Check for unsigned dlls

Author: fdennis

.github/workflows/windows.yml

@@ -109,7 +109,7 @@ jobs:
           echo "${GAC}" > scribe_sa.json
           echo "GOOGLE_APPLICATION_CREDENTIALS=/scribe/scribe_sa.json" >> $GITHUB_ENV
 
-      - name: run scribe sign exe
+      - name: run scribe sign exe and dlls
         run: >
           docker run
           --user $(id -u):$(id -g)
@@ -123,7 +123,7 @@ jobs:
           --synchronous
           --download-artifacts
 
-      - name: unpack signed exe
+      - name: unpack signed exe and dlls
         run: |
           mkdir -p signed
           mv scribe-download/*/sign-source/1.zip signed/
@@ -218,4 +218,19 @@ jobs:
       uses: actions/upload-artifact@v4
       with:
         name: signed-files-and-msi
-        path: ykman-builds-windows/ykman-installer-windows
+        path: ykman-builds-windows/ykman-installer-windows
+
+  verify-signatures:
+    needs: [sign-msi]
+    runs-on: windows-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: signed-files-and-msi
+          path: ykman-builds-windows/ykman-installer-windows
+
+      - name: Check for unsigned DLLs
+        shell: pwsh
+        working-directory: .\ykman-builds-windows\ykman-installer-windows
+        run: .\scripts\verify_dll.ps1

resources/win/verify_dll.ps1

@@ -0,0 +1,15 @@
+# Set-PSDebug -Trace 1
+
+$ErrorActionPreference = "Stop"
+
+$unsignedDlls = Get-ChildItem -Path "ykman" -Recurse -Filter *.dll | 
+  Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } | 
+  Select-Object -ExpandProperty FullName
+
+if ($unsignedDlls) {
+    Write-Host "ERROR: Found unsigned DLL(s):"
+    $unsignedDlls | ForEach-Object { Write-Host "  - $_" }
+    exit 1
+} else {
+    Write-Host "SUCCESS: All DLLs are signed."
+}