From a913e2bcd8b33274f88a3047875c4eb373c75553 Mon Sep 17 00:00:00 2001
From: SoftFever
Date: Sat, 30 May 2026 09:59:55 +0800
Subject: [PATCH] ci(windows): detect untrusted root via structured signature status
The previous text match on signtool output was flaky: signtool interleaves stdout (chain details) and stderr (error), so the wrapped "untrusted root" phrase stayed contiguous for one file but was split for another, causing the verify step to pass orca-slicer.exe but throw on OrcaSlicer.dll. Use Get-AuthenticodeSignature instead, whose StatusMessage is a single clean string, to decide the untrusted-root exception. signtool remains the strict primary check; this only governs the -AllowUntrustedRoot test-cert path.
---
scripts/verify-authenticode.ps1 | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/scripts/verify-authenticode.ps1 b/scripts/verify-authenticode.ps1
index 69394d8205..9edb91d057 100644
--- a/scripts/verify-authenticode.ps1
+++ b/scripts/verify-authenticode.ps1
@@ -89,13 +89,19 @@ foreach ($relativePath in $Files) {
 continue
 }
- # signtool wraps the message across lines, so normalize whitespace before matching.
- $normalizedOutput = (($output | Out-String) -replace "\s+", " ")
- $isUntrustedRoot = $normalizedOutput -match "terminated in a root certificate which is not trusted by the trust provider"
-
- if ($AllowUntrustedRoot -and $isUntrustedRoot) {
- Write-Host " Accepted: '$relativePath' is signed but its certificate chains to an untrusted root (expected for the SignPath test certificate)."
- continue
+ if ($AllowUntrustedRoot) {
+ # signtool interleaves its stdout (chain details) and stderr (the error)
+ # unpredictably, so the error text cannot be matched reliably. Use the
+ # structured Get-AuthenticodeSignature result instead: accept only when the
+ # file is genuinely signed and the sole problem is that the chain terminates
+ # in an untrusted root (i.e. the self-signed SignPath test certificate).
+ $signature = Get-AuthenticodeSignature -LiteralPath $filePath
+ $isSigned = ($signature.SignatureType -eq "Authenticode") -and ($null -ne $signature.SignerCertificate)
+ $untrustedRootOnly = $signature.StatusMessage -match "terminated in a root certificate which is not trusted"
+ if ($isSigned -and $untrustedRootOnly) {
+ Write-Host " Accepted: '$relativePath' is signed but its certificate chains to an untrusted root (expected for the SignPath test certificate)."
+ continue
+ }
 }
 throw "SignTool verification failed for '$relativePath' with exit code $exitCode."