public void GetCertificatesRetrievesNestedSignatures()
{
var certificates = AuthentiCode.GetCertificates(Path.Combine(s_testDataPath, "triple_signed.dll")).ToArray();
Assert.Equal("CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", certificates[0].Subject);
Assert.Equal("sha1RSA", certificates[0].SignatureAlgorithm.FriendlyName);
Assert.Equal("CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", certificates[1].Subject);
Assert.Equal("sha256RSA", certificates[1].SignatureAlgorithm.FriendlyName);
Assert.Equal("CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", certificates[2].Subject);
Assert.Equal("sha256RSA", certificates[2].SignatureAlgorithm.FriendlyName);
}
private void VerifyPackageSignature(string msiPath)
{
if (s_IsDotNetSigned)
{
bool isAuthentiCodeSigned = AuthentiCode.IsSigned(msiPath);
// Need to capture the error now as other OS calls might change the last error.
uint lastError = !isAuthentiCodeSigned ? unchecked ((uint)Marshal.GetLastWin32Error()) : Error.SUCCESS;
bool isTrustedOrganization = AuthentiCode.IsSignedByTrustedOrganization(msiPath, AuthentiCode.TrustedOrganizations);
if (isAuthentiCodeSigned && isTrustedOrganization)
{
Log?.LogMessage($"Successfully verified AuthentiCode signature for {msiPath}.");
}
else
{
// Summarize the failure and then report additional details.
Log?.LogMessage($"Failed to verify signature for {msiPath}. AuthentiCode signed: {isAuthentiCodeSigned}, Trusted organization: {isTrustedOrganization}.");
IEnumerable <X509Certificate2> certificates = AuthentiCode.GetCertificates(msiPath);
// Dump all the certificates if there are any.
if (certificates.Any())
{
Log?.LogMessage($"Certificate(s):");
foreach (X509Certificate2 certificate in certificates)
{
Log?.LogMessage($" Subject={certificate.Subject}");
Log?.LogMessage($" Issuer={certificate.Issuer}");
Log?.LogMessage($" Not before={certificate.NotBefore}");
Log?.LogMessage($" Not after={certificate.NotAfter}");
Log?.LogMessage($" Thumbprint={certificate.Thumbprint}");
Log?.LogMessage($" Algorithm={certificate.SignatureAlgorithm.FriendlyName}");
}
}
if (!isAuthentiCodeSigned)
{
// If it was a WinTrust failure, we can exit using that error code and include a proper message from the OS.
ExitOnError(lastError, $"Failed to verify authenticode signature for {msiPath}.");
}
if (!isTrustedOrganization)
{
throw new SecurityException(string.Format(LocalizableStrings.AuthentiCodeNoTrustedOrg, msiPath));
}
}
}
else
{
Log?.LogMessage($"Command is not signed, skipping signature verification for {msiPath}.");
}
}
public void GetCertificatesRetrievesNothingForUnsignedFiles()
{
var certificates = AuthentiCode.GetCertificates(Assembly.GetExecutingAssembly().Location);
Assert.Empty(certificates);
}