
feat(scripts): add verify-msi.ps1 for client-side MSI integrity check#112

Merged

ashishkurmi merged 1 commit into step-security:main from raysubham:subham/feat/msi-verify-script on May 26, 2026

Conversation

@raysubham
Contributor

Summary

Standalone PowerShell verifier IT admins run on a staging workstation
before pushing an MSI to SCCM / Intune / GPO. It confirms the MSI on
disk matches the SHA-256 covered by the release operator's Ed25519
signature (*.sha256.sig sidecar already published with each release),
independent of Windows Authenticode trust.

The same Ed25519 trust path the loader script uses for .exe updates
now applies to the MSI install vehicle.

Why

MDM deployments (SCCM/Intune/GPO) have no loader. Admins currently have
no native, zero-dep way to verify the downloaded MSI before staging it
to distribution points. cosign verify-blob works but needs cosign
installed; gh attestation verify needs the GH CLI. The new script
needs only OpenSSH 8.0+ (built into Windows 10 2004+ / Windows 11 /
Server 2022) and is fully offline once the MSI + .sha256.sig are
downloaded.

What it does

  • Computes SHA-256 of the MSI.
  • Decodes the .sha256.sig base64 envelope back to an SSH signature
    blob.
  • Calls ssh-keygen -Y verify with pinned pubkey, identity
    (releases@stepsecurity.io), and namespace
    (stepsecurity-mdm-checksum).
  • Exits 0 on match, 1 on mismatch/tamper, 2 for missing files,
    3 if ssh-keygen lacks -Y verify support.

Sidecar path auto-derived from $Msi.sha256.sig; can be overridden via
-Sig. ssh-keygen discovery probes PATH first, then Git-for-Windows
and other known fallback locations.

Test plan

Verified end-to-end on Windows against the v1.11.3 arm64 release:

  • Untouched MSI -> [OK] Signature VERIFIED, exit 0
  • Single-byte flip at offset 100 -> [FAIL] DO NOT INSTALL, exit 1
  • Missing sidecar -> [FAIL] Signature sidecar not found, exit 2
  • Sidecar passed via -Sig override -> exit 0
  • One-arg form (auto-derive sidecar) -> exit 0

Crypto path also cross-checked on macOS using shasum -a 256 +
ssh-keygen -Y verify directly against the same v1.11.3 artifacts
(pass and tamper cases both behave as expected).

Follow-ups (not in this PR)

  • Customer-facing docs section for the SCCM page on docs.stepsecurity.io
    is drafted separately and will be handed to the docs team.
  • Pre-release / on-demand test-build MSIs do not currently emit
    .sha256.sig sidecars. Worth wiring up so UAT builds are also
    verifiable.
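The verification flow the description lists (hash, decode sidecar, pinned-key ssh-keygen -Y verify, exit codes 0/1/2/3), as an added example that is not the PR's verify-msi.ps1 or any other project code; the pinned public key is a placeholder, the fallback ssh-keygen paths are assumed, and the signed message is assumed to be the lowercase hex digest followed by a newline, which the page does not state.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$Msi,
    [string]$Sig = "$Msi.sha256.sig"   # sidecar auto-derived; override with -Sig
)
# Pinned release key (PLACEHOLDER: the real published key is not on this page).
$PinnedKey = 'ssh-ed25519 <PASTE-PUBLISHED-RELEASE-PUBLIC-KEY-HERE>'
$Identity  = 'releases@stepsecurity.io'
$Namespace = 'stepsecurity-mdm-checksum'

if (-not (Test-Path -LiteralPath $Msi) -or -not (Test-Path -LiteralPath $Sig)) {
    Write-Host "[FAIL] MSI or signature sidecar not found"; exit 2
}

# Locate ssh-keygen: PATH first, then fallback locations (assumed, not from the PR).
$exe = (Get-Command ssh-keygen -ErrorAction SilentlyContinue).Source
if (-not $exe) {
    $exe = @("$env:SystemRoot\System32\OpenSSH\ssh-keygen.exe",
             "$env:ProgramFiles\Git\usr\bin\ssh-keygen.exe") |
           Where-Object { Test-Path $_ } | Select-Object -First 1
}
if (-not $exe) { Write-Host "[FAIL] ssh-keygen not found"; exit 3 }
# Pre-8.0 ssh-keygen rejects -Y as an unknown option; detect that before trusting its exit code.
if ((& $exe -Y verify 2>&1 | Out-String) -match 'unknown option|illegal option') {
    Write-Host "[FAIL] ssh-keygen lacks -Y verify support"; exit 3
}

$digest = (Get-FileHash -LiteralPath $Msi -Algorithm SHA256).Hash.ToLowerInvariant()
$work = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    # allowed_signers pins identity -> key: a valid signature from any other key still fails.
    $signers = Join-Path $work 'allowed_signers'
    [IO.File]::WriteAllText($signers, "$Identity $PinnedKey`n")
    # Decode the base64 envelope back into the SSHSIG blob that ssh-keygen expects.
    $sigBlob = Join-Path $work 'msi.sshsig'
    [IO.File]::WriteAllBytes($sigBlob, [Convert]::FromBase64String((Get-Content -LiteralPath $Sig -Raw).Trim()))
    # Signed message: assumed to be the hex digest plus "\n" (exact format not stated on the page).
    $msg = Join-Path $work 'digest.txt'
    [IO.File]::WriteAllText($msg, "$digest`n")
    # Feed the message via stdin redirection so no extra CRLF is appended by the pipeline.
    $p = Start-Process -FilePath $exe -Wait -PassThru -NoNewWindow -RedirectStandardInput $msg `
         -ArgumentList @('-Y','verify','-f',"`"$signers`"",'-I',$Identity,'-n',$Namespace,'-s',"`"$sigBlob`"")
    if ($p.ExitCode -eq 0) { Write-Host "[OK] Signature VERIFIED ($digest)"; exit 0 }
    Write-Host "[FAIL] DO NOT INSTALL: signature does not cover this MSI"; exit 1
}
finally { Remove-Item -LiteralPath $work -Recurse -Force }
```

Run it as `.\verify-example.ps1 -Msi .\agent.msi` on the staging workstation; a mismatch of even one byte in the MSI changes the digest and makes ssh-keygen return non-zero, so the script exits 1.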

Standalone PowerShell verifier that confirms a downloaded MSI matches
the SHA-256 covered by the release operator's Ed25519 signature
(*.sha256.sig sidecar), independent of Windows Authenticode trust.

Intended for IT admins on a staging workstation to run once per release
before pushing to SCCM/Intune/GPO. The script auto-detects ssh-keygen
across PATH and Git-for-Windows fallback locations, exits 0 on success
and 1 on tamper/mismatch.

Verified end-to-end against v1.11.3 arm64 MSI on Windows: clean MSI
exits 0, single-byte flip exits 1.
ashishkurmi merged commit 9d0352d into step-security:main on May 26, 2026
10 checks passed