Validate authenticode signature using the certificate Subject

[paveliak]

Description

This PR switches verification of authenticode signature to use the certificate subject instead of the thumbprint. This prevents occasional verification failures caused by certficate renewal.

Related issue: https://github.com/github/hosted-runners-images/issues/111

Check list

• Related issue / work item is attached
• Tests are written (if applicable)
• Documentation is updated (if applicable)
• Changes are tested and related VM images are successfully generated

[Copilot]

Pull Request Overview

This PR updates authenticode signature verification to match on the certificate’s Subject rather than its thumbprint, preventing failures when certificates are renewed.

• Removed signature fields from toolset JSONs.
• Extended Install-Binary and Test-FileSignature to use ExpectedSubject and compare certificate .Subject.
• Updated all scripts to pass the new ExpectedSubject (and introduced Get-MicrosoftPublisher for Microsoft-signed binaries).

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
images/windows/toolsets/toolset-*.json	Removed manifest signature entries for all toolsets
images/windows/scripts/helpers/VisualStudioHelpers.ps1	Switched Test-FileSignature call to use ExpectedSubject
images/windows/scripts/helpers/InstallHelpers.ps1	Renamed parameter/docs to ExpectedSubject and logic update
images/windows/scripts/helpers/ImageHelpers.psm1	Exported new Get-MicrosoftPublisher helper
All images/windows/scripts/build/*.ps1 scripts	Replaced -ExpectedSignature arguments with -ExpectedSubject

Comments suppressed due to low confidence (4)

images/windows/scripts/helpers/InstallHelpers.ps1:37

• Consider updating the module's README or an external docs file to reflect the new ExpectedSubject parameter and deprecate ExpectedSignature.

    .EXAMPLE

images/windows/scripts/helpers/InstallHelpers.ps1:83

• Add unit or integration tests for Test-FileSignature covering both valid and invalid subject scenarios to ensure new subject-based validation is exercised.

            Test-FileSignature -Path $filePath -ExpectedSubject $ExpectedSubject

images/windows/scripts/helpers/ImageHelpers.psm1:22

• [nitpick] The name Get-MicrosoftPublisher could be more descriptive as Get-MicrosoftPublisherSubject to clarify that it returns a certificate subject string.

    'Get-MicrosoftPublisher'

images/windows/scripts/helpers/VisualStudioHelpers.ps1:53

• [nitpick] For readability and to avoid repeated calls, consider assigning $(Get-MicrosoftPublisher) to a local variable before passing it to Test-FileSignature.

    Test-FileSignature -Path $bootstrapperFilePath -ExpectedSubject $(Get-MicrosoftPublisher)

[Copilot]

[nitpick] This issuer subject string is lengthy and duplicated inline; consider centralizing common subjects (e.g., Oracle, Google) in helper functions or config to reduce repetition.