Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 43 additions & 12 deletions lib/engines/functest/tests/scripts/verify_driver_signed.ps1
Original file line number Diff line number Diff line change
@@ -1,26 +1,57 @@
# Verify the Authenticode signature on @driver_module@.sys in the DriverStore.
# Fails if the signature is missing or invalid.
# Verify the Authenticode signature on @driver_module@ driver package (.sys, .cat, .inf).
# When signtool is available, also cross-checks .sys and .inf hashes against the .cat catalog.

$ErrorActionPreference = 'Stop'

$module = '@driver_module@'
$signtoolPath = '@signtool_path@'

$drv = Get-WindowsDriver -Online |
Where-Object { $_.OriginalFileName -like '*@driver_module@.inf' } |
Where-Object { $_.OriginalFileName -like "*${module}.inf" } |
Select-Object -First 1

if (-not $drv) { throw '@driver_module@.inf not found in the DriverStore' }
if (-not $drv) { throw "${module}.inf not found in the DriverStore" }

$drvDir = Split-Path $drv.OriginalFileName -Parent
$sys = Get-ChildItem $drvDir -Filter '@driver_module@.sys' | Select-Object -First 1

if (-not $sys) { throw '@driver_module@.sys not found in ' + $drvDir }
$sys = Get-ChildItem $drvDir -Filter "${module}.sys" | Select-Object -First 1
$cat = Get-ChildItem $drvDir -Filter '*.cat' | Select-Object -First 1
$inf = Get-ChildItem $drvDir -Filter "${module}.inf" | Select-Object -First 1

if (-not $sys) { throw "${module}.sys not found in $drvDir" }
if (-not $cat) { throw "No .cat file found in $drvDir" }
if (-not $inf) { throw "${module}.inf not found in $drvDir" }

$sig = Get-AuthenticodeSignature $sys.FullName
$catSig = Get-AuthenticodeSignature $cat.FullName
Write-Output "CAT: $($catSig.Status) - Signer: $($catSig.SignerCertificate.Subject)"
if ($catSig.Status -ne 'Valid') {
throw "$($cat.Name) signature invalid: $($catSig.Status)"
}

$sysSig = Get-AuthenticodeSignature $sys.FullName
Write-Output "SYS: $($sysSig.Status) - Signer: $($sysSig.SignerCertificate.Subject)"
if ($sysSig.Status -ne 'Valid') {
throw "${module}.sys signature invalid: $($sysSig.Status)"
}

Write-Output "Signature status: $($sig.Status)"
Write-Output "Signer: $($sig.SignerCertificate.Subject)"
if ($signtoolPath -eq '@signtool_path@' -or -not (Test-Path $signtoolPath)) {
Write-Output "WARN: signtool not available at '$signtoolPath', skipping catalog cross-check"
Write-Output "PASS: ${module} driver is digitally signed (catalog cross-check skipped)"
exit 0
}

Write-Output "Using signtool: $signtoolPath"

& $signtoolPath verify /v /pa /c $cat.FullName $sys.FullName
if ($LASTEXITCODE -ne 0) {
throw "${module}.sys failed catalog verification"
}
Write-Output "SYS->CAT: PASS"

if ($sig.Status -ne 'Valid') {
throw '@driver_module@.sys is NOT signed (status: ' + $sig.Status + ')'
& $signtoolPath verify /v /pa /c $cat.FullName $inf.FullName
if ($LASTEXITCODE -ne 0) {
throw "${module}.inf failed catalog verification"
}
Write-Output "INF->CAT: PASS"

Write-Output 'PASS: Driver is digitally signed'
Write-Output "PASS: ${module} driver package is digitally signed"
Loading