bool RunSignTool(AuthenticodeKeyVaultSigner signer, string file, string description, string descriptionUrl)
{
var startTime = DateTimeOffset.UtcNow;
var stopwatch = Stopwatch.StartNew();
logger.LogInformation("Signing using {fileName}", file);
var success = false;
var code = 0;
try
{
code = signer.SignFile(file, description, descriptionUrl, null);
success = code == 0;
telemetryLogger.TrackSignToolDependency(signToolName, file, startTime, stopwatch.Elapsed, null, code);
}
catch (Exception e)
{
logger.LogError(e, e.Message);
}
if (success)
{
logger.LogInformation("Sign tool completed successfuly");
return(true);
}
logger.LogError("Sign tool completed with error {errorCode}", code);
return(false);
}
// Inspired from https://github.com/squaredup/bettersigntool/blob/master/bettersigntool/bettersigntool/SignCommand.cs
bool Sign(AuthenticodeKeyVaultSigner signer, string file, string description, string descriptionUrl)
{
var retry = TimeSpan.FromSeconds(5);
var attempt = 1;
do
{
if (attempt > 1)
{
logger.LogInformation($"Performing attempt #{attempt} of 3 attempts after {retry.TotalSeconds}s");
Thread.Sleep(retry);
}
if (RunSignTool(signer, file, description, descriptionUrl))
{
return(true);
}
attempt++;
retry = TimeSpan.FromSeconds(Math.Pow(retry.TotalSeconds, 1.5));
} while (attempt <= 3);
logger.LogError($"Failed to sign. Attempts exceeded");
return(false);
}
public void ShouldSignExeWithECDsaSigningCertificates_Sha256FileDigest(string certificate)
{
var signingCert = new X509Certificate2(certificate, "test", X509KeyStorageFlags.EphemeralKeySet);
var signer = new AuthenticodeKeyVaultSigner(signingCert.GetECDsaPrivateKey(), signingCert, HashAlgorithmName.SHA256, TimeStampConfiguration.None);
var fileToSign = GetFileToSign();
var result = signer.SignFile(fileToSign, null, null, null);
Assert.Equal(0, result);
}
public void ShouldSignExeWithRSASigningCertificates_Sha256FileDigest_WithTimestamps(string certificate)
{
var signingCert = new X509Certificate2(certificate, "test", X509KeyStorageFlags.EphemeralKeySet);
var timestampConfig = new TimeStampConfiguration("http://timestamp.digicert.com", HashAlgorithmName.SHA256, TimeStampType.RFC3161);
var signer = new AuthenticodeKeyVaultSigner(signingCert.GetRSAPrivateKey(), signingCert, HashAlgorithmName.SHA256, timestampConfig);
var fileToSign = GetFileToSign();
var result = signer.SignFile(fileToSign, null, null, null);
Assert.Equal(0, result);
}
void SubmitInternal(HashMode hashMode, string name, string description, string descriptionUrl, IList <string> files)
{
logger.LogInformation("Signing SignTool job {0} with {1} files", name, files.Count());
var certificate = keyVaultService.GetCertificateAsync().Result;
using var rsa = keyVaultService.ToRSA().Result;
using var signer = new AuthenticodeKeyVaultSigner(rsa, certificate, HashAlgorithmName.SHA256, new TimeStampConfiguration(keyVaultService.CertificateInfo.TimestampUrl, HashAlgorithmName.SHA256, TimeStampType.RFC3161));
// loop through all of the files here, looking for appx/eappx
// mark each as being signed and strip appx
Parallel.ForEach(files, (file, state) =>
{
telemetryLogger.OnSignFile(file, signToolName);
if (!Sign(signer, file, description, descriptionUrl))
{
throw new Exception($"Could not append sign {file}");
}
});
}
