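 /// <summary>
 /// A file carrying more than one AuthentiCode signature is expected to be accepted when
 /// any one of its nested signers belongs to a trusted organization, even when the other
 /// names passed in the trusted list match no signer at all.
 /// </summary>
 public void IsSignedBytTrustedOrganizationVerifiesNestedSignatures()
 {
     string dualSignedPath = Path.Combine(s_testDataPath, "dual_signed.dll");

     // "Foo" and "Bar" are deliberately non-matching organizations; only the last name in
     // each call is expected to match one of the two nested signatures.
     Assert.True(AuthentiCode.IsSignedByTrustedOrganization(dualSignedPath, "Foo", "Bar", "Microsoft Corporation"));
     Assert.True(AuthentiCode.IsSignedByTrustedOrganization(dualSignedPath, "Foo", "Bar", "WiX Toolset (.NET Foundation)"));
 }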
파일: SignCheck.cs 프로젝트: nohwnd/sdk
        /// <summary>
        /// Reports whether <paramref name="path"/> carries a valid AuthentiCode signature whose
        /// signer is one of <see cref="AuthentiCode.TrustedOrganizations"/>.
        /// </summary>
        /// <param name="path">Path of the file to check.</param>
        /// <returns>
        /// <see langword="true"/> only on Windows and only when both the signature check and the
        /// trusted-organization check pass; <see langword="false"/> on every other platform, where
        /// no verification is attempted at all.
        /// </returns>
        internal static bool IsSigned(string path)
        {
            // The underlying check is Windows-only, so a non-Windows host reports "unsigned"
            // rather than attempting a verification it cannot perform.
            if (!OperatingSystem.IsWindows())
            {
                return false;
            }

            // The trusted-organization check is only consulted once the signature itself is valid.
            bool hasValidSignature = AuthentiCode.IsSigned(path);
            bool signerIsTrusted = hasValidSignature &&
                                   AuthentiCode.IsSignedByTrustedOrganization(path, AuthentiCode.TrustedOrganizations);

            return signerIsTrusted;
        }
        /// <summary>
        /// A triple-signed file is expected to yield all three signing certificates, in signature
        /// order, including the nested ones beyond the primary signature.
        /// </summary>
        public void GetCertificatesRetrievesNestedSignatures()
        {
            var certificates = AuthentiCode.GetCertificates(Path.Combine(s_testDataPath, "triple_signed.dll")).ToArray();

            // Expected (subject, signature algorithm) pairs, indexed by position in the signature list.
            var expected = new[]
            {
                ("CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "sha1RSA"),
                ("CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "sha256RSA"),
                ("CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "sha256RSA"),
            };

            for (int i = 0; i < expected.Length; i++)
            {
                var (subject, algorithm) = expected[i];

                Assert.Equal(subject, certificates[i].Subject);
                Assert.Equal(algorithm, certificates[i].SignatureAlgorithm.FriendlyName);
            }
        }
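        /// <summary>
        /// Data-driven check that <see cref="AuthentiCode.IsSigned"/> classifies each test file as
        /// expected and, for unsigned files, that the OS error it leaves behind is the anticipated one.
        /// </summary>
        /// <param name="file">File name, relative to the test data directory.</param>
        /// <param name="shouldBeSigned">Whether the file is expected to carry a valid signature.</param>
        /// <param name="expectedError">
        /// Expected Win32 error message; only checked when <paramref name="shouldBeSigned"/> is <see langword="false"/>.
        /// </param>
        public void AuthentiCodeSignaturesCanBeVerified(string file, bool shouldBeSigned, string expectedError)
        {
            bool isSigned = AuthentiCode.IsSigned(Path.Combine(s_testDataPath, file));

            // Capture the last-error value immediately: anything that runs in between (including the
            // assertion below) may make OS calls that overwrite it, which would turn a genuine
            // verification failure into a misleading or spurious error message.
            int lastError = Marshal.GetLastWin32Error();

            Assert.Equal(shouldBeSigned, isSigned);

            if (!shouldBeSigned)
            {
                Assert.Equal(expectedError, new Win32Exception(lastError).Message);
            }
        }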
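        /// <summary>
        /// Verifies that the MSI at <paramref name="msiPath"/> carries a valid AuthentiCode signature
        /// from a trusted organization, logging the outcome and, on failure, every certificate found
        /// on the package before aborting.
        /// </summary>
        /// <param name="msiPath">Path of the MSI package to verify.</param>
        /// <exception cref="SecurityException">
        /// The signature is valid but the signer is not one of <see cref="AuthentiCode.TrustedOrganizations"/>.
        /// </exception>
        /// <remarks>
        /// Verification is only enforced when <c>s_IsDotNetSigned</c> is set, i.e. when the executing
        /// assembly is itself signed; an unsigned (e.g. locally built) command skips the check entirely
        /// and only logs that it did so.
        /// </remarks>
        private void VerifyPackageSignature(string msiPath)
        {
            if (!s_IsDotNetSigned)
            {
                Log?.LogMessage($"Command is not signed, skipping signature verification for {msiPath}.");
                return;
            }

            bool isAuthentiCodeSigned = AuthentiCode.IsSigned(msiPath);

            // Need to capture the error now as other OS calls might change the last error.
            uint lastError = !isAuthentiCodeSigned ? unchecked((uint)Marshal.GetLastWin32Error()) : Error.SUCCESS;

            bool isTrustedOrganization = AuthentiCode.IsSignedByTrustedOrganization(msiPath, AuthentiCode.TrustedOrganizations);

            if (isAuthentiCodeSigned && isTrustedOrganization)
            {
                Log?.LogMessage($"Successfully verified AuthentiCode signature for {msiPath}.");
                return;
            }

            // Summarize the failure and then report additional details.
            Log?.LogMessage($"Failed to verify signature for {msiPath}. AuthentiCode signed: {isAuthentiCodeSigned}, Trusted organization: {isTrustedOrganization}.");

            // Materialize once: the enumeration is consumed twice below (emptiness check and dump),
            // and re-enumerating would re-read the signature data from the package each time.
            X509Certificate2[] certificates = AuthentiCode.GetCertificates(msiPath).ToArray();
            LogCertificates(certificates);

            if (!isAuthentiCodeSigned)
            {
                // If it was a WinTrust failure, we can exit using that error code and include a proper message from the OS.
                ExitOnError(lastError, $"Failed to verify authenticode signature for {msiPath}.");
            }

            if (!isTrustedOrganization)
            {
                throw new SecurityException(string.Format(LocalizableStrings.AuthentiCodeNoTrustedOrg, msiPath));
            }
        }

        /// <summary>
        /// Logs the subject, issuer, validity window, thumbprint and signature algorithm of each
        /// certificate found on a package, to help diagnose a failed verification.
        /// </summary>
        /// <param name="certificates">Certificates extracted from the package; nothing is logged when empty.</param>
        private void LogCertificates(X509Certificate2[] certificates)
        {
            // Dump all the certificates if there are any.
            if (certificates.Length == 0)
            {
                return;
            }

            Log?.LogMessage($"Certificate(s):");

            foreach (X509Certificate2 certificate in certificates)
            {
                Log?.LogMessage($"       Subject={certificate.Subject}");
                Log?.LogMessage($"        Issuer={certificate.Issuer}");
                Log?.LogMessage($"    Not before={certificate.NotBefore}");
                Log?.LogMessage($"     Not after={certificate.NotAfter}");
                Log?.LogMessage($"    Thumbprint={certificate.Thumbprint}");
                Log?.LogMessage($"     Algorithm={certificate.SignatureAlgorithm.FriendlyName}");
            }
        }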
        /// <summary>
        /// An unsigned file (here the executing test assembly, which is expected to be unsigned)
        /// must produce no certificates rather than failing or returning a placeholder entry.
        /// </summary>
        public void GetCertificatesRetrievesNothingForUnsignedFiles()
        {
            string unsignedFilePath = Assembly.GetExecutingAssembly().Location;

            Assert.Empty(AuthentiCode.GetCertificates(unsignedFilePath));
        }
 /// <summary>
 /// Records once, at type load, whether the executing assembly itself carries a valid
 /// AuthentiCode signature. The package verification path uses this flag to decide whether
 /// package signatures are enforced at all.
 /// </summary>
 static MsiPackageCache()
 {
     string hostAssemblyPath = Assembly.GetExecutingAssembly().Location;
     s_IsDotNetSigned = AuthentiCode.IsSigned(hostAssemblyPath);
 }
 /// <summary>
 /// Every data-driven test file signed by one of <see cref="AuthentiCode.TrustedOrganizations"/>
 /// must be accepted. Per its name, this test covers the signer's subject organization only; it
 /// asserts nothing about any other property of the certificate or chain.
 /// </summary>
 /// <param name="file">File name, relative to the test data directory.</param>
 public void IsSignedByTrustedOrganizationOnlyVerifiesTheSubjectOrganization(string file)
 {
     string filePath = Path.Combine(s_testDataPath, file);
     bool isTrusted = AuthentiCode.IsSignedByTrustedOrganization(filePath, AuthentiCode.TrustedOrganizations);

     Assert.True(isTrusted);
 }