackageManagement -Version "1.4.4.1" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.InstallPSResource"
+    }
+
+    # Install script that is signed
+    # Should install successfully 
+    It "Install script that is authenticode signed" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name "Install-VSCode" -Version "1.4.2" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository
+
+        $res1 = Get-PSResource "Install-VSCode" -Version "1.4.2"
+        $res1.Name | Should -Be "Install-VSCode"
+        $res1.Version | Should -Be "1.4.2.0"
+    }
+
+    # Install script that is not signed
+    # Should throw
+    It "Install script that is not signed" -Skip:(!(Get-IsWindows)) {
+        Install-PSResource -Name "TestTestScript" -Version "1.3.1.1" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.InstallPSResource"
+    }
 }
 
 <# Temporarily commented until -Tag is implemented for this Describe block

test/InstallPSResource.Tests.ps1

@@ -12,6 +12,7 @@ Describe 'Test Save-PSResource for PSResources' {
         $testModuleName = "test_module"
         $testScriptName = "test_script"
         $testModuleName2 = "testmodule99"
+        $PackageManagement = "PackageManagement"
         Get-NewPSResourceRepositoryFile
         Register-LocalRepos
 
@@ -217,6 +218,61 @@ Describe 'Test Save-PSResource for PSResources' {
         $res.Name | Should -Be $testModuleName
         $res.Version | Should -Be "1.0.0.0"
     }
+
+    # Save module 1.4.3 (is authenticode signed and has catalog file)
+    # Should save successfully 
+    It "Save modules with catalog file using publisher validation" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name $PackageManagement -Version "1.4.3" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -Path $SaveDir
+
+        $pkgDir = Get-ChildItem -Path $SaveDir | Where-Object Name -eq $PackageManagement
+        $pkgDir | Should -Not -BeNullOrEmpty
+        $pkgDirVersion = Get-ChildItem -Path $pkgDir.FullName
+        $pkgDirVersion.Name | Should -Be "1.4.3" 
+    }
+
+    # Save module 1.4.7 (is authenticode signed and has NO catalog file)
+    # Should save successfully 
+    It "Save module with no catalog file" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name $PackageManagement -Version "1.4.7" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -Path $SaveDir
+
+        $pkgDir = Get-ChildItem -Path $SaveDir | Where-Object Name -eq $PackageManagement
+        $pkgDir | Should -Not -BeNullOrEmpty
+        $pkgDirVersion = Get-ChildItem -Path $pkgDir.FullName
+        $pkgDirVersion.Name | Should -Be "1.4.7" 
+    }
+
+    # Save module that is not authenticode signed
+    # Should FAIL to save the module
+    It "Save module that is not authenticode signed" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name $testModuleName -Version "5.0.0" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -Path $SaveDir -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.SavePSResource"
+    }
+
+    # Save 1.4.4.1 (with incorrect catalog file)
+    # Should FAIL to save the module
+    It "Save module with incorrect catalog file" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name $PackageManagement -Version "1.4.4.1" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -Path $SaveDir -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.SavePSResource"
+    }
+
+    # Save script that is signed
+    # Should save successfully 
+    It "Save script that is authenticode signed" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name "Install-VSCode" -Version "1.4.2" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -Path $SaveDir
+
+        $pkgDir = Get-ChildItem -Path $SaveDir | Where-Object Name -eq "Install-VSCode.ps1" 
+        $pkgDir | Should -Not -BeNullOrEmpty
+        $pkgName = Get-ChildItem -Path $pkgDir.FullName
+        $pkgName.Name | Should -Be "Install-VSCode.ps1" 
+    }
+
+    # Save script that is not signed
+    # Should throw
+    It "Save script that is not signed" -Skip:(!(Get-IsWindows)) {
+        Save-PSResource -Name "TestTestScript" -Version "1.3.1.1" -AuthenticodeCheck -Repository $PSGalleryName -TrustRepository -ErrorAction SilentlyContinue
+        $Error[0].FullyQualifiedErrorId | Should -be "InstallPackageFailed,Microsoft.PowerShell.PowerShellGet.Cmdlets.SavePSResource"
+    }
+
 <#
     # Tests should not write to module directory
     It "Save specific module resource by name if no -Path param is specifed" {