/// <summary> /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency /// errors found when examining the zip archive. /// </summary> private bool TryBuildWixData(FileSignInfo msiFileSignInfo, out ZipData zipData) { // Treat msi as an archive where the filename is the name of the msi, but its contents are from the corresponding wixpack return(TryBuildZipData(msiFileSignInfo, out zipData, msiFileSignInfo.WixContentFilePath)); }
/// <summary> /// Determine the file signing info of this file. /// </summary> /// <param name="fullPath">Full path to the file</param> /// <param name="collisionPriorityId">ID used to disambiguate file signing info for nested files.</param> /// <param name="contentHash">Content hash of the file</param> /// <param name="wixContentFilePath">If a wix container, the corresponding wix pack zip</param> /// <param name="parentContainerPath">Path to the parent container. If this is a non-nested container, this should be null</param> /// <param name="parentContainerHash">Hash of the parent container. If this is a non-nested container, this should be null</param> /// <returns>File signing information for this file.</returns> private FileSignInfo ExtractSignInfo( PathWithHash file, PathWithHash parentContainer, string collisionPriorityId, string wixContentFilePath) { var extension = Path.GetExtension(file.FileName); string explicitCertificateName = null; var fileSpec = string.Empty; var isAlreadySigned = false; var matchedNameTokenFramework = false; var matchedNameToken = false; var matchedName = false; PEInfo peInfo = null; SignedFileContentKey signedFileContentKey = new SignedFileContentKey(file.ContentHash, file.FileName); // handle multi-part extensions like ".symbols.nupkg" specified in FileExtensionSignInfo if (_fileExtensionSignInfo != null) { extension = _fileExtensionSignInfo.OrderByDescending(o => o.Key.Length).FirstOrDefault(f => file.FileName.EndsWith(f.Key, StringComparison.OrdinalIgnoreCase)).Key ?? extension; } // Asset is nested asset part of a container. Try to get it from the visited assets first if (string.IsNullOrEmpty(collisionPriorityId) && parentContainer != null) { if (!_hashToCollisionIdMap.TryGetValue(signedFileContentKey, out collisionPriorityId)) { Debug.Assert(parentContainer.FullPath != file.FullPath); // Hash doesn't exist so we use the CollisionPriorityId from the parent container SignedFileContentKey parentSignedFileContentKey = new SignedFileContentKey(parentContainer.ContentHash, parentContainer.FileName); collisionPriorityId = _hashToCollisionIdMap[parentSignedFileContentKey]; } } // Update the hash map if (!_hashToCollisionIdMap.ContainsKey(signedFileContentKey)) { _hashToCollisionIdMap.Add(signedFileContentKey, collisionPriorityId); } else { string existingCollisionId = _hashToCollisionIdMap[signedFileContentKey]; // If we find that there is an asset which already was processed which has a lower // collision id, we use that and update the map so we give it precedence if (string.Compare(collisionPriorityId, existingCollisionId) < 0) { _hashToCollisionIdMap[signedFileContentKey] = collisionPriorityId; } } // Try to determine default certificate name by the extension of the file. Since there might be dupes // we get the one which maps a collision id or the first of the returned ones in case there is no // collision id bool hasSignInfos = _fileExtensionSignInfo.TryGetValue(extension, out var signInfos); SignInfo signInfo = SignInfo.Ignore; bool hasSignInfo = false; if (hasSignInfos) { if (!string.IsNullOrEmpty(collisionPriorityId)) { hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any(); signInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault(); } else { hasSignInfo = true; signInfo = signInfos.FirstOrDefault(); } } if (FileSignInfo.IsPEFile(file.FullPath)) { using (var stream = File.OpenRead(file.FullPath)) { isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream); } peInfo = GetPEInfo(file.FullPath); if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos)) { // Get the default sign info based on the PKT, if applicable. Since there might be dupes // we get the one which maps a collision id or the first of the returned ones in case there is no // collision id SignInfo pktBasedSignInfo = SignInfo.Ignore; if (!string.IsNullOrEmpty(collisionPriorityId)) { pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault(); } else { pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault(); } if (peInfo.IsCrossgened) { signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]); } else { signInfo = pktBasedSignInfo; } hasSignInfo = true; } // Check if we have more specific sign info: matchedNameTokenFramework = _fileSignInfo.TryGetValue( new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName); matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue( new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName); fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" : matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty; } else if (FileSignInfo.IsNupkg(file.FullPath) || FileSignInfo.IsVsix(file.FullPath)) { isAlreadySigned = VerifySignatures.IsSignedContainer(file.FullPath); if (!isAlreadySigned) { _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} does not have a signature marker."); } else { _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} has a signature marker."); } } else if (FileSignInfo.IsWix(file.FullPath)) { isAlreadySigned = VerifySignatures.IsDigitallySigned(file.FullPath); if (!isAlreadySigned) { _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not digitally signed."); } else { _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed."); } } else if (FileSignInfo.IsPowerShellScript(file.FullPath)) { isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath); if (!isAlreadySigned) { _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} does not have a signature block."); } else { _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} has a signature block."); } } // We didn't find any specific information for PE files using PKT + TargetFramework if (explicitCertificateName == null) { matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(file.FileName, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName); } // If has overriding info, is it for ignoring the file? if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase)) { _log.LogMessage(MessageImportance.Low, $"File configured to not be signed: {file.FullPath}{fileSpec}"); return(new FileSignInfo(file, SignInfo.Ignore)); } // Do we have an explicit certificate after all? if (explicitCertificateName != null) { signInfo = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[signedFileContentKey]); hasSignInfo = true; } if (hasSignInfo) { bool dualCerts = _dualCertificates .Where(d => d.ItemSpec == signInfo.Certificate && (d.GetMetadata(SignToolConstants.CollisionPriorityId) == "" || d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[signedFileContentKey])).Any(); if (isAlreadySigned && !dualCerts) { return(new FileSignInfo(file, signInfo.WithIsAlreadySigned(isAlreadySigned), wixContentFilePath: wixContentFilePath)); } // TODO: implement this check for native PE files as well: // extract copyright from native resource (.rsrc section) if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged) { bool isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright); bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate); if (isMicrosoftLibrary != isMicrosoftCertificate) { if (isMicrosoftLibrary) { LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{file.FullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'."); } else { LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{file.FullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'."); } } } return(new FileSignInfo(file, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, wixContentFilePath: wixContentFilePath)); } if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension)) { // Extract the relative path inside the package / otherwise just return the full path of the file LogError(SigningToolErrorCode.SIGN002, signedFileContentKey); } else { _log.LogMessage(MessageImportance.Low, $"Ignoring non-signable file: {file.FullPath}"); } return(new FileSignInfo(file, SignInfo.Ignore, wixContentFilePath: wixContentFilePath)); }
/// <summary> /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency /// errors found when examining the zip archive. /// </summary> private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData, string alternativeArchivePath = null) { string archivePath = zipFileSignInfo.FullPath; if (alternativeArchivePath != null) { archivePath = alternativeArchivePath; Debug.Assert(Path.GetExtension(archivePath) == ".zip"); } else { Debug.Assert(zipFileSignInfo.IsZipContainer()); } try { using (var archive = new ZipArchive(File.OpenRead(archivePath), ZipArchiveMode.Read)) { var nestedParts = new Dictionary <string, ZipPart>(); foreach (ZipArchiveEntry entry in archive.Entries) { string relativePath = entry.FullName; // `entry` might be just a pointer to a folder. We skip those. if (relativePath.EndsWith("/") && entry.Name == "") { continue; } using (var entryStream = entry.Open()) using (MemoryStream entryMemoryStream = new MemoryStream((int)entry.Length)) { entryStream.CopyTo(entryMemoryStream); entryMemoryStream.Position = 0; ImmutableArray <byte> contentHash = ContentUtil.GetContentHash(entryMemoryStream); var fileUniqueKey = new SignedFileContentKey(contentHash, Path.GetFileName(relativePath)); if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages)) { packages = new HashSet <string>(); } packages.Add(Path.GetFileName(archivePath)); _whichPackagesTheFileIsIn[fileUniqueKey] = packages; // if we already encountered file that has the same content we can reuse its signed version when repackaging the container. var fileName = Path.GetFileName(relativePath); if (!_filesByContentKey.TryGetValue(fileUniqueKey, out var fileSignInfo)) { string extractPathRoot = _useHashInExtractionPath ? fileUniqueKey.StringHash : _filesByContentKey.Count().ToString(); string tempPath = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath); _log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'."); Directory.CreateDirectory(Path.GetDirectoryName(tempPath)); entryMemoryStream.Position = 0; using (var tempFileStream = File.OpenWrite(tempPath)) { entryMemoryStream.CopyTo(tempFileStream); } _hashToCollisionIdMap.TryGetValue(fileUniqueKey, out string collisionPriorityId); PathWithHash nestedFile = new PathWithHash(tempPath, contentHash); fileSignInfo = TrackFile(nestedFile, zipFileSignInfo.File, collisionPriorityId); } if (fileSignInfo.ShouldTrack) { nestedParts.Add(relativePath, new ZipPart(relativePath, fileSignInfo)); } } } zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableDictionary()); return(true); } } catch (Exception e) { _log.LogErrorFromException(e); zipData = null; return(false); } }
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash, bool forceRepack = false) { // Try to determine default certificate name by the extension of the file var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo); var fileName = Path.GetFileName(fullPath); var extension = Path.GetExtension(fullPath); string explicitCertificateName = null; var fileSpec = string.Empty; var isAlreadySigned = false; var matchedNameTokenFramework = false; var matchedNameToken = false; var matchedName = false; PEInfo peInfo = null; if (FileSignInfo.IsPEFile(fullPath)) { using (var stream = File.OpenRead(fullPath)) { isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream); } peInfo = GetPEInfo(fullPath); // Get the default sign info based on the PKT, if applicable: if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfo)) { if (peInfo.IsCrossgened) { signInfo = new SignInfo(pktBasedSignInfo.Certificate); } else { signInfo = pktBasedSignInfo; } hasSignInfo = true; } // Check if we have more specific sign info: matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework), out explicitCertificateName); matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken), out explicitCertificateName); fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" : matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty; } // We didn't find any specific information for PE files using PKT + TargetFramework if (explicitCertificateName == null) { matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName); } // If has overriding info, is it for ignoring the file? if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase)) { _log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}"); return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack)); } // Do we have an explicit certificate after all? if (explicitCertificateName != null) { signInfo = signInfo.WithCertificateName(explicitCertificateName); hasSignInfo = true; } if (hasSignInfo) { if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate)) { return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack)); } // TODO: implement this check for native PE files as well: // extract copyright from native resource (.rsrc section) if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged) { bool isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright); bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate); if (isMicrosoftLibrary != isMicrosoftCertificate) { if (isMicrosoftLibrary) { LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'."); } else { LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'."); } } } return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack)); } if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension)) { // Extract the relative path inside the package / otherwise just return the full path of the file var contentHash = ContentUtil.GetContentHash(fullPath); var tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash)); var relativePath = fullPath.Replace($@"{tempDir}\", ""); LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath)); } else { _log.LogMessage($"Ignoring non-signable file: {fullPath}"); } return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack)); }
/// <summary> /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency /// errors found when examining the zip archive. /// </summary> private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData) { Debug.Assert(zipFileSignInfo.IsZipContainer()); try { using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read)) { var nestedParts = new List <ZipPart>(); foreach (ZipArchiveEntry entry in archive.Entries) { string relativePath = entry.FullName; // `entry` might be just a pointer to a folder. We skip those. if (relativePath.EndsWith("/") && entry.Name == "") { continue; } ImmutableArray <byte> contentHash; using (var stream = entry.Open()) { contentHash = ContentUtil.GetContentHash(stream); } var fileUniqueKey = new SignedFileContentKey(contentHash, relativePath); if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages)) { packages = new HashSet <string>(); } packages.Add(zipFileSignInfo.FileName); _whichPackagesTheFileIsIn[fileUniqueKey] = packages; // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container. var fileName = Path.GetFileName(relativePath); if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo)) { string extractPathRoot = _useHashInExtractionPath ? ContentUtil.HashToString(contentHash) : _filesByContentKey.Count().ToString(); string tempPath = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath); _log.LogMessage($"Extracting file '{fileName}' from '{zipFileSignInfo.FullPath}' to '{tempPath}'."); Directory.CreateDirectory(Path.GetDirectoryName(tempPath)); using (var stream = entry.Open()) using (var tempFileStream = File.OpenWrite(tempPath)) { stream.CopyTo(tempFileStream); } fileSignInfo = TrackFile(tempPath, contentHash, isNested: true); } if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack) { nestedParts.Add(new ZipPart(relativePath, fileSignInfo)); } } zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray()); return(true); } } catch (Exception e) { _log.LogErrorFromException(e); zipData = null; return(false); } }
internal ZipData(FileSignInfo fileSignInfo, ImmutableArray <ZipPart> nestedBinaryParts) { FileSignInfo = fileSignInfo; NestedParts = nestedBinaryParts; }
private void VerifyAfterSign(FileSignInfo file) { if (file.IsPEFile()) { using (var stream = File.OpenRead(file.FullPath)) { if (!_signTool.VerifySignedPEFile(stream)) { _log.LogError($"Assembly {file.FullPath} is NOT signed properly"); } else { _log.LogMessage(MessageImportance.Low, $"Assembly {file.FullPath} is signed properly"); } } } else if (file.IsPowerShellScript()) { if (!_signTool.VerifySignedPowerShellFile(file.FullPath)) { _log.LogError($"Powershell file {file.FullPath} does not have a signature mark."); } } else if (file.IsZipContainer()) { var zipData = _batchData.ZipDataMap[file.FileContentKey]; bool signedContainer = false; using (var archive = new ZipArchive(File.OpenRead(file.FullPath), ZipArchiveMode.Read)) { foreach (ZipArchiveEntry entry in archive.Entries) { string relativeName = entry.FullName; if (!SkipZipContainerSignatureMarkerCheck) { if (file.IsNupkg() && _signTool.VerifySignedNugetFileMarker(relativeName)) { signedContainer = true; } else if (file.IsVsix() && _signTool.VerifySignedVSIXFileMarker(relativeName)) { signedContainer = true; } } var zipPart = zipData.FindNestedPart(relativeName); if (!zipPart.HasValue) { continue; } VerifyAfterSign(zipPart.Value.FileSignInfo); } } if (!SkipZipContainerSignatureMarkerCheck) { if ((file.IsNupkg() || file.IsVsix()) && !signedContainer) { _log.LogError($"Container {file.FullPath} does not have signature marker."); } else { _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} has a signature marker."); } } } }
/// <summary> /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency /// errors found when examining the zip archive. /// </summary> private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData) { Debug.Assert(zipFileSignInfo.IsZipContainer()); try { using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read)) { var nestedParts = new List <ZipPart>(); foreach (ZipArchiveEntry entry in archive.Entries) { string relativePath = entry.FullName; // `entry` might be just a pointer to a folder. We skip those. if (relativePath.EndsWith("/") && entry.Name == "") { continue; } ImmutableArray <byte> contentHash; using (var stream = entry.Open()) { contentHash = ContentUtil.GetContentHash(stream); } // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container. string fileName = Path.GetFileName(relativePath); if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo)) { string tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash)); string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath)); Directory.CreateDirectory(tempDir); using (var stream = entry.Open()) using (var tempFileStream = File.OpenWrite(tempPath)) { stream.CopyTo(tempFileStream); } fileSignInfo = TrackFile(tempPath, contentHash, isNested: true); } if (fileSignInfo.SignInfo.ShouldSign) { nestedParts.Add(new ZipPart(relativePath, fileSignInfo)); } } zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray()); return(true); } } catch (Exception e) { _log.LogErrorFromException(e); zipData = null; return(false); } }
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash) { // Try to determine default certificate name by the extension of the file var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo); var fileName = Path.GetFileName(fullPath); var extension = Path.GetExtension(fullPath); string explicitCertificateName = null; string copyright = string.Empty; var targetFramework = string.Empty; var fileSpec = string.Empty; var isAlreadySigned = false; var matchedNameTokenFramework = false; var matchedNameToken = false; var matchedName = false; var isManagedPE = false; if (FileSignInfo.IsPEFile(fullPath)) { using (var stream = File.OpenRead(fullPath)) { isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream); } GetPEInfo(fullPath, out isManagedPE, out var publicKeyToken, out targetFramework, out copyright); // Get the default sign info based on the PKT, if applicable: if (isManagedPE && _strongNameInfo.TryGetValue(publicKeyToken, out var pktBasedSignInfo)) { signInfo = pktBasedSignInfo; hasSignInfo = true; } // Check if we have more specific sign info: matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out explicitCertificateName); matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out explicitCertificateName); fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {publicKeyToken}, Framework = {targetFramework})" : matchedNameToken ? $" (PublicKeyToken = {publicKeyToken})" : string.Empty; } // We didn't find any specific information for PE files using PKT + TargetFramework if (explicitCertificateName == null) { matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName); } // If has overriding info, is it for ignoring the file? if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase)) { _log.LogMessage($"File configurated to not be signed: {fileName}{fileSpec}"); return(new FileSignInfo(fullPath, hash, SignInfo.Ignore)); } // Do we have an explicit certificate after all? if (explicitCertificateName != null) { signInfo = signInfo.WithCertificateName(explicitCertificateName); hasSignInfo = true; } if (hasSignInfo) { if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate)) { return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned)); } // TODO: implement this check for native PE files as well: // extract copyright from native resource (.rsrc section) if (signInfo.ShouldSign && isManagedPE) { bool isMicrosoftLibrary = IsMicrosoftLibrary(copyright); bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate); if (isMicrosoftLibrary != isMicrosoftCertificate) { if (isMicrosoftLibrary) { LogWarning("SIGN001", $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{copyright}'."); } else { LogWarning("SIGN001", $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{copyright}'."); } } } return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null)); } if (SignToolConstants.SignableExtensions.Contains(extension)) { _log.LogError($"Couldn't determine certificate name for signable file: {fullPath}"); } else { _log.LogMessage($"Ignoring non-signable file: {fullPath}"); } return(new FileSignInfo(fullPath, hash, SignInfo.Ignore)); }
/// <summary> /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency /// errors found when examining the zip archive. /// </summary> private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData) { Debug.Assert(zipFileSignInfo.IsZipContainer()); try { using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read)) { var nestedParts = new List <ZipPart>(); foreach (ZipArchiveEntry entry in archive.Entries) { string relativePath = entry.FullName; string extension = Path.GetExtension(relativePath); if (!FileSignInfo.IsZipContainer(relativePath) && (!_fileExtensionSignInfo.TryGetValue(extension, out var extensionSignInfo) || !extensionSignInfo.ShouldSign)) { var reason = extensionSignInfo.ShouldIgnore ? "configuration tells to ignore this extension" : "its extension isn't on recognizable signing extension list"; _log.LogMessage($"Ignoring this file because {reason} : {relativePath}"); continue; } ImmutableArray <byte> contentHash; using (var stream = entry.Open()) { contentHash = ContentUtil.GetContentHash(stream); } // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container. string fileName = Path.GetFileName(relativePath); if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo)) { string tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash)); string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath)); Directory.CreateDirectory(tempDir); using (var stream = entry.Open()) using (var tempFileStream = File.OpenWrite(tempPath)) { stream.CopyTo(tempFileStream); } fileSignInfo = TrackFile(tempPath, contentHash, isNested: true); } if (fileSignInfo.SignInfo.ShouldSign) { nestedParts.Add(new ZipPart(relativePath, fileSignInfo)); } } zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray()); return(true); } } catch (Exception e) { _log.LogErrorFromException(e); zipData = null; return(false); } }
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash) { var targetFramework = string.Empty; // Try to determine default certificate name by the extension of the file var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo); var isAlreadySigned = false; if (FileSignInfo.IsPEFile(fullPath)) { using (var stream = File.OpenRead(fullPath)) { isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream); } GetPEInfo(fullPath, out var isManaged, out var publicKeyToken, out targetFramework); // Get the default sign info based on the PKT, if applicable: if (isManaged && _defaultSignInfoForPublicKeyToken.TryGetValue(publicKeyToken, out var pktBasedSignInfo)) { signInfo = pktBasedSignInfo; hasSignInfo = true; } var fileName = Path.GetFileName(fullPath); var first = false; var second = false; // Check if we have more specific sign info: if ((first = _explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out var overridingCertificate)) || (second = _explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out overridingCertificate)) || _explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName), out overridingCertificate)) { // If has overriding info, is it for ignoring the file? if (overridingCertificate.Equals(SignToolConstants.IgnoreFileCertificateSentinel, StringComparison.OrdinalIgnoreCase)) { var fileSpec = first ? $" (PublicKeyToken = {publicKeyToken}, Framework = {targetFramework})" : second ? $" (PublicKeyToken = {publicKeyToken})" : string.Empty; _log.LogMessage($"File configurated to not be signed: {fileName}{fileSpec}"); return(new FileSignInfo(fullPath, hash, SignInfo.Ignore)); } signInfo = signInfo.WithCertificateName(overridingCertificate); hasSignInfo = true; } } if (hasSignInfo) { if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate)) { return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned)); } return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null)); } _log.LogWarning($"Couldn't determine signing information for this file: {fullPath}"); return(new FileSignInfo(fullPath, hash, SignInfo.Ignore)); }
private FileSignInfo ExtractSignInfo( string fullPath, string collisionPriorityId, ImmutableArray <byte> hash, bool forceRepack = false, string wixContentFilePath = null, string containerPath = null) { var fileName = Path.GetFileName(fullPath); var extension = Path.GetExtension(fullPath); string explicitCertificateName = null; var fileSpec = string.Empty; var isAlreadySigned = false; var matchedNameTokenFramework = false; var matchedNameToken = false; var matchedName = false; PEInfo peInfo = null; string stringHash = ContentUtil.HashToString(hash); // Asset is nested asset part of a container. Try to get it from the visited assets first if (string.IsNullOrEmpty(collisionPriorityId) && !string.IsNullOrEmpty(containerPath)) { if (!_hashToCollisionIdMap.TryGetValue(stringHash, out collisionPriorityId)) { // Hash doesn't exist so we use the CollisionPriorityId from the parent container string parentStringHash = ContentUtil.HashToString(ContentUtil.GetContentHash(containerPath)); collisionPriorityId = _hashToCollisionIdMap[parentStringHash]; } } // Update the hash map if (!_hashToCollisionIdMap.ContainsKey(stringHash)) { _hashToCollisionIdMap.Add(stringHash, collisionPriorityId); } else { string existingCollisionId = _hashToCollisionIdMap[stringHash]; // If we find that there is an asset which already was processed which has a lower // collision id, we use that and update the map so we give it precedence if (string.Compare(collisionPriorityId, existingCollisionId) < 0) { _hashToCollisionIdMap[stringHash] = collisionPriorityId; } } // Try to determine default certificate name by the extension of the file. Since there might be dupes // we get the one which maps a collision id or the first of the returned ones in case there is no // collision id bool hasSignInfos = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfos); SignInfo signInfo = SignInfo.Ignore; bool hasSignInfo = false; if (hasSignInfos) { if (!string.IsNullOrEmpty(collisionPriorityId)) { hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any(); signInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault(); } else { hasSignInfo = true; signInfo = signInfos.FirstOrDefault(); } } if (FileSignInfo.IsPEFile(fullPath)) { using (var stream = File.OpenRead(fullPath)) { isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream); } peInfo = GetPEInfo(fullPath); if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos)) { // Get the default sign info based on the PKT, if applicable. Since there might be dupes // we get the one which maps a collision id or the first of the returned ones in case there is no // collision id SignInfo pktBasedSignInfo = SignInfo.Ignore; if (!string.IsNullOrEmpty(collisionPriorityId)) { pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault(); } else { pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault(); } if (peInfo.IsCrossgened) { signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[stringHash]); } else { signInfo = pktBasedSignInfo; } hasSignInfo = true; } // Check if we have more specific sign info: matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[stringHash]), out explicitCertificateName); matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName); fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" : matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty; } // We didn't find any specific information for PE files using PKT + TargetFramework if (explicitCertificateName == null) { matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName); } // If has overriding info, is it for ignoring the file? if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase)) { _log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}"); return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack)); } // Do we have an explicit certificate after all? if (explicitCertificateName != null) { signInfo = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[stringHash]); hasSignInfo = true; } if (hasSignInfo) { bool dualCerts = _dualCertificates .Where(d => d.ItemSpec == signInfo.Certificate && d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[stringHash]).Any(); if (isAlreadySigned && !dualCerts) { return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath)); } // TODO: implement this check for native PE files as well: // extract copyright from native resource (.rsrc section) if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged) { bool isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright); bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate); if (isMicrosoftLibrary != isMicrosoftCertificate) { if (isMicrosoftLibrary) { LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'."); } else { LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'."); } } } return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath)); } if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension)) { // Extract the relative path inside the package / otherwise just return the full path of the file var contentHash = ContentUtil.GetContentHash(fullPath); var tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash)); var relativePath = fullPath.Replace($@"{tempDir}\", ""); LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath)); } else { _log.LogMessage($"Ignoring non-signable file: {fullPath}"); } return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath)); }