Add warning on Windows if files aren't authenticode signed

Author: Steve Lee (POWERSHELL HE/HIM) (from Dev Box)

dsc/Cargo.lock

@@ -3,6 +3,7 @@
 
 use crate::args::{SchemaType, OutputFormat, TraceFormat};
 use crate::resolve::Include;
+use dsc_lib::security::check_file_security;
 use dsc_lib::{
     configure::{
         config_doc::{
@@ -461,6 +462,10 @@ pub fn get_input(input: Option<&String>, file: Option<&String>, parameters_from_
                 }
             }
         } else {
+            if let Err(err) = check_file_security(Path::new(path)) {
+                warn!("{err}");
+            }
+
             // see if an extension should handle this file
             let mut discovery = Discovery::new();
             for extension in discovery.get_extensions(&Capability::Import) {

dsc/src/util.rs

@@ -0,0 +1,22 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+Describe 'Tests for security features' {
+    It 'Unsigned config file gives warning' -Skip:(!$IsWindows) {
+        $null = dsc config get -f $PSScriptRoot/../examples/osinfo_parameters.dsc.yaml 2>$TestDrive/error.log
+        $LASTEXITCODE | Should -Be 0
+        (Get-Content $TestDrive/error.log -Raw) | Should -Match "WARN Authenticode: The file '.*?\\osinfo_parameters.dsc.yaml' is not signed.*?"
+    }
+
+    It 'Unsigned resource manifest gives warning' -Skip:(!$IsWindows) {
+        $null = dsc resource get -r Microsoft/OSInfo 2>$TestDrive/error.log
+        $LASTEXITCODE | Should -Be 0
+        (Get-Content $TestDrive/error.log -Raw) | Should -Match "WARN Authenticode: The file '.*?\\osinfo.dsc.resource.json' is not signed.*?"
+    }
+
+    It 'Unsigned resource executable gives warning' -Skip:(!$IsWindows) {
+        $null = dsc resource get -r Microsoft/OSInfo 2>$TestDrive/error.log
+        $LASTEXITCODE | Should -Be 0
+        (Get-Content $TestDrive/error.log -Raw) | Should -Match "WARN Authenticode: The file '.*?\\osinfo.exe' is not signed.*?"
+    }
+}

dsc/tests/dsc_security.tests.ps1

@@ -49,6 +49,14 @@ tree-sitter-rust = "0.24"
 tree-sitter-dscexpression = { path = "../tree-sitter-dscexpression" }
 uuid = { version = "1.18", features = ["v4"] }
 which = "8.0"
+windows = { version = "0.62", features = [
+    "Win32_Foundation",
+    "Win32_Security",
+    "Win32_Security_Cryptography",
+    "Win32_Security_WinTrust",
+] }
+windows-result = "0.4"
+windows-strings = "0.5"
 
 [dev-dependencies]
 serde_yaml = "0.9"

dsc_lib/Cargo.lock

@@ -6,12 +6,13 @@ pub mod discovery_trait;
 
 use crate::discovery::discovery_trait::{DiscoveryKind, ResourceDiscovery, DiscoveryFilter};
 use crate::extensions::dscextension::{Capability, DscExtension};
+use crate::security::check_file_security;
 use crate::{dscresources::dscresource::DscResource, progress::ProgressFormat};
 use core::result::Result::Ok;
 use semver::{Version, VersionReq};
-use std::collections::BTreeMap;
+use std::{collections::BTreeMap, path::Path};
 use command_discovery::{CommandDiscovery, ImportedManifest};
-use tracing::error;
+use tracing::{error, warn};
 
 #[derive(Clone)]
 pub struct Discovery {
@@ -94,7 +95,7 @@ impl Discovery {
         }
 
         let type_name = type_name.to_lowercase();
-        if let Some(resources) = self.resources.get(&type_name) {
+        let resource = if let Some(resources) = self.resources.get(&type_name) {
             if let Some(version) = version_string {
                 let version = fix_semver(version);
                 if let Ok(version_req) = VersionReq::parse(&version) {
@@ -119,7 +120,15 @@ impl Discovery {
             }
         } else {
             None
+        };
+
+        if let Some(found_resource) = &resource {
+            if let Err(err) = check_file_security(Path::new(&found_resource.path)) {
+                warn!("{err}");
+            }
         }
+
+        resource
     }
 
     /// Find resources based on the required resource types.

dsc_lib/Cargo.toml

@@ -14,6 +14,9 @@ pub enum DscError {
     #[error("{t}: {0}", t = t!("dscerror.adapterNotFound"))]
     AdapterNotFound(String),
 
+    #[error("Authenticode: {0}")]
+    AuthenticodeError(String),
+
     #[error("{t}: {0}", t = t!("dscerror.booleanConversion"))]
     BooleanConversion(#[from] std::str::ParseBoolError),
 
@@ -131,6 +134,9 @@ pub enum DscError {
     #[error("{t}: {0}", t = t!("dscerror.validation"))]
     Validation(String),
 
+    #[error("Which: {0}")]
+    Which(#[from] which::Error),
+
     #[error("YAML: {0}")]
     Yaml(#[from] serde_yaml::Error),
 

dsc_lib/src/discovery/mod.rs

@@ -6,8 +6,9 @@ use jsonschema::Validator;
 use rust_i18n::t;
 use serde::Deserialize;
 use serde_json::{Map, Value};
+use which::which;
 use std::{collections::HashMap, env, process::Stdio};
-use crate::configure::{config_doc::ExecutionKind, config_result::{ResourceGetResult, ResourceTestResult}};
+use crate::{configure::{config_doc::ExecutionKind, config_result::{ResourceGetResult, ResourceTestResult}}, security::check_file_security};
 use crate::dscerror::DscError;
 use super::{dscresource::get_diff, invoke_result::{ExportResult, GetResult, ResolveResult, SetResult, TestResult, ValidateResult, ResourceGetResponse, ResourceSetResponse, ResourceTestResponse, get_in_desired_state}, resource_manifest::{ArgKind, InputKind, Kind, ResourceManifest, ReturnKind, SchemaKind}};
 use tracing::{error, warn, info, debug, trace};
@@ -596,6 +597,11 @@ async fn run_process_async(executable: &str, args: Option<Vec<String>>, input: O
     // the value is based on list result of largest of built-in adapters - WMI adapter ~500KB
     const INITIAL_BUFFER_CAPACITY: usize = 1024*1024;
 
+    let exe = which(executable)?;
+    if let Err(err) = check_file_security(&exe) {
+        warn!("{err}");
+    }
+
     let mut command = Command::new(executable);
     if input.is_some() {
         command.stdin(Stdio::piped());

dsc_lib/src/dscerror.rs

@@ -20,6 +20,7 @@ pub mod parser;
 pub mod progress;
 pub mod util;
 pub mod schemas;
+pub mod security;
 
 i18n!("locales", fallback = "en-us");