Improve authenticode-signing script to better check for a signature
Our current authenticode-signing.sh script checks two things at the moment:
- Whether a .exe is still unsigned
- Whether removing a signature (using
osslsigncode remove-signature) is producing the same SHA-256 sum as outlined in the SHA-256 sums file.
If both conditions hold it concludes that the bundles are properly signed.
There are ways for improvement here. While I think it's important to check that removing the signature provides the expected unsigned SHA-256 we could try to check the signature directly.
osslsigncode verify -require-leaf-hash comes to mind. We should investigate, though, how that behaves in case of truncated/broken signatures or no signatures at all.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information