/// <summary> /// Determines whether the specified file is signed by a trusted organization. /// </summary> /// <returns><see langword="true"/> if file is signed; <see langword="false"/> otherwise.</returns> internal static bool IsSigned(string path) { if (OperatingSystem.IsWindows()) { return(AuthentiCode.IsSigned(path) && AuthentiCode.IsSignedByTrustedOrganization(path, AuthentiCode.TrustedOrganizations)); } return(false); }
public void AuthentiCodeSignaturesCanBeVerified(string file, bool shouldBeSigned, string expectedError) { bool isSigned = AuthentiCode.IsSigned(Path.Combine(s_testDataPath, file)); Assert.Equal(shouldBeSigned, isSigned); if (!shouldBeSigned) { Assert.Equal(expectedError, new Win32Exception(Marshal.GetLastWin32Error()).Message); } }
private void VerifyPackageSignature(string msiPath) { if (s_IsDotNetSigned) { bool isAuthentiCodeSigned = AuthentiCode.IsSigned(msiPath); // Need to capture the error now as other OS calls might change the last error. uint lastError = !isAuthentiCodeSigned ? unchecked ((uint)Marshal.GetLastWin32Error()) : Error.SUCCESS; bool isTrustedOrganization = AuthentiCode.IsSignedByTrustedOrganization(msiPath, AuthentiCode.TrustedOrganizations); if (isAuthentiCodeSigned && isTrustedOrganization) { Log?.LogMessage($"Successfully verified AuthentiCode signature for {msiPath}."); } else { // Summarize the failure and then report additional details. Log?.LogMessage($"Failed to verify signature for {msiPath}. AuthentiCode signed: {isAuthentiCodeSigned}, Trusted organization: {isTrustedOrganization}."); IEnumerable <X509Certificate2> certificates = AuthentiCode.GetCertificates(msiPath); // Dump all the certificates if there are any. if (certificates.Any()) { Log?.LogMessage($"Certificate(s):"); foreach (X509Certificate2 certificate in certificates) { Log?.LogMessage($" Subject={certificate.Subject}"); Log?.LogMessage($" Issuer={certificate.Issuer}"); Log?.LogMessage($" Not before={certificate.NotBefore}"); Log?.LogMessage($" Not after={certificate.NotAfter}"); Log?.LogMessage($" Thumbprint={certificate.Thumbprint}"); Log?.LogMessage($" Algorithm={certificate.SignatureAlgorithm.FriendlyName}"); } } if (!isAuthentiCodeSigned) { // If it was a WinTrust failure, we can exit using that error code and include a proper message from the OS. ExitOnError(lastError, $"Failed to verify authenticode signature for {msiPath}."); } if (!isTrustedOrganization) { throw new SecurityException(string.Format(LocalizableStrings.AuthentiCodeNoTrustedOrg, msiPath)); } } } else { Log?.LogMessage($"Command is not signed, skipping signature verification for {msiPath}."); } }
static MsiPackageCache() { s_IsDotNetSigned = AuthentiCode.IsSigned(Assembly.GetExecutingAssembly().Location); }