public override bool Execute()
{
using (Package package = Package.Open(PackageFile, FileMode.Open))
{
try
{
PackageDigitalSignatureManager signatureManager = new PackageDigitalSignatureManager(package);
signatureManager.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
List <Uri> toSign = package.GetParts().Select(part => part.Uri).ToList();
toSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
toSign.Add(signatureManager.SignatureOrigin);
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
signatureManager.Sign(toSign, new X509Certificate2(Certificate, CertificatePassword));
return(true);
}
catch (Exception ex)
{
Log.LogError("Error signing package: ", ex);
return(false);
}
}
}
private static bool SignVsix(string vsixPackagePath, X509Certificate2 certificate)
{
// many thanks to Jeff Wilcox for the idea and code
// check for details: http://www.jeff.wilcox.name/2010/03/vsixcodesigning/
using (var package = Package.Open(vsixPackagePath))
{
var signatureManager = new PackageDigitalSignatureManager(package);
signatureManager.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
var partsToSign = new List <Uri>();
foreach (var packagePart in package.GetParts())
{
partsToSign.Add(packagePart.Uri);
}
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
partsToSign.Add(signatureManager.SignatureOrigin);
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
try
{
signatureManager.Sign(partsToSign, certificate);
}
catch (CryptographicException)
{
return(false);
}
return(true);
}
}
}// end:ValidateSignatures()
//</SnippetPackageDigSigValidate>
//<SnippetPackageDigSigSign>
private static void SignAllParts(Package package)
{
if (package == null)
{
throw new ArgumentNullException("SignAllParts(package)");
}
// Create the DigitalSignature Manager
PackageDigitalSignatureManager dsm =
new PackageDigitalSignatureManager(package);
dsm.CertificateOption =
CertificateEmbeddingOption.InSignaturePart;
// Create a list of all the part URIs in the package to sign
// (GetParts() also includes PackageRelationship parts).
System.Collections.Generic.List <Uri> toSign =
new System.Collections.Generic.List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
// Add all package parts to the list for signing.
toSign.Add(packagePart.Uri);
}
// Add the URI for SignatureOrigin PackageRelationship part.
// The SignatureOrigin relationship is created when Sign() is called.
// Signing the SignatureOrigin relationship disables counter-signatures.
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
// Also sign the SignatureOrigin part.
toSign.Add(dsm.SignatureOrigin);
// Add the package relationship to the signature origin to be signed.
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
// Sign() will prompt the user to select a Certificate to sign with.
try
{
dsm.Sign(toSign);
}
// If there are no certificates or the SmartCard manager is
// not running, catch the exception and show an error message.
catch (CryptographicException ex)
{
MessageBox.Show(
"Cannot Sign\n" + ex.Message,
"No Digital Certificates Available",
MessageBoxButton.OK,
MessageBoxImage.Exclamation);
}
}// end:SignAllParts()
/// <summary>
/// Main signing process
/// </summary>
/// <param name="package"></param>
/// <returns></returns>
private bool SignAllParts(Package package)
{
if (package == null)
{
throw new ArgumentNullException("SignAllParts(package)");
}
// Create the DigitalSignature Manager
PackageDigitalSignatureManager dsm =
new PackageDigitalSignatureManager(package);
dsm.CertificateOption =
CertificateEmbeddingOption.InSignaturePart;
// Create a list of all the part URIs in the package to sign
// (GetParts() also includes PackageRelationship parts).
System.Collections.Generic.List <Uri> toSign =
new System.Collections.Generic.List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
// Add all package parts to the list for signing.
toSign.Add(packagePart.Uri);
}
// Add the URI for SignatureOrigin PackageRelationship part.
// The SignatureOrigin relationship is created when Sign() is called.
// Signing the SignatureOrigin relationship disables counter-signatures.
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
// Also sign the SignatureOrigin part.
toSign.Add(dsm.SignatureOrigin);
// Add the package relationship to the signature origin to be signed.
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
// Sign() will prompt the user to select a Certificate to sign with.
try
{
var cert = new X509Certificate2(this.CertificatePath, (String.IsNullOrEmpty(this.CertificatePassword) ? null : this.CertificatePassword));
dsm.Sign(toSign, cert);
}
// If there are no certificates or the SmartCard manager is
// not running, catch the exception and show an error message.
catch (CryptographicException ex)
{
Console.WriteLine(
"Cannot Sign: {0}", ex.Message);
}
return(dsm.IsSigned && dsm.VerifySignatures(true) == VerifyResult.Success);
}// end:SignAllParts()
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <param name="overrideCurrentSignature"></param>
/// <from>http://msdn.microsoft.com/en-us/library/system.io.packaging.packagedigitalsignaturemanager.sign(v=vs.100).aspx</from>
public void Sign(string path, bool overrideCurrentSignature)
{
{
_log.Debug("We're going to try signing {0}, override current signature {1}".format(path,
overrideCurrentSignature));
var package = Package.Open(path);
_log.Debug("Opened {0}".format(path));
var signatureManager = new PackageDigitalSignatureManager(package)
{
CertificateOption = CertificateEmbeddingOption.InSignaturePart
};
if (signatureManager.IsSigned)
{
if (overrideCurrentSignature)
{
_log.Debug("{0} is signed we'll try to remove signatures".format(path));
//TODO: make smarter so we only remove signatures for the relevant parts
signatureManager.RemoveAllSignatures();
package.Flush();
}
else
{
_log.Debug("{0} is signed, we're going to throw".format(path));
throw new AlreadySignedException();
}
}
var toSign = package.GetParts().Select(packagePart => packagePart.Uri).ToList();
toSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
toSign.Add(signatureManager.SignatureOrigin);
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
_log.Debug("About to start signing {0}".format(path));
signatureManager.Sign(toSign, Certificate);
_log.Debug("signed {0}, going to close".format(path));
package.Close();
_log.Debug("closed {0}".format(path));
}
GC.Collect();
}
/// <summary>
/// Signs all parts of the VSIX file
/// </summary>
/// <param name="vsixFileName">The file path of the VSIX file</param>
/// <param name="pfxFileName">The file path of the certificate</param>
/// <param name="password">The password for the certificate</param>
/// <returns>True if the file has been signed, false otherwise</returns>
private bool SignVSIXFile(string vsixFileName, string pfxFileName, string password)
{
if (File.Exists(vsixFileName) == false)
{
this.LogBuildError("VSIX file doesn't exist");
return(false);
}
if (File.Exists(pfxFileName) == false)
{
this.LogBuildError("Certificate file doesn't exist");
return(false);
}
LogBuildMessage(string.Format("Signing {0} ", Path.GetFileName(vsixFileName)), BuildMessageImportance.High);
using (var package = Package.Open(vsixFileName, FileMode.Open))
{
var packageSignatureManager = new PackageDigitalSignatureManager(package)
{
CertificateOption = CertificateEmbeddingOption.InSignaturePart
};
var partsToSign = package.GetParts().Select(packagePart => packagePart.Uri).ToList();
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(packageSignatureManager.SignatureOrigin));
partsToSign.Add(packageSignatureManager.SignatureOrigin);
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
try
{
packageSignatureManager.Sign(partsToSign, new System.Security.Cryptography.X509Certificates.X509Certificate2(pfxFileName, password));
}
catch (System.Security.Cryptography.CryptographicException ex)
{
this.LogBuildError("Error Signing File " + ex.Message);
return(false);
}
return(packageSignatureManager.IsSigned && packageSignatureManager.VerifySignatures(true) == VerifyResult.Success);
}
}
public void SignPackage(Package package, X509Certificate cert)
{
var dsm = new PackageDigitalSignatureManager(package)
{
CertificateOption = CertificateEmbeddingOption.InSignaturePart,
HashAlgorithm = SignedXml.XmlDsigSHA512Url,
};
var toSign = new List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
toSign.Add(packagePart.Uri);
}
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
toSign.Add(dsm.SignatureOrigin);
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
dsm.Sign(toSign, cert);
}
private static void SignAllParts(Package package, X509Certificate cert)
{
if (package == null)
{
throw new ArgumentNullException("SignAllParts(package)");
}
if (cert == null)
{
throw new ArgumentNullException("SignAllParts(cert)");
}
PackageDigitalSignatureManager dsm = new PackageDigitalSignatureManager(package)
{
CertificateOption = CertificateEmbeddingOption.InSignaturePart,
HashAlgorithm = SignedXml.XmlDsigSHA512Url
};
List <Uri> toSign = new List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
toSign.Add(packagePart.Uri);
}
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
toSign.Add(dsm.SignatureOrigin);
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
try
{
dsm.Sign(toSign, cert);
}
catch (CryptographicException ex)
{
AppHealth.Current.Error.TrackAsync("Error sigingn package.", ex).FireAndForget();
throw;
}
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <from>http://msdn.microsoft.com/en-us/library/system.io.packaging.packagedigitalsignaturemanager.sign(v=vs.100).aspx</from>
public void Sign(string path)
{
var package = Package.Open(path);
var signatureManager = new PackageDigitalSignatureManager(package);
signatureManager.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
var toSign = new List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
toSign.Add(packagePart.Uri);
}
toSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
toSign.Add(signatureManager.SignatureOrigin);
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
signatureManager.Sign(toSign, Certificate);
package.Close();
}
public void GetRelationshipPartUriTest2()
{
PackUriHelper.GetRelationshipPartUri(null);
}
public void GetRelationshipPartUriTest()
{
Assert.AreEqual("/_rels/file1.rels", PackUriHelper.GetRelationshipPartUri(part1).ToString());
}
// TODO (Andreas Orzelski, 2020-08-01): The signature file and [Content_Types].xml can be tampered?
// Is this an issue?
/// <summary>
/// Will sign all parts and relationships in the package (any modification will invalidate the signature)
/// Will prompt the user to select a certificate to sign with.
/// New files can be added to the package, but they will not be signed,
/// therefore easy to detect during verification.
/// </summary>
/// <param name="packagePath"></param>
/// <param name="storeName"></param>
public static void SignAll(string packagePath, string storeName = "My")
{
using (Package package = Package.Open(packagePath, FileMode.Open))
{
// Create the DigitalSignature Manager
PackageDigitalSignatureManager dsm = new PackageDigitalSignatureManager(package);
dsm.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
// Create a list of all the part URIs in the package to sign
// (GetParts() also includes PackageRelationship parts).
System.Collections.Generic.List <Uri> toSign = new System.Collections.Generic.List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
// Add all package parts to the list for signing.
toSign.Add(packagePart.Uri);
}
// Create list of selectors for the list of relationships
List <PackageRelationshipSelector> relationshipSelectors = new List <PackageRelationshipSelector>();
// Create one selector for each package-level relationship, based on id
foreach (PackageRelationship relationship in package.GetRelationships())
{
relationshipSelectors.Add(
new PackageRelationshipSelector(
relationship.SourceUri, PackageRelationshipSelectorType.Id, relationship.Id));
}
// For parts-level relationships ...
foreach (PackagePart packagePart in package.GetParts())
{
try
{
foreach (PackageRelationship relationship in packagePart.GetRelationships())
{
relationshipSelectors.Add(
new PackageRelationshipSelector(
relationship.SourceUri, PackageRelationshipSelectorType.Id, relationship.Id));
}
}
catch (Exception ex)
{
AdminShellNS.LogInternally.That.SilentlyIgnoredError(ex);
}
}
// Also sign the SignatureOrigin part.
toSign.Add(dsm.SignatureOrigin);
// Add the URI for SignatureOrigin PackageRelationship part.
// The SignatureOrigin relationship is created when Sign() is called.
// Signing the SignatureOrigin relationship disables counter-signatures.
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
// Sign all relationships entry of signature-origin inside the root .rels file
relationshipSelectors.Add(
new PackageRelationshipSelector(
new Uri("/", UriKind.Relative), PackageRelationshipSelectorType.Type,
"http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin"));
// Sign() will prompt the user to select a Certificate to sign with.
try
{
var dlg = new OpenFileDialog();
try
{
dlg.InitialDirectory = System.IO.Path.GetDirectoryName("\\");
}
catch (Exception ex)
{
AdminShellNS.LogInternally.That.SilentlyIgnoredError(ex);
}
dlg.Filter = ".pfx files (*.pfx)|*.pfx";
dlg.ShowDialog();
X509Certificate2 x509 = new X509Certificate2(dlg.FileName, "i40");
X509Certificate2Collection scollection = new X509Certificate2Collection(x509);
dsm.Sign(toSign, scollection[0], relationshipSelectors);
}
// If there are no certificates or the SmartCard manager is
// not running, catch the exception and show an error message.
catch (CryptographicException ex)
{
MessageBox.Show(
"Cannot Sign\n" + ex.Message, "Error signing", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
private static bool SignVsix(string vsixPackagePath,
SignData arguments,
StringBuilder outputBuffer,
StringBuilder errorBuffer,
bool signContentInVsix = false)
{
if (arguments == null)
{
throw new ArgumentNullException("arguments");
}
// try to load the certificate:
try
{
arguments.VerifyCertificate();
}
catch (Exception ex)
{
if (errorBuffer != null)
{
errorBuffer.AppendLine("Certificate error.");
errorBuffer.AppendLine(ex.Message);
}
return(false);
}
// many thanks to Jeff Wilcox for the idea and code
// check for details: http://www.jeff.wilcox.name/2010/03/vsixcodesigning/
using (var package = Package.Open(vsixPackagePath))
{
var signatureManager = new PackageDigitalSignatureManager(package);
signatureManager.CertificateOption = CertificateEmbeddingOption.InSignaturePart;
// select respective hashing algorithm (http://www.w3.org/TR/2001/WD-xmlenc-core-20010626/):
if (arguments.HashAlgorithm == null || string.IsNullOrEmpty(arguments.HashAlgorithm.Uri))
{
// fail gracefully:
if (errorBuffer != null)
{
errorBuffer.AppendLine("Unable to sign VSIX with requested '" + (arguments.HashAlgorithm != null ? arguments.HashAlgorithm.Name : "<unknown>") + "' algorithm.");
}
return(false);
}
signatureManager.HashAlgorithm = arguments.HashAlgorithm.Uri;
var partsToSign = new List <Uri>();
foreach (var packagePart in package.GetParts())
{
if (signContentInVsix)
{
var fileName = Path.GetFileName(packagePart.Uri.OriginalString);
var name = Path.Combine(Path.GetTempPath(), fileName);
var extension = Path.GetExtension(name);
using (var stream = packagePart.GetStream(FileMode.Open, FileAccess.Read))
{
using (var fileStream = new FileStream(name, FileMode.Create))
{
stream.CopyTo(fileStream);
}
}
if ((extension.Equals(".dll") || extension.Equals(".exe")) && !VerifyBinaryDigitalSignature(name))
{
if (!SignBinary(name, arguments, outputBuffer, errorBuffer))
{
return(false);
}
using (var stream = packagePart.GetStream(FileMode.Open, FileAccess.Write))
{
using (var fileStream = new FileStream(name, FileMode.Open))
{
fileStream.CopyTo(stream);
}
}
}
}
partsToSign.Add(packagePart.Uri);
}
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(signatureManager.SignatureOrigin));
partsToSign.Add(signatureManager.SignatureOrigin);
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
try
{
signatureManager.Sign(partsToSign, arguments.Certificate);
}
catch (CryptographicException ex)
{
if (errorBuffer != null)
{
errorBuffer.AppendLine("Signing could not be completed: " + ex.Message);
}
return(false);
}
finally
{
signatureManager.HashAlgorithm = PackageDigitalSignatureManager.DefaultHashAlgorithm;
}
if (ValidateSignatures(package))
{
if (outputBuffer != null)
{
outputBuffer.AppendLine("VSIX signing completed successfully.");
}
return(true);
}
if (outputBuffer != null)
{
outputBuffer.AppendLine("The digital signature is invalid, there may have been a problem with the signing process.");
}
return(false);
}
}
