[Windows] Add signature validation (#8390)

sergei-pyshnoi · web-flow · commit 6315b7ed2c67 · 2023-10-11T11:02:59.000+02:00
diff --git a/images/win/scripts/ImageHelpers/ImageHelpers.psm1 b/images/win/scripts/ImageHelpers/ImageHelpers.psm1
@@ -57,4 +57,5 @@ Export-ModuleMember -Function @(
     'Get-ModuleVersionAsJob'
     'Use-ChecksumComparison'
     'Get-HashFromGitHubReleaseBody'
+    'Test-FileSignature'
 )
diff --git a/images/win/scripts/ImageHelpers/InstallHelpers.ps1 b/images/win/scripts/ImageHelpers/InstallHelpers.ps1
@@ -29,7 +29,7 @@ function Install-Binary
         [Parameter(Mandatory, ParameterSetName="LocalPath")]
         [String] $FilePath,
         [String[]] $ArgumentList,
-        [String] $ExpectedSignature
+        [String[]] $ExpectedSignature
     )
 
     if ($PSCmdlet.ParameterSetName -eq "LocalPath")
@@ -47,14 +47,13 @@ function Install-Binary
         if ($ExpectedSignature)
         {
             Test-FileSignature -FilePath $filePath -ExpectedThumbprint $ExpectedSignature
-
         }
         else
         {
             throw "ExpectedSignature parameter is specified, but no signature is provided."
         }
     }
-
+ 
     # MSI binaries should be installed via msiexec.exe
     $fileExtension = ([System.IO.Path]::GetExtension($Name)).Replace(".", "")
     if ($fileExtension -eq "msi")
@@ -722,18 +721,27 @@ function Test-FileSignature {
         [Parameter(Mandatory=$true)]
         [string]$FilePath,
         [Parameter(Mandatory=$true)]
-        [string]$ExpectedThumbprint
+        [string[]]$ExpectedThumbprint
     )
- 
+
     $signature = Get-AuthenticodeSignature $FilePath
- 
+
     if ($signature.Status -ne "Valid") {
         throw "Signature status is not valid. Status: $($signature.Status)"
     }
-
-    if ($signature.SignerCertificate.Thumbprint.Contains($ExpectedThumbprint) -ne $true) {
-        throw "Signature thumbprint do not match expected"
+    
+    foreach ($thumbprint in $ExpectedThumbprint) {
+        if ($signature.SignerCertificate.Thumbprint.Contains($thumbprint)) {
+            Write-Output "Signature for $FilePath is valid"
+            $signatureMatched = $true
+            return
+        }
     }
 
-    Write-Output "Signature for $FilePath is valid"
+    if ($signatureMatched) {
+        Write-Output "Signature for $FilePath is valid"
+    }
+    else {
+        throw "Signature thumbprint do not match expected."
+    }
 }
diff --git a/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1 b/images/win/scripts/ImageHelpers/VisualStudioHelpers.ps1
@@ -28,7 +28,8 @@ Function Install-VisualStudio {
         [Parameter(Mandatory)] [String] $Edition,
         [Parameter(Mandatory)] [String] $Channel,
         [Parameter(Mandatory)] [String[]] $RequiredComponents,
-        [String] $ExtraArgs = ""
+        [String] $ExtraArgs = "",
+        [Parameter(Mandatory)] [String] $SignatureThumbprint
     )
 
     $bootstrapperUrl = "https://aka.ms/vs/${Version}/${Channel}/vs_${Edition}.exe"
@@ -40,6 +41,9 @@ Function Install-VisualStudio {
     $BootstrapperName = [IO.Path]::GetFileName($BootstrapperUrl)
     $bootstrapperFilePath = Start-DownloadWithRetry -Url $BootstrapperUrl -Name $BootstrapperName
 
+    # Verify that the bootstrapper is signed by Microsoft
+    Test-FileSignature -FilePath $bootstrapperFilePath -ExpectedThumbprint $SignatureThumbprint
+
     try {
         Write-Host "Enable short name support on Windows needed for Xamarin Android AOT, defaults appear to have been changed in Azure VMs"
         $shortNameEnableProcess = Start-Process -FilePath fsutil.exe -ArgumentList ('8dot3name', 'set', '0') -Wait -PassThru
@@ -124,4 +128,4 @@ function Get-VisualStudioComponents {
     (Get-VisualStudioInstance).Packages | Where-Object type -in 'Component', 'Workload' |
     Sort-Object Id, Version | Select-Object @{n = 'Package'; e = {$_.Id}}, Version |
     Where-Object { $_.Package -notmatch "[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}" }
-}
+}
diff --git a/images/win/scripts/Installers/Install-AWS.ps1 b/images/win/scripts/Installers/Install-AWS.ps1
@@ -10,7 +10,8 @@ Choco-Install -PackageName awscli
 # Install Session Manager Plugin for the AWS CLI
 $sessionManagerName = "SessionManagerPluginSetup.exe"
 $sessionManagerUrl = "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/windows/$sessionManagerName"
-Install-Binary -Url $sessionManagerUrl -Name $sessionManagerName -ArgumentList ("/silent", "/install")
+$sessionManagerSignatureThumbprint = "FF457E5732E98A9F156E657F8CC7C4432507C3BB"
+Install-Binary -Url $sessionManagerUrl -Name $sessionManagerName -ArgumentList ("/silent", "/install")  -ExpectedSignature $sessionManagerSignatureThumbprint
 $env:Path = $env:Path + ";$env:ProgramFiles\Amazon\SessionManagerPlugin\bin"
 
 # Install AWS SAM CLI
diff --git a/images/win/scripts/Installers/Install-AzureCli.ps1 b/images/win/scripts/Installers/Install-AzureCli.ps1
@@ -13,7 +13,8 @@ ${env:AZURE_CONFIG_DIR} = $azureCliConfigPath
 
 #temporary pin 2.52.0 version
 $azCliUrl = 'https://azcliprod.blob.core.windows.net/msi/azure-cli-2.52.0-x64.msi'
-Install-Binary -Url $azCliUrl -Name 'azure-cli.msi'
+$azCliSignatureThumbprint = "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0"
+Install-Binary -Url $azCliUrl -Name 'azure-cli.msi' -ExpectedSignature $azCliSignatureThumbprint
 
 $azureCliExtensionPath = Join-Path $Env:CommonProgramFiles 'AzureCliExtensionDirectory'
 $null = New-Item -ItemType 'Directory' -Path $azureCliExtensionPath
diff --git a/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1 b/images/win/scripts/Installers/Install-AzureCosmosDbEmulator.ps1
@@ -5,7 +5,8 @@
 
 $InstallerName = "AzureCosmosDBEmulator.msi"
 $InstallerUrl = "https://aka.ms/cosmosdb-emulator"
+$SignatureThumbprint = "F372C27F6E052A6BE8BAB3112B465C692196CD6F"
 
-Install-Binary -Url $InstallerUrl -Name $InstallerName
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature $SignatureThumbprint
 
-Invoke-PesterTests -TestFile "Tools" -TestName "Azure Cosmos DB Emulator"
+Invoke-PesterTests -TestFile "Tools" -TestName "Azure Cosmos DB Emulator"
diff --git a/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1 b/images/win/scripts/Installers/Install-BizTalkBuildComponent.ps1
@@ -73,11 +73,16 @@ Write-Host "Unzip $setupZipFile to $setupPath..."
 Extract-7Zip -Path $setupZipFile -DestinationPath $setupPath
 Remove-Item $setupZipFile
 
+# Verify signature
+$BuildComponentSignatureThumbprint = "8740DF4ACB749640AD318E4BE842F72EC651AD80"
+Test-FileSignature -FilePath "$setupPath\Bootstrap.msi" -ExpectedThumbprint $BuildComponentSignatureThumbprint
+Test-FileSignature -FilePath "$setupPath\BuildComponentSetup.msi" -ExpectedThumbprint $BuildComponentSignatureThumbprint
+
 # Install
 Install-Msi -MsiPath "$setupPath\Bootstrap.msi" -LogPath "$setupPath\bootstrap.log"
 Install-Msi -MsiPath "$setupPath\BuildComponentSetup.msi" -LogPath  "$setupPath\buildComponentSetup.log"
 
 Remove-Item $setupPath -Recurse -Force
 
 # Test
-Invoke-PesterTests -TestFile "BizTalk" -TestName "BizTalk Build Component Setup"
+Invoke-PesterTests -TestFile "BizTalk" -TestName "BizTalk Build Component Setup"
diff --git a/images/win/scripts/Installers/Install-Choco.ps1 b/images/win/scripts/Installers/Install-Choco.ps1
@@ -17,8 +17,11 @@ if ($userPath) {
     $env:Path = $systemPath
 }
 
-# Run the installer
-Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+# Verify and run choco installer
+$signatureThumbprint = "83AC7D88C66CB8680BCE802E0F0F5C179722764B"
+$InstallScriptPath = Start-DownloadWithRetry -Url 'https://chocolatey.org/install.ps1'
+Test-FileSignature -FilePath $InstallScriptPath -ExpectedThumbprint $signatureThumbprint
+Invoke-Expression $InstallScriptPath
 
 # Turn off confirmation
 choco feature enable -n allowGlobalConfirmation
diff --git a/images/win/scripts/Installers/Install-Chrome.ps1 b/images/win/scripts/Installers/Install-Chrome.ps1
@@ -4,9 +4,10 @@
 ################################################################################
 
 # Download and install latest Chrome browser
+$ChromeSignatureThumbprint = "2673EA6CC23BEFFDA49AC715B121544098A1284C"
 $ChromeInstallerFile = "googlechromestandaloneenterprise64.msi"
 $ChromeInstallerUrl = "https://dl.google.com/tag/s/dl/chrome/install/${ChromeInstallerFile}"
-Install-Binary -Url $ChromeInstallerUrl -Name $ChromeInstallerFile -ArgumentList @()
+Install-Binary -Url $ChromeInstallerUrl -Name $ChromeInstallerFile -ArgumentList @() -ExpectedSignature $ChromeSignatureThumbprint
 
 # Prepare firewall rules
 Write-Host "Adding the firewall rule for Google update blocking..."
@@ -84,4 +85,4 @@ $PathValue = Get-ItemPropertyValue -Path $regEnvKey -Name 'Path'
 $PathValue += ";$ChromeDriverPath\"
 Set-ItemProperty -Path $regEnvKey -Name 'Path' -Value $PathValue
 
-Invoke-PesterTests -TestFile "Browsers" -TestName "Chrome"
+Invoke-PesterTests -TestFile "Browsers" -TestName "Chrome"
diff --git a/images/win/scripts/Installers/Install-CloudFoundryCli.ps1 b/images/win/scripts/Installers/Install-CloudFoundryCli.ps1
@@ -20,4 +20,8 @@ Extract-7Zip -Path $CloudFoundryArchPath -DestinationPath $CloudFoundryCliPath
 # Add cf to path
 Add-MachinePathItem $CloudFoundryCliPath
 
-Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI"
+# Validate cf signature
+$CloudFoundrySignatureThumbprint = "4C69EDD13930ED01B83DD1D17B09C434DC1F2177"
+Test-FileSignature -FilePath "$CloudFoundryCliPath\cf.exe" -ExpectedThumbprint $CloudFoundrySignatureThumbprint
+
+Invoke-PesterTests -TestFile "CLI.Tools" -TestName "CloudFoundry CLI"
diff --git a/images/win/scripts/Installers/Install-DACFx.ps1 b/images/win/scripts/Installers/Install-DACFx.ps1
@@ -5,7 +5,8 @@
 
 $InstallerName = "DacFramework.msi"
 $InstallerUrl = "https://aka.ms/dacfx-msi"
+$SignatureThumbprint = "72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0"
 
-Install-Binary -Url $InstallerUrl -Name $InstallerName
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature $SignatureThumbprint
 
-Invoke-PesterTests -TestFile "Tools" -TestName "DACFx"
+Invoke-PesterTests -TestFile "Tools" -TestName "DACFx"
diff --git a/images/win/scripts/Installers/Install-Edge.ps1 b/images/win/scripts/Installers/Install-Edge.ps1
@@ -26,13 +26,18 @@ Write-Host "Download Microsoft Edge WebDriver..."
 $EdgeDriverLatestVersion = Get-Content -Path $EdgeDriverVersionFile
 $EdgeDriverArchName = "edgedriver_win64.zip"
 
+
 $EdgeDriverDownloadUrl = "https://msedgedriver.azureedge.net/${EdgeDriverLatestVersion}/${EdgeDriverArchName}"
 
 $EdgeDriverArchPath = Start-DownloadWithRetry -Url $EdgeDriverDownloadUrl -Name $EdgeDriverArchName
 
 Write-Host "Expand Microsoft Edge WebDriver archive..."
 Extract-7Zip -Path $EdgeDriverArchPath -DestinationPath $EdgeDriverPath
 
+#Validate the EdgeDriver signature
+$EdgeDriverSignatureThumbprint = ("7C94971221A799907BB45665663BBFD587BAC9F8", "70E52D50651BB9E8DC08DE566C4DD5713833B038")
+Test-FileSignature -FilePath "$EdgeDriverPath\msedgedriver.exe" -ExpectedThumbprint $EdgeDriverSignatureThumbprint
+
 Write-Host "Setting the environment variables..."
 setx EdgeWebDriver "$EdgeDriverPath" /M
 
diff --git a/images/win/scripts/Installers/Install-Firefox.ps1 b/images/win/scripts/Installers/Install-Firefox.ps1
@@ -45,8 +45,12 @@ $GeckoDriverArchPath = Start-DownloadWithRetry -Url $GeckoDriverDownloadUrl -Nam
 Write-Host "Expand Gecko WebDriver archive..."
 Extract-7Zip -Path $GeckoDriverArchPath -DestinationPath $GeckoDriverPath
 
+# Validate Gecko WebDriver signature
+$GeckoDriverSignatureThumbprint = "1326B39C3D5D2CA012F66FB439026F7B59CB1974"
+Test-FileSignature -FilePath "$GeckoDriverPath/geckodriver.exe" -ExpectedThumbprint $GeckoDriverSignatureThumbprint
+
 Write-Host "Setting the environment variables..."
 Add-MachinePathItem -PathItem $GeckoDriverPath
 setx GeckoWebDriver "$GeckoDriverPath" /M
 
-Invoke-PesterTests -TestFile "Browsers" -TestName "Firefox"
+Invoke-PesterTests -TestFile "Browsers" -TestName "Firefox"
diff --git a/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1 b/images/win/scripts/Installers/Install-GoogleCloudCLI.ps1
@@ -6,6 +6,8 @@
 # https://cloud.google.com/sdk/docs/downloads-interactive
 $googleCloudCLIInstaller = "https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe"
 $argumentList = @("/S", "/allusers", "/noreporting")
-Install-Binary -Url $googleCloudCLIInstaller -Name "GoogleCloudSDKInstaller.exe" -ArgumentList $argumentList
+$googleCloudCLISignatureThumbprint = "2673EA6CC23BEFFDA49AC715B121544098A1284C"
+
+Install-Binary -Url $googleCloudCLIInstaller -Name "GoogleCloudSDKInstaller.exe" -ArgumentList $argumentList -ExpectedSignature $googleCloudCLISignatureThumbprint
 
 Invoke-PesterTests -TestFile "Tools" -TestName "GoogleCloudCLI"
diff --git a/images/win/scripts/Installers/Install-NET48-devpack.ps1 b/images/win/scripts/Installers/Install-NET48-devpack.ps1
@@ -6,8 +6,9 @@
 # .NET 4.8 Dev pack
 $InstallerName = "ndp48-devpack-enu.exe"
 $InstallerUrl = "https://download.visualstudio.microsoft.com/download/pr/014120d7-d689-4305-befd-3cb711108212/0307177e14752e359fde5423ab583e43/${InstallerName}"
+$InstallerSignatureThumbprint = "C82273A065EC470FB1EBDE846A91E6FFB29E9C12"
 $ArgumentList = ("Setup", "/passive", "/norestart")
 
-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature $InstallerSignatureThumbprint
 
-Invoke-PesterTests -TestFile "Tools" -TestName "NET48"
+Invoke-PesterTests -TestFile "Tools" -TestName "NET48"
diff --git a/images/win/scripts/Installers/Install-NET48.ps1 b/images/win/scripts/Installers/Install-NET48.ps1
@@ -6,6 +6,7 @@
 # .NET 4.8 Dev pack
 $InstallerName = "ndp48-x86-x64-allos-enu.exe"
 $InstallerUrl = "https://download.visualstudio.microsoft.com/download/pr/2d6bb6b2-226a-4baa-bdec-798822606ff1/8494001c276a4b96804cde7829c04d7f/${InstallerName}"
+$InstallerSignatureThumbprint = "ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B"
 $ArgumentList = ("Setup", "/passive", "/norestart")
 
-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature $InstallerSignatureThumbprint
diff --git a/images/win/scripts/Installers/Install-PostgreSQL.ps1 b/images/win/scripts/Installers/Install-PostgreSQL.ps1
@@ -48,7 +48,7 @@ do {
 $ErrorActionPreference = $ErrorActionOldValue
 $InstallerName = $InstallerUrl.Split('/')[-1]
 $ArgumentList = ("--install_runtimes 0","--superpassword root","--enable_acledit 1","--unattendedmodeui none","--mode unattended")
-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature (Get-ToolsetContent).postgresql.signature
 
 # Get Path to pg_ctl.exe
 $pgPath = (Get-CimInstance Win32_Service -Filter "Name LIKE 'postgresql-%'").PathName
@@ -79,4 +79,4 @@ $pgService = Get-Service -Name postgresql*
 Stop-Service -InputObject $pgService
 Set-Service -InputObject $pgService -StartupType Disabled
 
-Invoke-PesterTests -TestFile "Databases" -TestName "PostgreSQL"
+Invoke-PesterTests -TestFile "Databases" -TestName "PostgreSQL"
diff --git a/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1 b/images/win/scripts/Installers/Install-SQLPowerShellTools.ps1
@@ -4,16 +4,17 @@
 ################################################################################
 
 $BaseUrl = "https://download.microsoft.com/download/B/1/7/B1783FE9-717B-4F78-A39A-A2E27E3D679D/ENU/x64"
+$SignatureThumbrint = "9ACA9419E53D3C9E56396DD2335FF683A8B0B8F3"
 
 # install required MSIs
 $SQLSysClrTypesName = "SQLSysClrTypes.msi"
 $SQLSysClrTypesUrl = "${BaseUrl}/${SQLSysClrTypesName}"
-Install-Binary -Url $SQLSysClrTypesUrl -Name $SQLSysClrTypesName
+Install-Binary -Url $SQLSysClrTypesUrl -Name $SQLSysClrTypesName -ExpectedSignature $SignatureThumbrint
 
 $SharedManagementObjectsName = "SharedManagementObjects.msi"
 $SharedManagementObjectsUrl = "${BaseUrl}/${SharedManagementObjectsName}"
-Install-Binary -Url $SharedManagementObjectsUrl -Name $SharedManagementObjectsName
+Install-Binary -Url $SharedManagementObjectsUrl -Name $SharedManagementObjectsName -ExpectedSignature $SignatureThumbrint
 
 $PowerShellToolsName = "PowerShellTools.msi"
 $PowerShellToolsUrl = "${BaseUrl}/${PowerShellToolsName}"
-Install-Binary -Url $PowerShellToolsUrl -Name $PowerShellToolsName
+Install-Binary -Url $PowerShellToolsUrl -Name $PowerShellToolsName -ExpectedSignature $SignatureThumbrint
diff --git a/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1 b/images/win/scripts/Installers/Install-ServiceFabricSDK.ps1
@@ -15,11 +15,11 @@ $serviceFabricSDKVersion = (Get-ToolsetContent).serviceFabric.sdk.version
 $InstallerName = "MicrosoftServiceFabric.${serviceFabricRuntimeVersion}.exe"
 $InstallerUrl = "https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/${InstallerName}"
 $ArgumentList = ("/accepteula ","/quiet","/force")
-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList -ExpectedSignature (Get-ToolsetContent).serviceFabric.runtime.signature
 
 # Install Service Fabric SDK
 $InstallerName = "MicrosoftServiceFabricSDK.${serviceFabricSDKVersion}.msi"
 $InstallerUrl = "https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/${InstallerName}"
-Install-Binary -Url $InstallerUrl -Name $InstallerName
+Install-Binary -Url $InstallerUrl -Name $InstallerName -ExpectedSignature (Get-ToolsetContent).serviceFabric.sdk.signature
 
-Invoke-PesterTests -TestFile "Tools" -TestName "ServiceFabricSDK"
+Invoke-PesterTests -TestFile "Tools" -TestName "ServiceFabricSDK" 
diff --git a/images/win/scripts/Installers/Install-VCRedist.ps1 b/images/win/scripts/Installers/Install-VCRedist.ps1
@@ -8,8 +8,9 @@ $vc2010x86URI = "https://download.microsoft.com/download/1/6/5/165255E7-1014-4D0
 $vc2010x64Name = "vcredist_x64.exe"
 $vc2010x64URI = "https://download.microsoft.com/download/1/6/5/165255E7-1014-4D0A-B094-B6A430A6BFFC/${Vc2010x64Name}"
 $argumentList = ("/install", "/quiet", "/norestart")
+$vcSignatureThumbprint = "ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B"
 
-Install-Binary -Url $vc2010x86URI -Name $vc2010x86Name -ArgumentList $argumentList
-Install-Binary -Url $vc2010x64URI -Name $vc2010x64Name -ArgumentList $argumentList
+Install-Binary -Url $vc2010x86URI -Name $vc2010x86Name -ArgumentList $argumentList -ExpectedSignature $vcSignatureThumbprint
+Install-Binary -Url $vc2010x64URI -Name $vc2010x64Name -ArgumentList $argumentList -ExpectedSignature $vcSignatureThumbprint
 
 Invoke-PesterTests -TestFile "Tools" -TestName "VCRedist"
diff --git a/images/win/scripts/Installers/Install-VS.ps1 b/images/win/scripts/Installers/Install-VS.ps1
@@ -11,7 +11,8 @@ Install-VisualStudio `
     -Edition $toolset.visualStudio.edition `
     -Channel $toolset.visualStudio.channel `
     -RequiredComponents $toolset.visualStudio.workloads `
-    -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64"
+    -ExtraArgs "--allWorkloads --includeRecommended --remove Component.CPython3.x64" `
+    -SignatureThumbprint $toolset.visualStudio.signature
 
 # Find the version of VS installed for this instance
 # Only supports a single instance
@@ -30,25 +31,29 @@ $newContent = '{"Extensions":[{"Key":"1e906ff5-9da8-4091-a299-5c253c55fdc9","Val
 Set-Content -Path "$vsInstallRoot\Common7\IDE\Extensions\MachineState.json" -Value $newContent
 
 if (Test-IsWin19) {
+    
 	# Install Windows 10 SDK version 10.0.14393.795
+    $sdkSignatureThumbprint = "C91545B333C52C4465DE8B90A3FAF4E1D9C58DFA"
 	$sdkUrl = "https://go.microsoft.com/fwlink/p/?LinkId=838916"
 	$sdkFileName = "sdksetup14393.exe"
 	$argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.WindowsSoftwareDevelopmentKit")
-	Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList
-
+	Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint
+    
 	# Install Windows 11 SDK version 10.0.22621.0
-        $sdkUrl = "https://go.microsoft.com/fwlink/p/?linkid=2196241"
-        $sdkFileName = "sdksetup22621.exe"
-        $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64")
-        Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList
+    $sdkSignatureThumbprint = "E4C5C5FCDB68B930EE4E19BC25D431EF6D864C51"
+    $sdkUrl = "https://go.microsoft.com/fwlink/p/?linkid=2196241"
+    $sdkFileName = "sdksetup22621.exe"
+    $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64")
+    Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint   
 }
 
-if (Test-IsWin22) {
+if (Test-IsWin22) {    
     # Install Windows 10 SDK version 10.0.17763
+    $sdkSignatureThumbprint = "7535269B94C1FEA4A5EF6D808E371DA242F27936"
     $sdkUrl = "https://go.microsoft.com/fwlink/p/?LinkID=2033908"
     $sdkFileName = "sdksetup17763.exe"
     $argumentList = ("/q", "/norestart", "/ceip off", "/features OptionId.UWPManaged OptionId.UWPCPP OptionId.UWPLocalized OptionId.DesktopCPPx86 OptionId.DesktopCPPx64 OptionId.DesktopCPParm64")
-    Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList
+    Install-Binary -Url $sdkUrl -Name $sdkFileName -ArgumentList $argumentList -ExpectedSignature $sdkSignatureThumbprint
 }
 
 Invoke-PesterTests -TestFile "VisualStudio"
diff --git a/images/win/scripts/Installers/Install-WDK.ps1 b/images/win/scripts/Installers/Install-WDK.ps1
diff --git a/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1 b/images/win/scripts/Installers/Install-WebPlatformInstaller.ps1
diff --git a/images/win/scripts/Installers/Install-WinAppDriver.ps1 b/images/win/scripts/Installers/Install-WinAppDriver.ps1
diff --git a/images/win/toolsets/toolset-2019.json b/images/win/toolsets/toolset-2019.json
diff --git a/images/win/toolsets/toolset-2022.json b/images/win/toolsets/toolset-2022.json

Original file line number	Diff line number	Diff line change
`@@ -57,4 +57,5 @@ Export-ModuleMember -Function @(`
`57`	`57`	`'Get-ModuleVersionAsJob'`
`58`	`58`	`'Use-ChecksumComparison'`
`59`	`59`	`'Get-HashFromGitHubReleaseBody'`
	`60`	`+ 'Test-FileSignature'`
`60`	`61`	`)`