ci(windows): detect untrusted root via structured signature status

The previous text match on signtool output was flaky: signtool interleaves
stdout (chain details) and stderr (error), so the wrapped "untrusted root"
phrase stayed contiguous for one file but was split for another, causing the
verify step to pass orca-slicer.exe but throw on OrcaSlicer.dll.

Use Get-AuthenticodeSignature instead, whose StatusMessage is a single clean
string, to decide the untrusted-root exception. signtool remains the strict
primary check; this only governs the -AllowUntrustedRoot test-cert path.
SoftFever
2026-05-30 09:59:55 +08:00
parent ad737d1080
commit a913e2bcd8

@@ -89,13 +89,19 @@ foreach ($relativePath in $Files) {
continue
}
# signtool wraps the message across lines, so normalize whitespace before matching.
$normalizedOutput = (($output | Out-String) -replace "\s+", " ")
$isUntrustedRoot = $normalizedOutput -match "terminated in a root certificate which is not trusted by the trust provider"
if ($AllowUntrustedRoot -and $isUntrustedRoot) {
Write-Host " Accepted: '$relativePath' is signed but its certificate chains to an untrusted root (expected for the SignPath test certificate)."
continue
if ($AllowUntrustedRoot) {
# signtool interleaves its stdout (chain details) and stderr (the error)
# unpredictably, so the error text cannot be matched reliably. Use the
# structured Get-AuthenticodeSignature result instead: accept only when the
# file is genuinely signed and the sole problem is that the chain terminates
# in an untrusted root (i.e. the self-signed SignPath test certificate).
$signature = Get-AuthenticodeSignature -LiteralPath $filePath
$isSigned = ($signature.SignatureType -eq "Authenticode") -and ($null -ne $signature.SignerCertificate)
$untrustedRootOnly = $signature.StatusMessage -match "terminated in a root certificate which is not trusted"
if ($isSigned -and $untrustedRootOnly) {
Write-Host " Accepted: '$relativePath' is signed but its certificate chains to an untrusted root (expected for the SignPath test certificate)."
continue
}
}
throw "SignTool verification failed for '$relativePath' with exit code $exitCode."
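Review bot: the accept branch is broader than its comment claims. Lines `$isSigned = ($signature.SignatureType -eq "Authenticode") -and ($null -ne $signature.SignerCertificate)` and `$untrustedRootOnly = $signature.StatusMessage -match "terminated in a root certificate which is not trusted"` accept any Authenticode signature whose chain ends in any untrusted root, not specifically "the self-signed SignPath test certificate" named in the comment above them, so with -AllowUntrustedRoot a binary signed by an arbitrary self-signed certificate passes the verify step. Pin the exception to the expected signer, e.g. add `-and ($signature.SignerCertificate.Thumbprint -eq $ExpectedTestCertThumbprint)` (a parameter or constant holding the known SignPath test-cert thumbprint) to the `if ($isSigned -and $untrustedRootOnly)` condition, or at least compare `$signature.SignerCertificate.Subject` against the expected subject. Two smaller points: the `-match` is still a free-text regex on an English status message, so consider checking `$signature.Status` alongside it rather than relying on the wording alone; and `$filePath` is not defined within this hunk, so a one-line comment noting where the resolved path comes from would help the next reader.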