Improve authenticode-signing script to better check for a signature
Our current authenticode-signing.sh
script checks two things at the moment:
- Whether a .exe is still unsigned
- Whether removing a signature (using
osslsigncode remove-signature
) is producing the same SHA-256 sum as outlined in the SHA-256 sums file.
If both conditions hold it concludes that the bundles are properly signed.
There are ways for improvement here. While I think it's important to check that removing the signature provides the expected unsigned SHA-256 we could try to check the signature directly.
osslsigncode verify -require-leaf-hash
comes to mind. We should investigate, though, how that behaves in case of truncated/broken signatures or no signatures at all.