Added malware scan on batch_sign

.github/workflows/test.yml

@@ -151,3 +151,41 @@ jobs:
         with:
           name: batch-sign
           path: ./artifacts
+
+  batch-sign-scan-code:
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    needs: ['batch-sign']
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Create multiple Input file for test signing
+        shell: bash
+        run: |
+          mkdir -p ${GITHUB_WORKSPACE}/example
+          echo 'Write-Output -InputObject "Happy Signing From ESigner.com for Batch Sign 1!"' > ${GITHUB_WORKSPACE}/example/batch1.ps1
+          echo 'Write-Output -InputObject "Happy Signing From ESigner.com for Batch Sign 2!"' > ${GITHUB_WORKSPACE}/example/batch2.ps1
+          echo 'Write-Output -InputObject "Happy Signing From ESigner.com for Batch Sign 3!"' > ${GITHUB_WORKSPACE}/example/batch3.ps1
+          cp ./sample/minimal.exe ${GITHUB_WORKSPACE}/example/minimal.exe
+          cp ./sample/minimal.msi ${GITHUB_WORKSPACE}/example/minimal.msi
+
+      - uses: ./
+        with:
+          command: batch_sign
+          username: ${{ secrets.ES_USERNAME }}
+          password: ${{ secrets.ES_PASSWORD }}
+          credential_id: ${{ secrets.CREDENTIAL_ID }}
+          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+          dir_path: ${GITHUB_WORKSPACE}/example
+          output_path: ${GITHUB_WORKSPACE}/artifacts
+          environment_name: TEST
+          malware_block: true
+          jvm_max_memory: 4096M
+
+      - name: Upload Signed Files
+        uses: actions/upload-artifact@v3
+        with:
+          name: batch-sign
+          path: ./artifacts

README.md

@@ -39,6 +39,7 @@
     output_path: ${GITHUB_WORKSPACE}/artifacts
 
     # Scans your file for any possible malware in order to avoid code compromise and prevents signing of code if malware is detected.
+    # On batch_sign command: If you are getting 'Error: hash needs to be scanned first before submitting for signing: <hash_value>', you can set this value to true
     malware_block: false
 
     # Overrides the input file after signing, if this parameter is set and no -output_dir_path parameter

src/constants.ts

@@ -13,10 +13,12 @@ export const CODESIGNTOOL_UNIX_RUN_CMD = 'CodeSignTool.sh';
 
 export const ACTION_SIGN = 'sign';
 export const ACTION_BATCH_SIGN = 'batch_sign';
+export const ACTION_SCAN_CODE = 'scan_code';
 
 export const SUPPORT_COMMANDS = new Map<string, string[]>([
     ['sign', ['username', 'password', 'credential_id', 'totp_secret', 'program_name', 'file_path', 'output_path', 'malware_block', 'override']],
-    ['batch_sign', ['username', 'password', 'credential_id', 'totp_secret', 'program_name', 'dir_path', 'output_path']]
+    ['batch_sign', ['username', 'password', 'credential_id', 'totp_secret', 'program_name', 'dir_path', 'output_path']],
+    ['scan_code', ['username', 'password', 'credential_id', 'program_name']]
 ]);
 
 export const INPUT_COMMAND = 'command';

src/main.ts

@@ -3,7 +3,7 @@ import * as exec from '@actions/exec';
 
 import fs from 'fs';
 import path from 'path';
-import { INPUT_CLEAN_LOGS } from './constants';
+import { ACTION_BATCH_SIGN, INPUT_CLEAN_LOGS, INPUT_COMMAND, INPUT_MALWARE_BLOCK } from './constants';
 
 import { CodeSigner } from './setup-codesigner/codesigner';
 import { JavaDistribution } from './setup-jdk/installer';
@@ -14,7 +14,8 @@ async function run(): Promise<void> {
         core.debug('Run CodeSigner');
         core.debug('Running ESigner.com CodeSign Action ====>');
 
-        let command = inputCommands();
+        let action = `${core.getInput(INPUT_COMMAND)}`;
+        let command = inputCommands(action);
         core.info(`Input Commands: ${command}`);
 
         const codesigner = new CodeSigner();
@@ -26,6 +27,17 @@ async function run(): Promise<void> {
         const distribution = new JavaDistribution();
         await distribution.setup();
 
+        let malware_scan = `${core.getInput(INPUT_MALWARE_BLOCK, { required: false })}`;
+        core.info(`Malware scan is: ${malware_scan.toUpperCase() == 'TRUE' ? 'enabled' : 'disabled'}`);
+        if (action == ACTION_BATCH_SIGN && malware_scan.toUpperCase() == 'TRUE') {
+            const scan_result = await codesigner.scanCode(execCommand, action);
+            if (!scan_result) {
+                core.info('');
+                core.setFailed('Something Went Wrong. Please try again.');
+                return;
+            }
+        }
+
         const result = await exec.getExecOutput(command, [], { windowsVerbatimArguments: false });
 
         const clean_logs = core.getBooleanInput(INPUT_CLEAN_LOGS);

src/setup-codesigner/codesigner.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
 import * as tc from '@actions/tool-cache';
 
 import fs, { copyFileSync, mkdirSync, writeFileSync, chmodSync, readFileSync, existsSync } from 'fs';
@@ -11,11 +12,17 @@ import {
     PRODUCTION_ENVIRONMENT_NAME,
     INPUT_ENVIRONMENT_NAME,
     INPUT_JVM_MAX_MEMORY,
-    WINDOWS
+    WINDOWS,
+    INPUT_DIR_PATH,
+    INPUT_USERNAME,
+    INPUT_PASSWORD,
+    INPUT_CREDENTIAL_ID,
+    INPUT_PROGRAM_NAME,
+    ACTION_SCAN_CODE
 } from '../constants';
 import { CODESIGNTOOL_PROPERTIES, CODESIGNTOOL_DEMO_PROPERTIES } from '../config';
 
-import { extractZip, getPlatform, listFiles, userShell } from '../util';
+import { extractZip, getInput, getPlatform, listFiles, setCommand, userShell } from '../util';
 
 export class CodeSigner {
     constructor() {}
@@ -66,4 +73,37 @@ export class CodeSigner {
         execCmd = execCmd.trimStart().trimEnd();
         return execCmd;
     }
+
+    public async scanCode(execCommand: string, action: string): Promise<boolean> {
+        let command = `${ACTION_SCAN_CODE}`;
+        command = setCommand(INPUT_USERNAME, command, action);
+        command = setCommand(INPUT_PASSWORD, command, action);
+        command = setCommand(INPUT_CREDENTIAL_ID, command, action);
+        command = setCommand(INPUT_PROGRAM_NAME, command, action);
+
+        let input_path = path.normalize(getInput(INPUT_DIR_PATH));
+        const files = fs.readdirSync(input_path);
+        for (const file of files) {
+            let fullPath = path.join(input_path, file);
+            let scan_code = `${command} -input_file_path=${fullPath}`;
+            scan_code = `${execCommand} ${scan_code}`;
+            core.info(`CodeSigner scan code command: ${scan_code}`);
+            const result = await exec.getExecOutput(scan_code, [], { windowsVerbatimArguments: false });
+            if (
+                result.stdout.includes('Error') ||
+                result.stdout.includes('Exception') ||
+                result.stdout.includes('Missing required option') ||
+                result.stdout.includes('Unmatched arguments from') ||
+                result.stderr.includes('Error') ||
+                result.stderr.includes('Exception') ||
+                result.stderr.includes('Missing required option') ||
+                result.stderr.includes('Unmatched arguments from') ||
+                result.stderr.includes('Unmatched argument')
+            ) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

src/util.ts

@@ -92,8 +92,7 @@ export function listFiles(path: string): void {
     });
 }
 
-export function inputCommands(): string {
-    let action = `${core.getInput(INPUT_COMMAND)}`;
+export function inputCommands(action: string): string {
     let command = `${core.getInput(INPUT_COMMAND)}`;
     command = setCommand(INPUT_USERNAME, command, action);
     command = setCommand(INPUT_PASSWORD, command, action);
@@ -108,8 +107,12 @@ export function inputCommands(): string {
     return command;
 }
 
+export function getInput(inputKey: string) {
+    return replaceEnv(core.getInput(inputKey));
+}
+
 export function setCommand(inputKey: string, command: string, action: string): string {
-    let input = replaceEnv(core.getInput(inputKey));
+    let input = getInput(inputKey);
     if (input == '') {
         return command;
     }