示例#1
0
        internal void ReadExistingContainerSigningCache()
        {
            _log.LogMessage("Loading existing files from cache");
            foreach (var file in Directory.EnumerateFiles(_pathToContainerUnpackingDirectory, "*.*", SearchOption.AllDirectories))
            {
                string cacheRelative = file.Replace(_pathToContainerUnpackingDirectory + Path.DirectorySeparatorChar, "");
                int    indexOfHash   = cacheRelative.IndexOf(Path.DirectorySeparatorChar);

                if (indexOfHash <= 0)
                {
                    continue;
                }

                // When reading from an existing cache use the already computed hash from the directory
                // structure instead of computing it from the file because things like signing
                // might have changed the hash but we want to still use the same hash of the unsigned
                // file that originally built the cache.
                string stringHash = cacheRelative.Substring(0, indexOfHash);

                try
                {
                    ImmutableArray <byte> contentHash = ContentUtil.StringToHash(stringHash);
                }
                catch {
                    _log.LogMessage($"Failed to parse the content hash from path '{file}' so skipping it.");
                    continue;
                }

                TrackFile(file, ContentUtil.StringToHash(stringHash), false);
            }
            _log.LogMessage("Done loading existing files from cache");
        }
示例#2
0
        public SignedFileContentKey(ImmutableArray <byte> contentHash, string fileName)
        {
            Debug.Assert(!contentHash.IsDefault);
            Debug.Assert(fileName != null);

            StringHash = ContentUtil.HashToString(contentHash);
            FileName   = fileName;
        }
示例#3
0
        internal BatchSignInput GenerateListOfFiles()
        {
            Stopwatch gatherInfoTime = Stopwatch.StartNew();

            foreach (var itemToSign in _itemsToSign)
            {
                string fullPath            = itemToSign.ItemSpec;
                string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
                var    contentHash         = ContentUtil.GetContentHash(fullPath);
                var    fileUniqueKey       = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));

                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                {
                    packages = new HashSet <string>();
                }

                packages.Add(fullPath);

                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                PathWithHash pathWithHash = new PathWithHash(fullPath, contentHash);
                TrackFile(pathWithHash, null, collisionPriorityId);
            }
            gatherInfoTime.Stop();
            if (_telemetry != null)
            {
                _telemetry.AddMetric("Gather file info duration (s)", gatherInfoTime.ElapsedMilliseconds / 1000);
            }

            if (_errors.Any())
            {
                // Iterate over each pair of <error code, unique file identity>.
                // We can be sure here that the same file won't have the same error code twice.
                foreach (var errorGroup in _errors)
                {
                    switch (errorGroup.Key)
                    {
                    case SigningToolErrorCode.SIGN002:
                        _log.LogError("Could not determine certificate name for signable file(s):");
                        break;
                    }

                    // For each file that had that error
                    foreach (var erroredFile in errorGroup.Value)
                    {
                        _log.LogError($"\tFile: {erroredFile.FileName}");

                        // Get a list of all containers where the file showed up
                        foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
                        {
                            _log.LogError($"\t\t{containerName}");
                        }
                    }
                }
            }

            return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(), _filesToCopy.ToImmutableArray()));
        }
示例#4
0
        internal BatchSignInput GenerateListOfFiles()
        {
            foreach (var fullPath in _itemsToSign)
            {
                TrackFile(fullPath, ContentUtil.GetContentHash(fullPath), isNested: false);
            }

            return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(ByteSequenceComparer.Instance), _filesToCopy.ToImmutableArray()));
        }
示例#5
0
        private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash)
        {
            var targetFramework = string.Empty;

            // Try to determine default certificate name by the extension of the file
            var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);

            var isAlreadySigned = false;

            if (FileSignInfo.IsPEFile(fullPath))
            {
                using (var stream = File.OpenRead(fullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                GetPEInfo(fullPath, out var isManaged, out var publicKeyToken, out targetFramework);

                // Get the default sign info based on the PKT, if applicable:
                if (isManaged && _defaultSignInfoForPublicKeyToken.TryGetValue(publicKeyToken, out var pktBasedSignInfo))
                {
                    signInfo    = pktBasedSignInfo;
                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                var fileName = Path.GetFileName(fullPath);
                if (_explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out var overridingCertificate) ||
                    _explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out overridingCertificate) ||
                    _explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName), out overridingCertificate))
                {
                    // If has overriding info, is it for ignoring the file?
                    if (overridingCertificate.Equals(SignToolConstants.IgnoreFileCertificateSentinel, StringComparison.OrdinalIgnoreCase))
                    {
                        return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
                    }

                    signInfo    = signInfo.WithCertificateName(overridingCertificate);
                    hasSignInfo = true;
                }
            }

            if (hasSignInfo)
            {
                if (isAlreadySigned &&
                    !signInfo.Certificate.Equals(SignToolConstants.Certificate_Microsoft3rdPartyAppComponentDual, StringComparison.OrdinalIgnoreCase) &&
                    !signInfo.Certificate.Equals(SignToolConstants.Certificate_Microsoft3rdPartyAppComponentSha2, StringComparison.OrdinalIgnoreCase))
                {
                    return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned));
                }

                return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null));
            }

            _log.LogWarning($"Couldn't determine signing information for this file: {fullPath}");
            return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
        }
示例#6
0
        public override bool VerifySignedPEFile(Stream assemblyStream)
        {
            // The assembly won't verify by design when doing test signing.
            if (TestSign)
            {
                return(true);
            }

            return(ContentUtil.IsAuthenticodeSigned(assemblyStream));
        }
示例#7
0
        internal BatchSignInput GenerateListOfFiles()
        {
            foreach (var itemToSign in _itemsToSign)
            {
                string fullPath            = itemToSign.ItemSpec;
                string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
                var    fileUniqueKey       = new SignedFileContentKey(ContentUtil.GetContentHash(fullPath), fullPath);

                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                {
                    packages = new HashSet <string>();
                }

                packages.Add(fullPath);

                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                TrackFile(fullPath, collisionPriorityId, ContentUtil.GetContentHash(fullPath), isNested: false);
            }

            if (_errors.Any())
            {
                // Iterate over each pair of <error code, unique file identity>.
                // We can be sure here that the same file won't have the same error code twice.
                foreach (var errorGroup in _errors)
                {
                    switch (errorGroup.Key)
                    {
                    case SigningToolErrorCode.SIGN002:
                        _log.LogError("Could not determine certificate name for signable file(s):");
                        break;
                    }

                    // For each file that had that error
                    foreach (var erroredFile in errorGroup.Value)
                    {
                        _log.LogError($"\tFile: {erroredFile.FileName}");

                        // Get a list of all containers where the file showed up
                        foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
                        {
                            _log.LogError($"\t\t{containerName}");
                        }
                    }
                }
            }

            return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(ByteSequenceComparer.Instance), _filesToCopy.ToImmutableArray()));
        }
示例#8
0
        public override void RemovePublicSign(string assemblyPath)
        {
            using (var stream = new FileStream(assemblyPath, FileMode.Open, FileAccess.ReadWrite, FileShare.Read))
                using (var peReader = new PEReader(stream))
                    using (var writer = new BinaryWriter(stream))
                    {
                        if (!ContentUtil.IsPublicSigned(peReader))
                        {
                            return;
                        }

                        stream.Position = peReader.PEHeaders.CorHeaderStartOffset + OffsetFromStartOfCorHeaderToFlags;
                        writer.Write((UInt32)(peReader.PEHeaders.CorHeader.Flags & ~CorFlags.StrongNameSigned));
                    }
        }
示例#9
0
        private static PEInfo GetPEInfo(string fullPath)
        {
            bool isManaged = ContentUtil.IsManaged(fullPath);

            if (!isManaged)
            {
                return(new PEInfo(isManaged));
            }

            bool   isCrossgened   = ContentUtil.IsCrossgened(fullPath);
            string publicKeyToken = ContentUtil.GetPublicKeyToken(fullPath);

            GetTargetFrameworkAndCopyright(fullPath, out string targetFramework, out string copyright);
            return(new PEInfo(isManaged, isCrossgened, copyright, publicKeyToken, targetFramework));
        }
示例#10
0
        private static void GetPEInfo(string fullPath, out bool isManaged, out string publicKeyToken, out string targetFramework, out string copyright)
        {
            isManaged = ContentUtil.IsManaged(fullPath);

            if (!isManaged)
            {
                publicKeyToken  = string.Empty;
                targetFramework = string.Empty;
                copyright       = string.Empty;
                return;
            }

            AssemblyName assemblyName = AssemblyName.GetAssemblyName(fullPath);
            var          pktBytes     = assemblyName.GetPublicKeyToken();

            publicKeyToken = (pktBytes == null || pktBytes.Length == 0) ? string.Empty : string.Join("", pktBytes.Select(b => b.ToString("x2")));
            GetTargetFrameworkAndCopyright(fullPath, out targetFramework, out copyright);
        }
示例#11
0
        internal void ReadExistingContainerSigningCache()
        {
            _log.LogMessage("Loading existing files from cache");
            foreach (var file in Directory.EnumerateFiles(_pathToContainerUnpackingDirectory, "*.*", SearchOption.AllDirectories))
            {
                string cacheRelative = file.Replace(_pathToContainerUnpackingDirectory + Path.DirectorySeparatorChar, "");
                int    indexOfHash   = cacheRelative.IndexOf(Path.DirectorySeparatorChar);

                if (indexOfHash <= 0)
                {
                    continue;
                }

                // When reading from an existing cache use the already computed hash from the directory
                // structure instead of computing it from the file because things like signing
                // might have changed the hash but we want to still use the same hash of the unsigned
                // file that originally built the cache.
                string stringHash = cacheRelative.Substring(0, indexOfHash);
                ImmutableArray <byte> contentHash;
                try
                {
                    contentHash = ContentUtil.StringToHash(stringHash);
                }
                catch
                {
                    _log.LogMessage($"Failed to parse the content hash from path '{file}' so skipping it.");
                    continue;
                }

                // if the content of the file doesn't match the hash in file path than the file has changed
                // which indicates that it was signed so we need to ensure we repack the binary with the signed version
                string actualFileHash = ContentUtil.HashToString(ContentUtil.GetContentHash(file));
                bool   forceRepack    = stringHash != actualFileHash;
                _hashToCollisionIdMap.TryGetValue(new SignedFileContentKey(contentHash, Path.GetFileName(file)), out string collisionPriorityId);

                TrackFile(file, collisionPriorityId, contentHash, false, forceRepack, containerPath: file);
            }
            _log.LogMessage("Done loading existing files from cache");
        }
示例#12
0
        private void GenerateOrchestrationManifest(BatchSignInput batchData, string outputPath)
        {
            _log.LogMessage(MessageImportance.High, $"Generating orchestration file manifest into {outputPath}");
            OrchestratedFileJson fileJsonWithInfo = new OrchestratedFileJson
            {
                ExcludeList = Array.Empty <string>()
            };

            var distinctSigningCombos = batchData.FilesToSign.GroupBy(fileToSign => new { fileToSign.SignInfo.Certificate, fileToSign.SignInfo.StrongName });
            var contentUtil           = new ContentUtil();

            List <OrchestratedFileSignData> newList = new List <OrchestratedFileSignData>();

            foreach (var combinationToSign in distinctSigningCombos)
            {
                var filesInThisGroup = combinationToSign.Select(combination => new FileSignDataEntry()
                {
                    FilePath         = combination.FullPath,
                    SHA256Hash       = contentUtil.GetChecksum(combination.FullPath),
                    PublishToFeedUrl = batchData.PublishUri
                });
                newList.Add(new OrchestratedFileSignData()
                {
                    Certificate = combinationToSign.Key.Certificate,
                    StrongName  = combinationToSign.Key.StrongName,
                    FileList    = filesInThisGroup.ToArray()
                });
            }
            fileJsonWithInfo.SignList = newList.ToArray();
            fileJsonWithInfo.Kind     = "orchestration";

            using (StreamWriter file = File.CreateText(outputPath))
            {
                file.Write(JsonConvert.SerializeObject(fileJsonWithInfo, Formatting.Indented));
            }
        }
示例#13
0
 internal bool IsCrossgened() => ContentUtil.IsCrossgened(FullPath);
示例#14
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
        {
            Debug.Assert(zipFileSignInfo.IsZipContainer());

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
                {
                    var nestedParts = new List <ZipPart>();

                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;

                        // `entry` might be just a pointer to a folder. We skip those.
                        if (relativePath.EndsWith("/") && entry.Name == "")
                        {
                            continue;
                        }

                        ImmutableArray <byte> contentHash;
                        using (var stream = entry.Open())
                        {
                            contentHash = ContentUtil.GetContentHash(stream);
                        }

                        var fileUniqueKey = new SignedFileContentKey(contentHash, relativePath);

                        if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                        {
                            packages = new HashSet <string>();
                        }

                        packages.Add(zipFileSignInfo.FileName);
                        _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                        // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
                        var fileName = Path.GetFileName(relativePath);
                        if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
                        {
                            string extractPathRoot = _useHashInExtractionPath ? ContentUtil.HashToString(contentHash) : _filesByContentKey.Count().ToString();
                            string tempPath        = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
                            _log.LogMessage($"Extracting file '{fileName}' from '{zipFileSignInfo.FullPath}' to '{tempPath}'.");

                            Directory.CreateDirectory(Path.GetDirectoryName(tempPath));

                            using (var stream = entry.Open())
                                using (var tempFileStream = File.OpenWrite(tempPath))
                                {
                                    stream.CopyTo(tempFileStream);
                                }

                            fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
                        }

                        if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack)
                        {
                            nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
                        }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
示例#15
0
 internal bool IsManaged() => ContentUtil.IsManaged(FullPath);
示例#16
0
        private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash, bool forceRepack = false)
        {
            // Try to determine default certificate name by the extension of the file
            var    hasSignInfo               = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);
            var    fileName                  = Path.GetFileName(fullPath);
            var    extension                 = Path.GetExtension(fullPath);
            string explicitCertificateName   = null;
            var    fileSpec                  = string.Empty;
            var    isAlreadySigned           = false;
            var    matchedNameTokenFramework = false;
            var    matchedNameToken          = false;
            var    matchedName               = false;
            PEInfo peInfo = null;

            if (FileSignInfo.IsPEFile(fullPath))
            {
                using (var stream = File.OpenRead(fullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                peInfo = GetPEInfo(fullPath);

                // Get the default sign info based on the PKT, if applicable:
                if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfo))
                {
                    if (peInfo.IsCrossgened)
                    {
                        signInfo = new SignInfo(pktBasedSignInfo.Certificate);
                    }
                    else
                    {
                        signInfo = pktBasedSignInfo;
                    }
                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework), out explicitCertificateName);
                matchedNameToken          = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken), out explicitCertificateName);

                fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
                           matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
            }

            // We didn't find any specific information for PE files using PKT + TargetFramework
            if (explicitCertificateName == null)
            {
                matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName);
            }

            // If has overriding info, is it for ignoring the file?
            if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
            {
                _log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}");
                return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
            }

            // Do we have an explicit certificate after all?
            if (explicitCertificateName != null)
            {
                signInfo    = signInfo.WithCertificateName(explicitCertificateName);
                hasSignInfo = true;
            }

            if (hasSignInfo)
            {
                if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate))
                {
                    return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack));
                }

                // TODO: implement this check for native PE files as well:
                // extract copyright from native resource (.rsrc section)
                if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
                {
                    bool?isMicrosoftLibrary     = IsMicrosoftLibrary(peInfo.Copyright);
                    bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
                    if (isMicrosoftLibrary.HasValue && isMicrosoftLibrary != isMicrosoftCertificate)
                    {
                        if (isMicrosoftLibrary.Value)
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
                        }
                        else
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
                        }
                    }
                }

                return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack));
            }

            if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
            {
                // Extract the relative path inside the package / otherwise just return the full path of the file
                var contentHash  = ContentUtil.GetContentHash(fullPath);
                var tempDir      = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
                var relativePath = fullPath.Replace($@"{tempDir}\", "");
                LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath));
            }
            else
            {
                _log.LogMessage($"Ignoring non-signable file: {fullPath}");
            }

            return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
        }
示例#17
0
 internal bool IsManaged() => ContentUtil.GetAssemblyName(FullPath) != null;
示例#18
0
        private SignInfo ExtractSignInfo(string fileFullPath)
        {
            if (FileName.IsPEFile(fileFullPath))
            {
                using (var stream = File.OpenRead(fileFullPath))
                {
                    if (ContentUtil.IsAssemblyStrongNameSigned(stream))
                    {
                        return(SignInfo.AlreadySigned);
                    }
                }

                if (!IsManaged(fileFullPath))
                {
                    return(new SignInfo(SignToolConstants.Certificate_MicrosoftSHA2, null));
                }
                else
                {
                    var fileAsm         = System.Reflection.AssemblyName.GetAssemblyName(fileFullPath);
                    var pktBytes        = fileAsm.GetPublicKeyToken();
                    var publicKeyToken  = (pktBytes == null || pktBytes.Length == 0) ? string.Empty : string.Join("", pktBytes.Select(b => b.ToString("x2")));
                    var targetFramework = GetTargetFrameworkName(fileFullPath).FullName;
                    var fileName        = Path.GetFileName(fileFullPath);

                    var keyForAllTargets     = new ExplicitCertificateKey(fileName, publicKeyToken, SignToolConstants.AllTargetFrameworksSentinel);
                    var keyForSpecificTarget = new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework);

                    // Do we need to override the default certificate this file ?
                    if (_explicitCertificates.TryGetValue(keyForSpecificTarget, out var overridingCertificate) ||
                        _explicitCertificates.TryGetValue(keyForAllTargets, out overridingCertificate))
                    {
                        // If has overriding info, is it for ignoring the file?
                        if (overridingCertificate != null && overridingCertificate.Equals(SignToolConstants.IgnoreFileCertificateSentinel))
                        {
                            return(SignInfo.Ignore); // should ignore this file
                        }
                        // Otherwise, just use the overriding info if present
                    }

                    if (publicKeyToken == string.Empty)
                    {
                        if (string.IsNullOrEmpty(overridingCertificate))
                        {
                            _log.LogError($"SignInfo for file ({fileFullPath}) and empty PKT not found. Expected it to be informed in overriding infos.");
                            return(SignInfo.Empty);
                        }

                        return(new SignInfo(overridingCertificate, string.Empty));
                    }

                    if (_defaultSignInfoForPublicKeyToken.ContainsKey(publicKeyToken))
                    {
                        var signInfo = _defaultSignInfoForPublicKeyToken[publicKeyToken];

                        var certificate = overridingCertificate ?? signInfo.Certificate;

                        return(new SignInfo(certificate, signInfo.StrongName, signInfo.ShouldIgnore, signInfo.IsEmpty, signInfo.IsAlreadySigned));
                    }

                    _log.LogError($"SignInfo for file ({fileFullPath}) with Public Key Token {publicKeyToken} not found.");
                    return(SignInfo.Empty);
                }
            }
            else if (FileName.IsZipContainer(fileFullPath))
            {
                return(new SignInfo(FileName.IsNupkg(fileFullPath) ? SignToolConstants.Certificate_NuGet : SignToolConstants.Certificate_VsixSHA2, null));
            }
            else
            {
                _log.LogWarning($"Unidentified artifact type: {fileFullPath}");
                return(SignInfo.Ignore);
            }
        }
示例#19
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
        {
            Debug.Assert(zipFileSignInfo.IsZipContainer());

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
                {
                    var nestedParts = new List <ZipPart>();

                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;
                        string extension    = Path.GetExtension(relativePath);

                        if (!FileSignInfo.IsZipContainer(relativePath) && (!_fileExtensionSignInfo.TryGetValue(extension, out var extensionSignInfo) || !extensionSignInfo.ShouldSign))
                        {
                            var reason = extensionSignInfo.ShouldIgnore ? "configuration tells to ignore this extension" : "its extension isn't on recognizable signing extension list";
                            _log.LogMessage($"Ignoring this file because {reason} : {relativePath}");
                            continue;
                        }

                        ImmutableArray <byte> contentHash;
                        using (var stream = entry.Open())
                        {
                            contentHash = ContentUtil.GetContentHash(stream);
                        }

                        // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
                        string fileName = Path.GetFileName(relativePath);
                        if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
                        {
                            string tempDir  = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
                            string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath));
                            Directory.CreateDirectory(tempDir);

                            using (var stream = entry.Open())
                                using (var tempFileStream = File.OpenWrite(tempPath))
                                {
                                    stream.CopyTo(tempFileStream);
                                }

                            fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
                        }

                        if (fileSignInfo.SignInfo.ShouldSign)
                        {
                            nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
                        }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
示例#20
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData, string alternativeArchivePath = null)
        {
            string archivePath = zipFileSignInfo.FullPath;

            if (alternativeArchivePath != null)
            {
                archivePath = alternativeArchivePath;
                Debug.Assert(Path.GetExtension(archivePath) == ".zip");
            }
            else
            {
                Debug.Assert(zipFileSignInfo.IsZipContainer());
            }

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(archivePath), ZipArchiveMode.Read))
                {
                    var nestedParts = new Dictionary <string, ZipPart>();


                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;

                        // `entry` might be just a pointer to a folder. We skip those.
                        if (relativePath.EndsWith("/") && entry.Name == "")
                        {
                            continue;
                        }

                        using (var entryStream = entry.Open())
                            using (MemoryStream entryMemoryStream = new MemoryStream((int)entry.Length))
                            {
                                entryStream.CopyTo(entryMemoryStream);
                                entryMemoryStream.Position = 0;
                                ImmutableArray <byte> contentHash = ContentUtil.GetContentHash(entryMemoryStream);

                                var fileUniqueKey = new SignedFileContentKey(contentHash, Path.GetFileName(relativePath));

                                if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
                                {
                                    packages = new HashSet <string>();
                                }

                                packages.Add(Path.GetFileName(archivePath));

                                _whichPackagesTheFileIsIn[fileUniqueKey] = packages;

                                // if we already encountered file that has the same content we can reuse its signed version when repackaging the container.
                                var fileName = Path.GetFileName(relativePath);
                                if (!_filesByContentKey.TryGetValue(fileUniqueKey, out var fileSignInfo))
                                {
                                    string extractPathRoot = _useHashInExtractionPath ? fileUniqueKey.StringHash : _filesByContentKey.Count().ToString();
                                    string tempPath        = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
                                    _log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'.");

                                    Directory.CreateDirectory(Path.GetDirectoryName(tempPath));

                                    entryMemoryStream.Position = 0;
                                    using (var tempFileStream = File.OpenWrite(tempPath))
                                    {
                                        entryMemoryStream.CopyTo(tempFileStream);
                                    }

                                    _hashToCollisionIdMap.TryGetValue(fileUniqueKey, out string collisionPriorityId);
                                    PathWithHash nestedFile = new PathWithHash(tempPath, contentHash);
                                    fileSignInfo = TrackFile(nestedFile, zipFileSignInfo.File, collisionPriorityId);
                                }

                                if (fileSignInfo.ShouldTrack)
                                {
                                    nestedParts.Add(relativePath, new ZipPart(relativePath, fileSignInfo));
                                }
                            }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableDictionary());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
示例#21
0
        /// <summary>
        ///     Determine the file signing info of this file.
        /// </summary>
        /// <param name="fullPath">Full path to the file</param>
        /// <param name="collisionPriorityId">ID used to disambiguate file signing info for nested files.</param>
        /// <param name="contentHash">Content hash of the file</param>
        /// <param name="wixContentFilePath">If a wix container, the corresponding wix pack zip</param>
        /// <param name="parentContainerPath">Path to the parent container. If this is a non-nested container, this should be null</param>
        /// <param name="parentContainerHash">Hash of the parent container. If this is a non-nested container, this should be null</param>
        /// <returns>File signing information for this file.</returns>
        private FileSignInfo ExtractSignInfo(
            PathWithHash file,
            PathWithHash parentContainer,
            string collisionPriorityId,
            string wixContentFilePath)
        {
            var    extension = Path.GetExtension(file.FileName);
            string explicitCertificateName = null;
            var    fileSpec                  = string.Empty;
            var    isAlreadySigned           = false;
            var    matchedNameTokenFramework = false;
            var    matchedNameToken          = false;
            var    matchedName               = false;
            PEInfo peInfo = null;
            SignedFileContentKey signedFileContentKey = new SignedFileContentKey(file.ContentHash, file.FileName);

            // handle multi-part extensions like ".symbols.nupkg" specified in FileExtensionSignInfo
            if (_fileExtensionSignInfo != null)
            {
                extension = _fileExtensionSignInfo.OrderByDescending(o => o.Key.Length).FirstOrDefault(f => file.FileName.EndsWith(f.Key, StringComparison.OrdinalIgnoreCase)).Key ?? extension;
            }

            // Asset is nested asset part of a container. Try to get it from the visited assets first
            if (string.IsNullOrEmpty(collisionPriorityId) && parentContainer != null)
            {
                if (!_hashToCollisionIdMap.TryGetValue(signedFileContentKey, out collisionPriorityId))
                {
                    Debug.Assert(parentContainer.FullPath != file.FullPath);

                    // Hash doesn't exist so we use the CollisionPriorityId from the parent container
                    SignedFileContentKey parentSignedFileContentKey =
                        new SignedFileContentKey(parentContainer.ContentHash, parentContainer.FileName);
                    collisionPriorityId = _hashToCollisionIdMap[parentSignedFileContentKey];
                }
            }

            // Update the hash map
            if (!_hashToCollisionIdMap.ContainsKey(signedFileContentKey))
            {
                _hashToCollisionIdMap.Add(signedFileContentKey, collisionPriorityId);
            }
            else
            {
                string existingCollisionId = _hashToCollisionIdMap[signedFileContentKey];

                // If we find that there is an asset which already was processed which has a lower
                // collision id, we use that and update the map so we give it precedence
                if (string.Compare(collisionPriorityId, existingCollisionId) < 0)
                {
                    _hashToCollisionIdMap[signedFileContentKey] = collisionPriorityId;
                }
            }

            // Try to determine default certificate name by the extension of the file. Since there might be dupes
            // we get the one which maps a collision id or the first of the returned ones in case there is no
            // collision id
            bool     hasSignInfos = _fileExtensionSignInfo.TryGetValue(extension, out var signInfos);
            SignInfo signInfo     = SignInfo.Ignore;
            bool     hasSignInfo  = false;

            if (hasSignInfos)
            {
                if (!string.IsNullOrEmpty(collisionPriorityId))
                {
                    hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any();
                    signInfo    = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                }
                else
                {
                    hasSignInfo = true;
                    signInfo    = signInfos.FirstOrDefault();
                }
            }

            if (FileSignInfo.IsPEFile(file.FullPath))
            {
                using (var stream = File.OpenRead(file.FullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                peInfo = GetPEInfo(file.FullPath);

                if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos))
                {
                    // Get the default sign info based on the PKT, if applicable. Since there might be dupes
                    // we get the one which maps a collision id or the first of the returned ones in case there is no
                    // collision id
                    SignInfo pktBasedSignInfo = SignInfo.Ignore;

                    if (!string.IsNullOrEmpty(collisionPriorityId))
                    {
                        pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                    }
                    else
                    {
                        pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault();
                    }

                    if (peInfo.IsCrossgened)
                    {
                        signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]);
                    }
                    else
                    {
                        signInfo = pktBasedSignInfo;
                    }

                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                matchedNameTokenFramework = _fileSignInfo.TryGetValue(
                    new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[signedFileContentKey]),
                    out explicitCertificateName);
                matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(
                    new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]),
                    out explicitCertificateName);

                fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
                           matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
            }
            else if (FileSignInfo.IsNupkg(file.FullPath) || FileSignInfo.IsVsix(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.IsSignedContainer(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} does not have a signature marker.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} has a signature marker.");
                }
            }
            else if (FileSignInfo.IsWix(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.IsDigitallySigned(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not digitally signed.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed.");
                }
            }
            else if (FileSignInfo.IsPowerShellScript(file.FullPath))
            {
                isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath);
                if (!isAlreadySigned)
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} does not have a signature block.");
                }
                else
                {
                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} has a signature block.");
                }
            }

            // We didn't find any specific information for PE files using PKT + TargetFramework
            if (explicitCertificateName == null)
            {
                matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(file.FileName,
                                                                                   collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName);
            }

            // If has overriding info, is it for ignoring the file?
            if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
            {
                _log.LogMessage(MessageImportance.Low, $"File configured to not be signed: {file.FullPath}{fileSpec}");
                return(new FileSignInfo(file, SignInfo.Ignore));
            }

            // Do we have an explicit certificate after all?
            if (explicitCertificateName != null)
            {
                signInfo    = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[signedFileContentKey]);
                hasSignInfo = true;
            }

            if (hasSignInfo)
            {
                bool dualCerts = _dualCertificates
                                 .Where(d => d.ItemSpec == signInfo.Certificate &&
                                        (d.GetMetadata(SignToolConstants.CollisionPriorityId) == "" ||
                                         d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[signedFileContentKey])).Any();

                if (isAlreadySigned && !dualCerts)
                {
                    return(new FileSignInfo(file, signInfo.WithIsAlreadySigned(isAlreadySigned), wixContentFilePath: wixContentFilePath));
                }

                // TODO: implement this check for native PE files as well:
                // extract copyright from native resource (.rsrc section)
                if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
                {
                    bool isMicrosoftLibrary     = IsMicrosoftLibrary(peInfo.Copyright);
                    bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
                    if (isMicrosoftLibrary != isMicrosoftCertificate)
                    {
                        if (isMicrosoftLibrary)
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{file.FullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
                        }
                        else
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{file.FullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
                        }
                    }
                }

                return(new FileSignInfo(file, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, wixContentFilePath: wixContentFilePath));
            }

            if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
            {
                // Extract the relative path inside the package / otherwise just return the full path of the file
                LogError(SigningToolErrorCode.SIGN002, signedFileContentKey);
            }
            else
            {
                _log.LogMessage(MessageImportance.Low, $"Ignoring non-signable file: {file.FullPath}");
            }

            return(new FileSignInfo(file, SignInfo.Ignore, wixContentFilePath: wixContentFilePath));
        }
示例#22
0
        private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash)
        {
            // Try to determine default certificate name by the extension of the file
            var    hasSignInfo               = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);
            var    fileName                  = Path.GetFileName(fullPath);
            var    extension                 = Path.GetExtension(fullPath);
            string explicitCertificateName   = null;
            string copyright                 = string.Empty;
            var    targetFramework           = string.Empty;
            var    fileSpec                  = string.Empty;
            var    isAlreadySigned           = false;
            var    matchedNameTokenFramework = false;
            var    matchedNameToken          = false;
            var    matchedName               = false;
            var    isManagedPE               = false;

            if (FileSignInfo.IsPEFile(fullPath))
            {
                using (var stream = File.OpenRead(fullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                GetPEInfo(fullPath, out isManagedPE, out var publicKeyToken, out targetFramework, out copyright);

                // Get the default sign info based on the PKT, if applicable:
                if (isManagedPE && _strongNameInfo.TryGetValue(publicKeyToken, out var pktBasedSignInfo))
                {
                    signInfo    = pktBasedSignInfo;
                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out explicitCertificateName);
                matchedNameToken          = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out explicitCertificateName);

                fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {publicKeyToken}, Framework = {targetFramework})" :
                           matchedNameToken ? $" (PublicKeyToken = {publicKeyToken})" : string.Empty;
            }

            // We didn't find any specific information for PE files using PKT + TargetFramework
            if (explicitCertificateName == null)
            {
                matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName);
            }

            // If has overriding info, is it for ignoring the file?
            if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
            {
                _log.LogMessage($"File configurated to not be signed: {fileName}{fileSpec}");
                return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
            }

            // Do we have an explicit certificate after all?
            if (explicitCertificateName != null)
            {
                signInfo    = signInfo.WithCertificateName(explicitCertificateName);
                hasSignInfo = true;
            }

            if (hasSignInfo)
            {
                if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate))
                {
                    return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned));
                }

                // TODO: implement this check for native PE files as well:
                // extract copyright from native resource (.rsrc section)
                if (signInfo.ShouldSign && isManagedPE)
                {
                    bool isMicrosoftLibrary     = IsMicrosoftLibrary(copyright);
                    bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
                    if (isMicrosoftLibrary != isMicrosoftCertificate)
                    {
                        if (isMicrosoftLibrary)
                        {
                            LogWarning("SIGN001", $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{copyright}'.");
                        }
                        else
                        {
                            LogWarning("SIGN001", $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{copyright}'.");
                        }
                    }
                }

                return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null));
            }

            if (SignToolConstants.SignableExtensions.Contains(extension))
            {
                _log.LogError($"Couldn't determine certificate name for signable file: {fullPath}");
            }
            else
            {
                _log.LogMessage($"Ignoring non-signable file: {fullPath}");
            }

            return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
        }
示例#23
0
        /// <summary>
        /// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
        /// errors found when examining the zip archive.
        /// </summary>
        private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
        {
            Debug.Assert(zipFileSignInfo.IsZipContainer());

            try
            {
                using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
                {
                    var nestedParts = new List <ZipPart>();

                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        string relativePath = entry.FullName;

                        // `entry` might be just a pointer to a folder. We skip those.
                        if (relativePath.EndsWith("/") && entry.Name == "")
                        {
                            continue;
                        }

                        ImmutableArray <byte> contentHash;
                        using (var stream = entry.Open())
                        {
                            contentHash = ContentUtil.GetContentHash(stream);
                        }

                        // if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
                        string fileName = Path.GetFileName(relativePath);
                        if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
                        {
                            string tempDir  = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
                            string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath));
                            Directory.CreateDirectory(tempDir);

                            using (var stream = entry.Open())
                                using (var tempFileStream = File.OpenWrite(tempPath))
                                {
                                    stream.CopyTo(tempFileStream);
                                }

                            fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
                        }

                        if (fileSignInfo.SignInfo.ShouldSign)
                        {
                            nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
                        }
                    }

                    zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());

                    return(true);
                }
            }
            catch (Exception e)
            {
                _log.LogErrorFromException(e);
                zipData = null;
                return(false);
            }
        }
示例#24
0
        private FileSignInfo ExtractSignInfo(
            string fullPath,
            string collisionPriorityId,
            ImmutableArray <byte> hash,
            bool forceRepack          = false,
            string wixContentFilePath = null,
            string containerPath      = null)
        {
            var    fileName  = Path.GetFileName(fullPath);
            var    extension = Path.GetExtension(fullPath);
            string explicitCertificateName = null;
            var    fileSpec                  = string.Empty;
            var    isAlreadySigned           = false;
            var    matchedNameTokenFramework = false;
            var    matchedNameToken          = false;
            var    matchedName               = false;
            PEInfo peInfo     = null;
            string stringHash = ContentUtil.HashToString(hash);

            // Asset is nested asset part of a container. Try to get it from the visited assets first
            if (string.IsNullOrEmpty(collisionPriorityId) &&
                !string.IsNullOrEmpty(containerPath))
            {
                if (!_hashToCollisionIdMap.TryGetValue(stringHash, out collisionPriorityId))
                {
                    // Hash doesn't exist so we use the CollisionPriorityId from the parent container
                    string parentStringHash = ContentUtil.HashToString(ContentUtil.GetContentHash(containerPath));
                    collisionPriorityId = _hashToCollisionIdMap[parentStringHash];
                }
            }

            // Update the hash map
            if (!_hashToCollisionIdMap.ContainsKey(stringHash))
            {
                _hashToCollisionIdMap.Add(stringHash, collisionPriorityId);
            }
            else
            {
                string existingCollisionId = _hashToCollisionIdMap[stringHash];

                // If we find that there is an asset which already was processed which has a lower
                // collision id, we use that and update the map so we give it precedence
                if (string.Compare(collisionPriorityId, existingCollisionId) < 0)
                {
                    _hashToCollisionIdMap[stringHash] = collisionPriorityId;
                }
            }

            // Try to determine default certificate name by the extension of the file. Since there might be dupes
            // we get the one which maps a collision id or the first of the returned ones in case there is no
            // collision id
            bool     hasSignInfos = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfos);
            SignInfo signInfo     = SignInfo.Ignore;
            bool     hasSignInfo  = false;

            if (hasSignInfos)
            {
                if (!string.IsNullOrEmpty(collisionPriorityId))
                {
                    hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any();
                    signInfo    = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                }
                else
                {
                    hasSignInfo = true;
                    signInfo    = signInfos.FirstOrDefault();
                }
            }

            if (FileSignInfo.IsPEFile(fullPath))
            {
                using (var stream = File.OpenRead(fullPath))
                {
                    isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
                }

                peInfo = GetPEInfo(fullPath);

                if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos))
                {
                    // Get the default sign info based on the PKT, if applicable. Since there might be dupes
                    // we get the one which maps a collision id or the first of the returned ones in case there is no
                    // collision id
                    SignInfo pktBasedSignInfo = SignInfo.Ignore;

                    if (!string.IsNullOrEmpty(collisionPriorityId))
                    {
                        pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
                    }
                    else
                    {
                        pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault();
                    }

                    if (peInfo.IsCrossgened)
                    {
                        signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[stringHash]);
                    }
                    else
                    {
                        signInfo = pktBasedSignInfo;
                    }

                    hasSignInfo = true;
                }

                // Check if we have more specific sign info:
                matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[stringHash]), out explicitCertificateName);
                matchedNameToken          = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName);

                fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
                           matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
            }

            // We didn't find any specific information for PE files using PKT + TargetFramework
            if (explicitCertificateName == null)
            {
                matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName);
            }

            // If has overriding info, is it for ignoring the file?
            if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
            {
                _log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}");
                return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
            }

            // Do we have an explicit certificate after all?
            if (explicitCertificateName != null)
            {
                signInfo    = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[stringHash]);
                hasSignInfo = true;
            }

            if (hasSignInfo)
            {
                bool dualCerts = _dualCertificates
                                 .Where(d => d.ItemSpec == signInfo.Certificate &&
                                        d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[stringHash]).Any();

                if (isAlreadySigned && !dualCerts)
                {
                    return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
                }

                // TODO: implement this check for native PE files as well:
                // extract copyright from native resource (.rsrc section)
                if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
                {
                    bool isMicrosoftLibrary     = IsMicrosoftLibrary(peInfo.Copyright);
                    bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
                    if (isMicrosoftLibrary != isMicrosoftCertificate)
                    {
                        if (isMicrosoftLibrary)
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
                        }
                        else
                        {
                            LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
                        }
                    }
                }

                return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
            }

            if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
            {
                // Extract the relative path inside the package / otherwise just return the full path of the file
                var contentHash  = ContentUtil.GetContentHash(fullPath);
                var tempDir      = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
                var relativePath = fullPath.Replace($@"{tempDir}\", "");
                LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath));
            }
            else
            {
                _log.LogMessage($"Ignoring non-signable file: {fullPath}");
            }

            return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
        }