Esempio n. 1
0
        private FileSignInfo TrackFile(string fullPath, ImmutableArray <byte> contentHash, bool isNested)
        {
            var fileSignInfo = ExtractSignInfo(fullPath, contentHash);

            var key = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));

            if (_filesByContentKey.TryGetValue(key, out var existingSignInfo))
            {
                // If we saw this file already we wouldn't call TrackFile unless this is a top-level file.
                Debug.Assert(!isNested);

                // Copy the signed content to the destination path.
                _filesToCopy.Add(new KeyValuePair <string, string>(existingSignInfo.FullPath, fullPath));
                return(fileSignInfo);
            }

            if (FileSignInfo.IsZipContainer(fullPath))
            {
                Debug.Assert(!_zipDataMap.ContainsKey(contentHash));

                if (TryBuildZipData(fileSignInfo, out var zipData))
                {
                    _zipDataMap[contentHash] = zipData;
                }
            }

            _filesByContentKey.Add(key, fileSignInfo);

            if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.IsZipContainer())
            {
                _filesToSign.Add(fileSignInfo);
            }

            return(fileSignInfo);
        }
Esempio n. 2
0
        private FileSignInfo TrackFile(
            string fullPath,
            string collisionPriorityId,
            ImmutableArray <byte> contentHash,
            bool isNested,
            bool forceRepack     = false,
            string containerPath = null)
        {
            _log.LogMessage($"Tracking file '{fullPath}' isNested={isNested}");

            // If there's a wixpack in ItemsToSign which corresponds to this file, pass along the path of
            // the wixpack so we can associate the wixpack with the item
            var wixPack      = _wixPacks.SingleOrDefault(w => w.Moniker.Equals(Path.GetFileName(fullPath), StringComparison.OrdinalIgnoreCase));
            var fileSignInfo = ExtractSignInfo(fullPath, collisionPriorityId, contentHash, forceRepack, wixPack.FullPath, containerPath);

            var key = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));

            if (_filesByContentKey.TryGetValue(key, out var existingSignInfo))
            {
                // If we saw this file already we wouldn't call TrackFile unless this is a top-level file.
                Debug.Assert(!isNested);

                // Copy the signed content to the destination path.
                _filesToCopy.Add(new KeyValuePair <string, string>(existingSignInfo.FullPath, fullPath));
                return(fileSignInfo);
            }

            if (fileSignInfo.IsContainer())
            {
                if (_zipDataMap.ContainsKey(contentHash))
                {
                    _log.LogError($"File '{fullPath}' has the same content hash as '{_zipDataMap[contentHash].FileSignInfo.FullPath}'. The incorrect file will be written.");
                }

                if (fileSignInfo.IsZipContainer())
                {
                    if (TryBuildZipData(fileSignInfo, out var zipData))
                    {
                        _zipDataMap[contentHash] = zipData;
                    }
                }
                else if (fileSignInfo.IsWixContainer())
                {
                    Console.WriteLine($"Trying to gather data for {fullPath}");
                    if (TryBuildWixData(fileSignInfo, out var msiData))
                    {
                        _zipDataMap[contentHash] = msiData;
                    }
                }
            }
            _log.LogMessage(MessageImportance.Low, $"Caching file {key.FileName} {key.StringHash}");
            _filesByContentKey.Add(key, fileSignInfo);

            if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack || fileSignInfo.IsContainer())
            {
                _filesToSign.Add(fileSignInfo);
            }

            return(fileSignInfo);
        }
Esempio n. 3
0
        internal BatchSignInput GenerateListOfFiles()
        {
            Stopwatch gatherInfoTime = Stopwatch.StartNew();

            foreach (var itemToSign in _itemsToSign)
            {
                string fullPath            = itemToSign.ItemSpec;
                string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
                var    contentHash         = ContentUtil.GetContentHash(fullPath);
                var    fileUniqueKey       = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));

                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                {
                    packages = new HashSet <string>();
                }

                packages.Add(fullPath);

                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                PathWithHash pathWithHash = new PathWithHash(fullPath, contentHash);
                TrackFile(pathWithHash, null, collisionPriorityId);
            }
            gatherInfoTime.Stop();
            if (_telemetry != null)
            {
                _telemetry.AddMetric("Gather file info duration (s)", gatherInfoTime.ElapsedMilliseconds / 1000);
            }

            if (_errors.Any())
            {
                // Iterate over each pair of <error code, unique file identity>.
                // We can be sure here that the same file won't have the same error code twice.
                foreach (var errorGroup in _errors)
                {
                    switch (errorGroup.Key)
                    {
                    case SigningToolErrorCode.SIGN002:
                        _log.LogError("Could not determine certificate name for signable file(s):");
                        break;
                    }

                    // For each file that had that error
                    foreach (var erroredFile in errorGroup.Value)
                    {
                        _log.LogError($"\tFile: {erroredFile.FileName}");

                        // Get a list of all containers where the file showed up
                        foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
                        {
                            _log.LogError($"\t\t{containerName}");
                        }
                    }
                }
            }

            return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(), _filesToCopy.ToImmutableArray()));
        }
Esempio n. 4
0
        private void LogError(SigningToolErrorCode code, SignedFileContentKey targetFile)
        {
            if (!_errors.TryGetValue(code, out var filesErrored))
            {
                filesErrored = new HashSet <SignedFileContentKey>();
            }

            filesErrored.Add(targetFile);
            _errors[code] = filesErrored;
        }
Esempio n. 5
0
        internal FileSignInfo(PathWithHash pathWithHash, SignInfo signInfo, string targetFramework = null, string wixContentFilePath = null, bool hasSignableParts = false)
        {
            Debug.Assert(pathWithHash.FullPath != null);
            Debug.Assert(!pathWithHash.ContentHash.IsDefault && pathWithHash.ContentHash.Length == 256 / 8);
            Debug.Assert(targetFramework != "");

            File               = pathWithHash;
            FileContentKey     = new SignedFileContentKey(File.ContentHash, File.FileName);
            SignInfo           = signInfo;
            TargetFramework    = targetFramework;
            WixContentFilePath = wixContentFilePath;
            HasSignableParts   = hasSignableParts;
        }
Esempio n. 6
0
        internal BatchSignInput GenerateListOfFiles()
        {
            foreach (var itemToSign in _itemsToSign)
            {
                string fullPath            = itemToSign.ItemSpec;
                string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
                var    fileUniqueKey       = new SignedFileContentKey(ContentUtil.GetContentHash(fullPath), fullPath);

                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                {
                    packages = new HashSet <string>();
                }

                packages.Add(fullPath);

                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                TrackFile(fullPath, collisionPriorityId, ContentUtil.GetContentHash(fullPath), isNested: false);
            }

            if (_errors.Any())
            {
                // Iterate over each pair of <error code, unique file identity>.
                // We can be sure here that the same file won't have the same error code twice.
                foreach (var errorGroup in _errors)
                {
                    switch (errorGroup.Key)
                    {
                    case SigningToolErrorCode.SIGN002:
                        _log.LogError("Could not determine certificate name for signable file(s):");
                        break;
                    }

                    // For each file that had that error
                    foreach (var erroredFile in errorGroup.Value)
                    {
                        _log.LogError($"\tFile: {erroredFile.FileName}");

                        // Get a list of all containers where the file showed up
                        foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
                        {
                            _log.LogError($"\t\t{containerName}");
                        }
                    }
                }
            }

            return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(ByteSequenceComparer.Instance), _filesToCopy.ToImmutableArray()));
        }
Esempio n. 7
0
        internal FileSignInfo(string fullPath, ImmutableArray <byte> contentHash, SignInfo signInfo, string targetFramework = null, bool forceRepack = false, string wixContentFilePath = null, bool hasSignableParts = false)
        {
            Debug.Assert(fullPath != null);
            Debug.Assert(!contentHash.IsDefault && contentHash.Length == 256 / 8);
            Debug.Assert(targetFramework != "");

            FileName           = Path.GetFileName(fullPath);
            ContentHash        = contentHash;
            FileContentKey     = new SignedFileContentKey(contentHash, FileName);
            FullPath           = fullPath;
            SignInfo           = signInfo;
            TargetFramework    = targetFramework;
            ForceRepack        = forceRepack;
            WixContentFilePath = wixContentFilePath;
            HasSignableParts   = hasSignableParts;
        }
Esempio n. 8
0
        private FileSignInfo TrackFile(string fullPath, ImmutableArray <byte> contentHash, bool isNested, bool forceRepack = false)
        {
            _log.LogMessage($"Tracking file '{fullPath}' isNested={isNested}");
            var fileSignInfo = ExtractSignInfo(fullPath, contentHash, forceRepack);

            var key = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));

            if (_filesByContentKey.TryGetValue(key, out var existingSignInfo))
            {
                // If we saw this file already we wouldn't call TrackFile unless this is a top-level file.
                Debug.Assert(!isNested);

                // Copy the signed content to the destination path.
                _filesToCopy.Add(new KeyValuePair <string, string>(existingSignInfo.FullPath, fullPath));
                return(fileSignInfo);
            }

            if (FileSignInfo.IsZipContainer(fullPath))
            {
                if (_zipDataMap.ContainsKey(contentHash))
                {
                    _log.LogError($"File '{fullPath}' has the same content hash as '{_zipDataMap[contentHash].FileSignInfo.FullPath}'. The incorrect file will be written.");
                }

                if (TryBuildZipData(fileSignInfo, out var zipData))
                {
                    _zipDataMap[contentHash] = zipData;
                }
            }

            _log.LogMessage(MessageImportance.Low, $"Caching file {key.FileName} {key.StringHash}");
            _filesByContentKey.Add(key, fileSignInfo);

            if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack || fileSignInfo.IsZipContainer())
            {
                _filesToSign.Add(fileSignInfo);
            }

            return(fileSignInfo);
        }
Esempio n. 9
0
        /// <summary>
        /// Actually sign all of the described files.
        /// </summary>
        private bool SignFiles()
        {
            // Generate the list of signed files in a deterministic order. Makes it easier to track down
            // bugs if repeated runs use the same ordering.
            var toProcessList = _batchData.FilesToSign.ToList();
            var toRepackSet   = _batchData.FilesToSign.Where(x => x.ShouldRepack)?.Select(x => x.FullPath)?.ToHashSet();
            var round         = 0;
            var trackedSet    = new HashSet <SignedFileContentKey>();

            // Given a list of files that need signing, sign them in a batch.
            bool signGroup(IEnumerable <FileSignInfo> files, out int signedCount)
            {
                var filesToSign = files.Where(fileInfo => fileInfo.SignInfo.ShouldSign).ToArray();

                signedCount = filesToSign.Length;
                if (filesToSign.Length == 0)
                {
                    return(true);
                }

                _log.LogMessage(MessageImportance.High, $"Round {round}: Signing {filesToSign.Length} files.");

                foreach (var file in filesToSign)
                {
                    string collisionIdInfo = string.Empty;
                    if (_hashToCollisionIdMap != null)
                    {
                        if (_hashToCollisionIdMap.TryGetValue(file.FileContentKey, out string collisionPriorityId))
                        {
                            collisionIdInfo = $"Collision Id='{collisionPriorityId}'";
                        }
                    }
                    _log.LogMessage(MessageImportance.Low, $"{file} {collisionIdInfo}");
                }

                return(_signTool.Sign(_buildEngine, round, filesToSign));
            }

            // Given a list of files that need signing, sign the installer engines
            // of those that are wix containers.
            bool signEngines(IEnumerable <FileSignInfo> files, out int signedCount)
            {
                var enginesToSign = files.Where(fileInfo => fileInfo.SignInfo.ShouldSign &&
                                                fileInfo.IsWixContainer() &&
                                                Path.GetExtension(fileInfo.FullPath) == ".exe").ToArray();

                signedCount = enginesToSign.Length;
                if (enginesToSign.Length == 0)
                {
                    return(true);
                }

                _log.LogMessage(MessageImportance.High, $"Round {round}: Signing {enginesToSign.Length} engines.");

                Dictionary <SignedFileContentKey, FileSignInfo> engines = new Dictionary <SignedFileContentKey, FileSignInfo>();
                var workingDirectory = Path.Combine(_signTool.TempDir, "engines");
                int engineContainer  = 0;

                // extract engines
                foreach (var file in enginesToSign)
                {
                    string engineFileName = $"{Path.Combine(workingDirectory, $"{engineContainer}", file.FileName)}{SignToolConstants.MsiEngineExtension}";
                    _log.LogMessage(MessageImportance.Normal, $"Extracting engine from {file.FullPath}");
                    if (!RunWixTool("insignia.exe", $"-ib {file.FullPath} -o {engineFileName}",
                                    workingDirectory, _signTool.WixToolsPath, _log))
                    {
                        _log.LogError($"Failed to extract engine from {file.FullPath}");
                        return(false);
                    }

                    var fileUniqueKey = new SignedFileContentKey(file.ContentHash, engineFileName);

                    engines.Add(fileUniqueKey, file);
                    engineContainer++;
                }

                // sign engines
                bool signResult = _signTool.Sign(_buildEngine, round, engines.Select(engine =>
                                                                                     new FileSignInfo(new PathWithHash(engine.Key.FileName, engine.Value.ContentHash), engine.Value.SignInfo)));

                if (!signResult)
                {
                    _log.LogError($"Failed to sign engines");
                    return(signResult);
                }

                // attach engines
                foreach (var engine in engines)
                {
                    _log.LogMessage(MessageImportance.Normal, $"Attaching engine {engine.Key.FileName} to {engine.Value.FullPath}");

                    try
                    {
                        if (!RunWixTool("insignia.exe",
                                        $"-ab {engine.Key.FileName} {engine.Value.FullPath} -o {engine.Value.FullPath}", workingDirectory,
                                        _signTool.WixToolsPath, _log))
                        {
                            _log.LogError($"Failed to attach engine to {engine.Value.FullPath}");
                            return(false);
                        }
                    }
                    finally
                    {
                        // cleanup engines (they fail signing verification if they stay in the drop
                        File.Delete(engine.Key.FileName);
                    }
                }
                return(true);
            }

            // Given a group of file that are ready for processing,
            // repack those files that are containers.
            void repackGroup(IEnumerable <FileSignInfo> files, out int repackCount)
            {
                var repackList = files.Where(w => toRepackSet.Contains(w.FullPath)).ToList();

                repackCount = repackList.Count();
                if (repackCount == 0)
                {
                    return;
                }
                _log.LogMessage(MessageImportance.High, $"Repacking {repackCount} containers.");

                ParallelOptions parallelOptions = new ParallelOptions();

                parallelOptions.MaxDegreeOfParallelism = 16;
                Parallel.ForEach(repackList, parallelOptions, file =>
                {
                    if (file.IsZipContainer())
                    {
                        _log.LogMessage($"Repacking container: '{file.FileName}'");
                        _batchData.ZipDataMap[file.FileContentKey].Repack(_log);
                    }
                    else if (file.IsWixContainer())
                    {
                        _log.LogMessage($"Packing wix container: '{file.FileName}'");
                        _batchData.ZipDataMap[file.FileContentKey].Repack(_log, _signTool.TempDir, _signTool.WixToolsPath);
                    }
                    else
                    {
                        _log.LogError($"Don't know how to repack file '{file.FullPath}'");
                    }
                    toRepackSet.Remove(file.FullPath);
                });
            }

            // Is this file ready to be signed or repackaged? That is are all of the items that it depends on already
            // signed, don't need signing, and are repacked.
            bool isReady(FileSignInfo file)
            {
                if (file.IsContainer())
                {
                    var zipData = _batchData.ZipDataMap[file.FileContentKey];
                    return(zipData.NestedParts.Values.All(x => (!x.FileSignInfo.SignInfo.ShouldSign ||
                                                                trackedSet.Contains(x.FileSignInfo.FileContentKey)) && !toRepackSet.Contains(x.FileSignInfo.FullPath)
                                                          ));
                }
                return(true);
            }

            // Identify the next set of files that should be signed or repacked.
            // This is the set of files for which all of the dependencies have been signed,
            // are already signed, are repacked, etc.
            List <FileSignInfo> identifyNextGroup()
            {
                var list = new List <FileSignInfo>();
                var i    = 0;

                while (i < toProcessList.Count)
                {
                    var current = toProcessList[i];
                    if (isReady(current))
                    {
                        list.Add(current);
                        toProcessList.RemoveAt(i);
                    }
                    else
                    {
                        i++;
                    }
                }

                return(list);
            }

            // Telemetry data
            double    telemetryTotalFilesSigned   = 0;
            double    telemetryTotalFilesRepacked = 0;
            Stopwatch telemetrySignedTime         = new Stopwatch();
            Stopwatch telemetryRepackedTime       = new Stopwatch();

            try
            {
                // Core algorithm of batch signing.
                // While there are files left to process,
                //  Identify which files are ready for processing (ready to repack or sign)
                //  Repack those of that set that are containers
                //  Sign any of those files that need signing, along with their engines.
                while (toProcessList.Count > 0)
                {
                    var trackList = identifyNextGroup();
                    if (trackList.Count == 0)
                    {
                        throw new InvalidOperationException("No progress made on signing which indicates a bug");
                    }

                    int fileModifiedCount;
                    telemetryRepackedTime.Start();
                    repackGroup(trackList, out fileModifiedCount);
                    telemetryRepackedTime.Stop();
                    telemetryTotalFilesRepacked += fileModifiedCount;

                    try
                    {
                        telemetrySignedTime.Start();
                        if (!signEngines(trackList, out fileModifiedCount))
                        {
                            return(false);
                        }
                        if (fileModifiedCount > 0)
                        {
                            round++;
                            telemetryTotalFilesSigned += fileModifiedCount;
                        }

                        if (!signGroup(trackList, out fileModifiedCount))
                        {
                            return(false);
                        }
                        if (fileModifiedCount > 0)
                        {
                            round++;
                            telemetryTotalFilesSigned += fileModifiedCount;
                        }
                    }
                    finally
                    {
                        telemetrySignedTime.Stop();
                    }

                    trackList.ForEach(x => trackedSet.Add(x.FileContentKey));
                }
            }
            finally
            {
                if (_telemetry != null)
                {
                    _telemetry.AddMetric("Signed file count", telemetryTotalFilesSigned);
                    _telemetry.AddMetric("Repacked file count", telemetryTotalFilesRepacked);
                    _telemetry.AddMetric("Signing duration (s)", telemetrySignedTime.ElapsedMilliseconds / 1000);
                    _telemetry.AddMetric("Repacking duration (s)", telemetryRepackedTime.ElapsedMilliseconds / 1000);
                }
            }

            return(true);
        }
Esempio n. 10
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
        {
            Debug.Assert(zipFileSignInfo.IsZipContainer());

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
                {
                    var nestedParts = new List <ZipPart>();

                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;

                        // `entry` might be just a pointer to a folder. We skip those.
                        if (relativePath.EndsWith("/") && entry.Name == "")
                        {
                            continue;
                        }

                        ImmutableArray <byte> contentHash;
                        using (var stream = entry.Open())
                        {
                            contentHash = ContentUtil.GetContentHash(stream);
                        }

                        var fileUniqueKey = new SignedFileContentKey(contentHash, relativePath);

                        if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                        {
                            packages = new HashSet <string>();
                        }

                        packages.Add(zipFileSignInfo.FileName);
                        _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                        // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
                        var fileName = Path.GetFileName(relativePath);
                        if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
                        {
                            string extractPathRoot = _useHashInExtractionPath ? ContentUtil.HashToString(contentHash) : _filesByContentKey.Count().ToString();
                            string tempPath        = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
                            _log.LogMessage($"Extracting file '{fileName}' from '{zipFileSignInfo.FullPath}' to '{tempPath}'.");

                            Directory.CreateDirectory(Path.GetDirectoryName(tempPath));

                            using (var stream = entry.Open())
                                using (var tempFileStream = File.OpenWrite(tempPath))
                                {
                                    stream.CopyTo(tempFileStream);
                                }

                            fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
                        }

                        if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack)
                        {
                            nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
                        }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
Esempio n. 11
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData, string alternativeArchivePath = null)
        {
            string archivePath = zipFileSignInfo.FullPath;

            if (alternativeArchivePath != null)
            {
                archivePath = alternativeArchivePath;
                Debug.Assert(Path.GetExtension(archivePath) == ".zip");
            }
            else
            {
                Debug.Assert(zipFileSignInfo.IsZipContainer());
            }

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(archivePath), ZipArchiveMode.Read))
                {
                    var nestedParts = new Dictionary <string, ZipPart>();


                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;

                        // `entry` might be just a pointer to a folder. We skip those.
                        if (relativePath.EndsWith("/") && entry.Name == "")
                        {
                            continue;
                        }

                        using (var entryStream = entry.Open())
                            using (MemoryStream entryMemoryStream = new MemoryStream((int)entry.Length))
                            {
                                entryStream.CopyTo(entryMemoryStream);
                                entryMemoryStream.Position = 0;
                                ImmutableArray <byte> contentHash = ContentUtil.GetContentHash(entryMemoryStream);

                                var fileUniqueKey = new SignedFileContentKey(contentHash, Path.GetFileName(relativePath));

                                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                                {
                                    packages = new HashSet <string>();
                                }

                                packages.Add(Path.GetFileName(archivePath));

                                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                                // if we already encountered file that has the same content we can reuse its signed version when repackaging the container.
                                var fileName = Path.GetFileName(relativePath);
                                if (!_filesByContentKey.TryGetValue(fileUniqueKey, out var fileSignInfo))
                                {
                                    string extractPathRoot = _useHashInExtractionPath ? fileUniqueKey.StringHash : _filesByContentKey.Count().ToString();
                                    string tempPath        = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
                                    _log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'.");

                                    Directory.CreateDirectory(Path.GetDirectoryName(tempPath));

                                    entryMemoryStream.Position = 0;
                                    using (var tempFileStream = File.OpenWrite(tempPath))
                                    {
                                        entryMemoryStream.CopyTo(tempFileStream);
                                    }

                                    _hashToCollisionIdMap.TryGetValue(fileUniqueKey, out string collisionPriorityId);
                                    PathWithHash nestedFile = new PathWithHash(tempPath, contentHash);
                                    fileSignInfo = TrackFile(nestedFile, zipFileSignInfo.File, collisionPriorityId);
                                }

                                if (fileSignInfo.ShouldTrack)
                                {
                                    nestedParts.Add(relativePath, new ZipPart(relativePath, fileSignInfo));
                                }
                            }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableDictionary());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
Esempio n. 12
0
        /// <summary>
        ///     Determine the file signing info of this file.
        /// </summary>
        /// <param name="fullPath">Full path to the file</param>
        /// <param name="collisionPriorityId">ID used to disambiguate file signing info for nested files.</param>
        /// <param name="contentHash">Content hash of the file</param>
        /// <param name="wixContentFilePath">If a wix container, the corresponding wix pack zip</param>
        /// <param name="parentContainerPath">Path to the parent container. If this is a non-nested container, this should be null</param>
        /// <param name="parentContainerHash">Hash of the parent container. If this is a non-nested container, this should be null</param>
        /// <returns>File signing information for this file.</returns>
        private FileSignInfo ExtractSignInfo(
            PathWithHash file,
            PathWithHash parentContainer,
            string collisionPriorityId,
            string wixContentFilePath)
        {
            var    extension = Path.GetExtension(file.FileName);
            string explicitCertificateName = null;
            var    fileSpec                  = string.Empty;
            var    isAlreadySigned           = false;
            var    matchedNameTokenFramework = false;
            var    matchedNameToken          = false;
            var    matchedName               = false;
            PEInfo peInfo = null;
            SignedFileContentKey signedFileContentKey = new SignedFileContentKey(file.ContentHash, file.FileName);

            // handle multi-part extensions like ".symbols.nupkg" specified in FileExtensionSignInfo
            if (_fileExtensionSignInfo != null)
            {
                extension = _fileExtensionSignInfo.OrderByDescending(o => o.Key.Length).FirstOrDefault(f => file.FileName.EndsWith(f.Key, StringComparison.OrdinalIgnoreCase)).Key ?? extension;
            }

            // Asset is nested asset part of a container. Try to get it from the visited assets first
            if (string.IsNullOrEmpty(collisionPriorityId) && parentContainer != null)
            {
                if (!_hashToCollisionIdMap.TryGetValue(signedFileContentKey, out collisionPriorityId))
                {
                    Debug.Assert(parentContainer.FullPath != file.FullPath);

                    // Hash doesn't exist so we use the CollisionPriorityId from the parent container
                    SignedFileContentKey parentSignedFileContentKey =
                        new SignedFileContentKey(parentContainer.ContentHash, parentContainer.FileName);
                    collisionPriorityId = _hashToCollisionIdMap[parentSignedFileContentKey];
                }
            }

            // Update the hash map
            if (!_hashToCollisionIdMap.ContainsKey(signedFileContentKey))
            {
                _hashToCollisionIdMap.Add(signedFileContentKey, collisionPriorityId);
            }
            else
            {
                string existingCollisionId = _hashToCollisionIdMap[signedFileContentKey];

                // If we find that there is an asset which already was processed which has a lower
                // collision id, we use that and update the map so we give it precedence
                if (string.Compare(collisionPriorityId, existingCollisionId) < 0)
                {
                    _hashToCollisionIdMap[signedFileContentKey] = collisionPriorityId;
                }
            }

            // Try to determine default certificate name by the extension of the file. Since there might be dupes
            // we get the one which maps a collision id or the first of the returned ones in case there is no
            // collision id
            bool     hasSignInfos = _fileExtensionSignInfo.TryGetValue(extension, out var signInfos);
            SignInfo signInfo     = SignInfo.Ignore;
            bool     hasSignInfo  = false;

            if (hasSignInfos)
            {
                if (!string.IsNullOrEmpty(collisionPriorityId))
                {
                    hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any();
                    signInfo    = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                }
                else
                {
                    hasSignInfo = true;
                    signInfo    = signInfos.FirstOrDefault();
                }
            }

            if (FileSignInfo.IsPEFile(file.FullPath))
            {
                using (var stream = File.OpenRead(file.FullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                peInfo = GetPEInfo(file.FullPath);

                if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos))
                {
                    // Get the default sign info based on the PKT, if applicable. Since there might be dupes
                    // we get the one which maps a collision id or the first of the returned ones in case there is no
                    // collision id
                    SignInfo pktBasedSignInfo = SignInfo.Ignore;

                    if (!string.IsNullOrEmpty(collisionPriorityId))
                    {
                        pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                    }
                    else
                    {
                        pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault();
                    }

                    if (peInfo.IsCrossgened)
                    {
                        signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]);
                    }
                    else
                    {
                        signInfo = pktBasedSignInfo;
                    }

                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                matchedNameTokenFramework = _fileSignInfo.TryGetValue(
                    new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[signedFileContentKey]),
                    out explicitCertificateName);
                matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(
                    new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]),
                    out explicitCertificateName);

                fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
                           matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
            }
            else if (FileSignInfo.IsNupkg(file.FullPath) || FileSignInfo.IsVsix(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.IsSignedContainer(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} does not have a signature marker.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} has a signature marker.");
                }
            }
            else if (FileSignInfo.IsWix(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.IsDigitallySigned(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not digitally signed.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed.");
                }
            }
            else if (FileSignInfo.IsPowerShellScript(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} does not have a signature block.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} has a signature block.");
                }
            }

            // We didn't find any specific information for PE files using PKT + TargetFramework
            if (explicitCertificateName == null)
            {
                matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(file.FileName,
                                                                                   collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName);
            }

            // If has overriding info, is it for ignoring the file?
            if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
            {
                _log.LogMessage(MessageImportance.Low, $"File configured to not be signed: {file.FullPath}{fileSpec}");
                return(new FileSignInfo(file, SignInfo.Ignore));
            }

            // Do we have an explicit certificate after all?
            if (explicitCertificateName != null)
            {
                signInfo    = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[signedFileContentKey]);
                hasSignInfo = true;
            }

            if (hasSignInfo)
            {
                bool dualCerts = _dualCertificates
                                 .Where(d => d.ItemSpec == signInfo.Certificate &&
                                        (d.GetMetadata(SignToolConstants.CollisionPriorityId) == "" ||
                                         d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[signedFileContentKey])).Any();

                if (isAlreadySigned && !dualCerts)
                {
                    return(new FileSignInfo(file, signInfo.WithIsAlreadySigned(isAlreadySigned), wixContentFilePath: wixContentFilePath));
                }

                // TODO: implement this check for native PE files as well:
                // extract copyright from native resource (.rsrc section)
                if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
                {
                    bool isMicrosoftLibrary     = IsMicrosoftLibrary(peInfo.Copyright);
                    bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
                    if (isMicrosoftLibrary != isMicrosoftCertificate)
                    {
                        if (isMicrosoftLibrary)
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{file.FullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
                        }
                        else
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{file.FullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
                        }
                    }
                }

                return(new FileSignInfo(file, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, wixContentFilePath: wixContentFilePath));
            }

            if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
            {
                // Extract the relative path inside the package / otherwise just return the full path of the file
                LogError(SigningToolErrorCode.SIGN002, signedFileContentKey);
            }
            else
            {
                _log.LogMessage(MessageImportance.Low, $"Ignoring non-signable file: {file.FullPath}");
            }

            return(new FileSignInfo(file, SignInfo.Ignore, wixContentFilePath: wixContentFilePath));
        }