Check files are signed after Submit-SigningRequest#19113
Merged
Conversation
Member
Author
|
@michaelDCurran thoughts on this? Any ideas on how we can test? I thought about just intentionally bypassing the |
Contributor
There was a problem hiding this comment.
Pull Request Overview
Adds a post-signing validation step to ensure artifacts are actually signed after Submit-SigningRequest completes, failing CI with diagnostic details if validation fails.
- Verify signature with Get-AuthenticodeSignature and check Status
- On invalid signature, append formatted details to $GITHUB_STEP_SUMMARY and exit 1
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
6ddb54d to
e30d29b
Compare
Member
|
Yeah, I think just intentionally not making the call will be a good
enough test.
The file will then be not signed and will fail the signing check.
|
LeonarddeR
reviewed
Oct 21, 2025
Member
Author
|
@michaelDCurran NB my notes about some executables still not being signed in the testing section of the PR description |
Collaborator
|
The remote loaders should definitely be signed. They Are signed in 2025.3 at least. |
michaelDCurran
approved these changes
Oct 24, 2025
bramd
pushed a commit
to bramd/nvda
that referenced
this pull request
Nov 11, 2025
Fixes nvaccess#19099 Supersedes nvaccess#18384 ### Summary of the issue: Some files are not signed some of the time ### Description of user facing changes: None ### Description of developer facing changes: In the case of alpha, beta, rc, stable and try builds, failure to sign the launcher or most of our executables will fail the build. All CI builds now run serially to avoid race conditions. ### Description of development approach: Set the `ErrorAction` common parameter on `Send-SigningRequest` to `Stop` to cause the signing script to fail if the cmd-let fails. Use `Get-AuthenticodeSignature` to verify the signature of files after `Submit-SigningRequest` returns. ### Testing strategy: CI * [x] Successful signing: https://github.com/nvaccess/nvda/actions/runs/18733609673 * Note that this run's failure was due to a system test failure * Checked that the launcher and all `dll` and `exe` files are signed. Found unsigned `exe`s and `dll` s by unzipping the controller client and launcher into the same directory, and running: ```ps1 (Get-ChildItem -Recurse -Include *.exe, *.dll -Name | Get-AuthenticodeSignature | where-object {$_.Status -ne 'Valid'}).Path ``` The following files do not have valid signatures: * `app\brailleDisplayDrivers\lilli.dll` * `app\miscDeps\tools\msgfmt.exe` * `app\synthDrivers\espeak.dll` * `app\synthDrivers\sonic.dll` * `app\brlapi-0.8.dll` * `app\libgcc_s_dw2-1.dll` * `app\wxbase32u_net_vc140.dll` * `app\wxbase32u_vc140.dll` * `app\wxmsw32u_aui_vc140.dll` * `app\wxmsw32u_core_vc140.dll` * `app\wxmsw32u_html_vc140.dll` * `app\wxmsw32u_stc_vc140.dll` * `Banner.dll` * `System.dll` However, as best as I can tell, we never attempt to sign these files. * [x] Intentionally don't sign a DLL: https://github.com/nvaccess/nvda/actions/runs/18703904287 * [x] Intentionally don't sign the launcher: https://github.com/nvaccess/nvda/actions/runs/18707118372 ### Known issues with pull request: None
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Link to issue number:
Fixes #19099
Supersedes #18384
Summary of the issue:
Some files are not signed some of the time
Description of user facing changes:
None
Description of developer facing changes:
In the case of alpha, beta, rc, stable and try builds, failure to sign the launcher or most of our executables will fail the build.
All CI builds now run serially to avoid race conditions.
Description of development approach:
Set the
ErrorActioncommon parameter onSend-SigningRequesttoStopto cause the signing script to fail if the cmd-let fails.Use
Get-AuthenticodeSignatureto verify the signature of files afterSubmit-SigningRequestreturns.Testing strategy:
CI
Successful signing: https://github.com/nvaccess/nvda/actions/runs/18733609673
Note that this run's failure was due to a system test failure
Checked that the launcher and all
dllandexefiles are signed. Found unsignedexes anddlls by unzipping the controller client and launcher into the same directory, and running:The following files do not have valid signatures:
app\brailleDisplayDrivers\lilli.dllapp\miscDeps\tools\msgfmt.exeapp\synthDrivers\espeak.dllapp\synthDrivers\sonic.dllapp\brlapi-0.8.dllapp\libgcc_s_dw2-1.dllapp\wxbase32u_net_vc140.dllapp\wxbase32u_vc140.dllapp\wxmsw32u_aui_vc140.dllapp\wxmsw32u_core_vc140.dllapp\wxmsw32u_html_vc140.dllapp\wxmsw32u_stc_vc140.dllBanner.dllSystem.dllHowever, as best as I can tell, we never attempt to sign these files.
Intentionally don't sign a DLL: https://github.com/nvaccess/nvda/actions/runs/18703904287
Intentionally don't sign the launcher: https://github.com/nvaccess/nvda/actions/runs/18707118372
Known issues with pull request:
None
Code Review Checklist: