internal void ReadExistingContainerSigningCache()
{
_log.LogMessage("Loading existing files from cache");
foreach (var file in Directory.EnumerateFiles(_pathToContainerUnpackingDirectory, "*.*", SearchOption.AllDirectories))
{
string cacheRelative = file.Replace(_pathToContainerUnpackingDirectory + Path.DirectorySeparatorChar, "");
int indexOfHash = cacheRelative.IndexOf(Path.DirectorySeparatorChar);
if (indexOfHash <= 0)
{
continue;
}
// When reading from an existing cache use the already computed hash from the directory
// structure instead of computing it from the file because things like signing
// might have changed the hash but we want to still use the same hash of the unsigned
// file that originally built the cache.
string stringHash = cacheRelative.Substring(0, indexOfHash);
try
{
ImmutableArray <byte> contentHash = ContentUtil.StringToHash(stringHash);
}
catch {
_log.LogMessage($"Failed to parse the content hash from path '{file}' so skipping it.");
continue;
}
TrackFile(file, ContentUtil.StringToHash(stringHash), false);
}
_log.LogMessage("Done loading existing files from cache");
}
public SignedFileContentKey(ImmutableArray <byte> contentHash, string fileName)
{
Debug.Assert(!contentHash.IsDefault);
Debug.Assert(fileName != null);
StringHash = ContentUtil.HashToString(contentHash);
FileName = fileName;
}
internal BatchSignInput GenerateListOfFiles()
{
Stopwatch gatherInfoTime = Stopwatch.StartNew();
foreach (var itemToSign in _itemsToSign)
{
string fullPath = itemToSign.ItemSpec;
string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
var contentHash = ContentUtil.GetContentHash(fullPath);
var fileUniqueKey = new SignedFileContentKey(contentHash, Path.GetFileName(fullPath));
if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
{
packages = new HashSet <string>();
}
packages.Add(fullPath);
_whichPackagesTheFileIsIn[fileUniqueKey] = packages;
PathWithHash pathWithHash = new PathWithHash(fullPath, contentHash);
TrackFile(pathWithHash, null, collisionPriorityId);
}
gatherInfoTime.Stop();
if (_telemetry != null)
{
_telemetry.AddMetric("Gather file info duration (s)", gatherInfoTime.ElapsedMilliseconds / 1000);
}
if (_errors.Any())
{
// Iterate over each pair of <error code, unique file identity>.
// We can be sure here that the same file won't have the same error code twice.
foreach (var errorGroup in _errors)
{
switch (errorGroup.Key)
{
case SigningToolErrorCode.SIGN002:
_log.LogError("Could not determine certificate name for signable file(s):");
break;
}
// For each file that had that error
foreach (var erroredFile in errorGroup.Value)
{
_log.LogError($"\tFile: {erroredFile.FileName}");
// Get a list of all containers where the file showed up
foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
{
_log.LogError($"\t\t{containerName}");
}
}
}
}
return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(), _filesToCopy.ToImmutableArray()));
}
internal BatchSignInput GenerateListOfFiles()
{
foreach (var fullPath in _itemsToSign)
{
TrackFile(fullPath, ContentUtil.GetContentHash(fullPath), isNested: false);
}
return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(ByteSequenceComparer.Instance), _filesToCopy.ToImmutableArray()));
}
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash)
{
var targetFramework = string.Empty;
// Try to determine default certificate name by the extension of the file
var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);
var isAlreadySigned = false;
if (FileSignInfo.IsPEFile(fullPath))
{
using (var stream = File.OpenRead(fullPath))
{
isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
}
GetPEInfo(fullPath, out var isManaged, out var publicKeyToken, out targetFramework);
// Get the default sign info based on the PKT, if applicable:
if (isManaged && _defaultSignInfoForPublicKeyToken.TryGetValue(publicKeyToken, out var pktBasedSignInfo))
{
signInfo = pktBasedSignInfo;
hasSignInfo = true;
}
// Check if we have more specific sign info:
var fileName = Path.GetFileName(fullPath);
if (_explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out var overridingCertificate) ||
_explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out overridingCertificate) ||
_explicitCertificates.TryGetValue(new ExplicitCertificateKey(fileName), out overridingCertificate))
{
// If has overriding info, is it for ignoring the file?
if (overridingCertificate.Equals(SignToolConstants.IgnoreFileCertificateSentinel, StringComparison.OrdinalIgnoreCase))
{
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
}
signInfo = signInfo.WithCertificateName(overridingCertificate);
hasSignInfo = true;
}
}
if (hasSignInfo)
{
if (isAlreadySigned &&
!signInfo.Certificate.Equals(SignToolConstants.Certificate_Microsoft3rdPartyAppComponentDual, StringComparison.OrdinalIgnoreCase) &&
!signInfo.Certificate.Equals(SignToolConstants.Certificate_Microsoft3rdPartyAppComponentSha2, StringComparison.OrdinalIgnoreCase))
{
return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned));
}
return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null));
}
_log.LogWarning($"Couldn't determine signing information for this file: {fullPath}");
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
}
public override bool VerifySignedPEFile(Stream assemblyStream)
{
// The assembly won't verify by design when doing test signing.
if (TestSign)
{
return(true);
}
return(ContentUtil.IsAuthenticodeSigned(assemblyStream));
}
internal BatchSignInput GenerateListOfFiles()
{
foreach (var itemToSign in _itemsToSign)
{
string fullPath = itemToSign.ItemSpec;
string collisionPriorityId = itemToSign.GetMetadata(SignToolConstants.CollisionPriorityId);
var fileUniqueKey = new SignedFileContentKey(ContentUtil.GetContentHash(fullPath), fullPath);
if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
{
packages = new HashSet <string>();
}
packages.Add(fullPath);
_whichPackagesTheFileIsIn[fileUniqueKey] = packages;
TrackFile(fullPath, collisionPriorityId, ContentUtil.GetContentHash(fullPath), isNested: false);
}
if (_errors.Any())
{
// Iterate over each pair of <error code, unique file identity>.
// We can be sure here that the same file won't have the same error code twice.
foreach (var errorGroup in _errors)
{
switch (errorGroup.Key)
{
case SigningToolErrorCode.SIGN002:
_log.LogError("Could not determine certificate name for signable file(s):");
break;
}
// For each file that had that error
foreach (var erroredFile in errorGroup.Value)
{
_log.LogError($"\tFile: {erroredFile.FileName}");
// Get a list of all containers where the file showed up
foreach (var containerName in _whichPackagesTheFileIsIn[erroredFile])
{
_log.LogError($"\t\t{containerName}");
}
}
}
}
return(new BatchSignInput(_filesToSign.ToImmutableArray(), _zipDataMap.ToImmutableDictionary(ByteSequenceComparer.Instance), _filesToCopy.ToImmutableArray()));
}
public override void RemovePublicSign(string assemblyPath)
{
using (var stream = new FileStream(assemblyPath, FileMode.Open, FileAccess.ReadWrite, FileShare.Read))
using (var peReader = new PEReader(stream))
using (var writer = new BinaryWriter(stream))
{
if (!ContentUtil.IsPublicSigned(peReader))
{
return;
}
stream.Position = peReader.PEHeaders.CorHeaderStartOffset + OffsetFromStartOfCorHeaderToFlags;
writer.Write((UInt32)(peReader.PEHeaders.CorHeader.Flags & ~CorFlags.StrongNameSigned));
}
}
private static PEInfo GetPEInfo(string fullPath)
{
bool isManaged = ContentUtil.IsManaged(fullPath);
if (!isManaged)
{
return(new PEInfo(isManaged));
}
bool isCrossgened = ContentUtil.IsCrossgened(fullPath);
string publicKeyToken = ContentUtil.GetPublicKeyToken(fullPath);
GetTargetFrameworkAndCopyright(fullPath, out string targetFramework, out string copyright);
return(new PEInfo(isManaged, isCrossgened, copyright, publicKeyToken, targetFramework));
}
private static void GetPEInfo(string fullPath, out bool isManaged, out string publicKeyToken, out string targetFramework, out string copyright)
{
isManaged = ContentUtil.IsManaged(fullPath);
if (!isManaged)
{
publicKeyToken = string.Empty;
targetFramework = string.Empty;
copyright = string.Empty;
return;
}
AssemblyName assemblyName = AssemblyName.GetAssemblyName(fullPath);
var pktBytes = assemblyName.GetPublicKeyToken();
publicKeyToken = (pktBytes == null || pktBytes.Length == 0) ? string.Empty : string.Join("", pktBytes.Select(b => b.ToString("x2")));
GetTargetFrameworkAndCopyright(fullPath, out targetFramework, out copyright);
}
internal void ReadExistingContainerSigningCache()
{
_log.LogMessage("Loading existing files from cache");
foreach (var file in Directory.EnumerateFiles(_pathToContainerUnpackingDirectory, "*.*", SearchOption.AllDirectories))
{
string cacheRelative = file.Replace(_pathToContainerUnpackingDirectory + Path.DirectorySeparatorChar, "");
int indexOfHash = cacheRelative.IndexOf(Path.DirectorySeparatorChar);
if (indexOfHash <= 0)
{
continue;
}
// When reading from an existing cache use the already computed hash from the directory
// structure instead of computing it from the file because things like signing
// might have changed the hash but we want to still use the same hash of the unsigned
// file that originally built the cache.
string stringHash = cacheRelative.Substring(0, indexOfHash);
ImmutableArray <byte> contentHash;
try
{
contentHash = ContentUtil.StringToHash(stringHash);
}
catch
{
_log.LogMessage($"Failed to parse the content hash from path '{file}' so skipping it.");
continue;
}
// if the content of the file doesn't match the hash in file path than the file has changed
// which indicates that it was signed so we need to ensure we repack the binary with the signed version
string actualFileHash = ContentUtil.HashToString(ContentUtil.GetContentHash(file));
bool forceRepack = stringHash != actualFileHash;
_hashToCollisionIdMap.TryGetValue(new SignedFileContentKey(contentHash, Path.GetFileName(file)), out string collisionPriorityId);
TrackFile(file, collisionPriorityId, contentHash, false, forceRepack, containerPath: file);
}
_log.LogMessage("Done loading existing files from cache");
}
private void GenerateOrchestrationManifest(BatchSignInput batchData, string outputPath)
{
_log.LogMessage(MessageImportance.High, $"Generating orchestration file manifest into {outputPath}");
OrchestratedFileJson fileJsonWithInfo = new OrchestratedFileJson
{
ExcludeList = Array.Empty <string>()
};
var distinctSigningCombos = batchData.FilesToSign.GroupBy(fileToSign => new { fileToSign.SignInfo.Certificate, fileToSign.SignInfo.StrongName });
var contentUtil = new ContentUtil();
List <OrchestratedFileSignData> newList = new List <OrchestratedFileSignData>();
foreach (var combinationToSign in distinctSigningCombos)
{
var filesInThisGroup = combinationToSign.Select(combination => new FileSignDataEntry()
{
FilePath = combination.FullPath,
SHA256Hash = contentUtil.GetChecksum(combination.FullPath),
PublishToFeedUrl = batchData.PublishUri
});
newList.Add(new OrchestratedFileSignData()
{
Certificate = combinationToSign.Key.Certificate,
StrongName = combinationToSign.Key.StrongName,
FileList = filesInThisGroup.ToArray()
});
}
fileJsonWithInfo.SignList = newList.ToArray();
fileJsonWithInfo.Kind = "orchestration";
using (StreamWriter file = File.CreateText(outputPath))
{
file.Write(JsonConvert.SerializeObject(fileJsonWithInfo, Formatting.Indented));
}
}
internal bool IsCrossgened() => ContentUtil.IsCrossgened(FullPath);
/// <summary>
/// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
/// errors found when examining the zip archive.
/// </summary>
private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
{
Debug.Assert(zipFileSignInfo.IsZipContainer());
try
{
using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
{
var nestedParts = new List <ZipPart>();
foreach (ZipArchiveEntry entry in archive.Entries)
{
string relativePath = entry.FullName;
// `entry` might be just a pointer to a folder. We skip those.
if (relativePath.EndsWith("/") && entry.Name == "")
{
continue;
}
ImmutableArray <byte> contentHash;
using (var stream = entry.Open())
{
contentHash = ContentUtil.GetContentHash(stream);
}
var fileUniqueKey = new SignedFileContentKey(contentHash, relativePath);
if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
{
packages = new HashSet <string>();
}
packages.Add(zipFileSignInfo.FileName);
_whichPackagesTheFileIsIn[fileUniqueKey] = packages;
// if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
var fileName = Path.GetFileName(relativePath);
if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
{
string extractPathRoot = _useHashInExtractionPath ? ContentUtil.HashToString(contentHash) : _filesByContentKey.Count().ToString();
string tempPath = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
_log.LogMessage($"Extracting file '{fileName}' from '{zipFileSignInfo.FullPath}' to '{tempPath}'.");
Directory.CreateDirectory(Path.GetDirectoryName(tempPath));
using (var stream = entry.Open())
using (var tempFileStream = File.OpenWrite(tempPath))
{
stream.CopyTo(tempFileStream);
}
fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
}
if (fileSignInfo.SignInfo.ShouldSign || fileSignInfo.ForceRepack)
{
nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
}
}
zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());
return(true);
}
}
catch (Exception e)
{
_log.LogErrorFromException(e);
zipData = null;
return(false);
}
}
internal bool IsManaged() => ContentUtil.IsManaged(FullPath);
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash, bool forceRepack = false)
{
// Try to determine default certificate name by the extension of the file
var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);
var fileName = Path.GetFileName(fullPath);
var extension = Path.GetExtension(fullPath);
string explicitCertificateName = null;
var fileSpec = string.Empty;
var isAlreadySigned = false;
var matchedNameTokenFramework = false;
var matchedNameToken = false;
var matchedName = false;
PEInfo peInfo = null;
if (FileSignInfo.IsPEFile(fullPath))
{
using (var stream = File.OpenRead(fullPath))
{
isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
}
peInfo = GetPEInfo(fullPath);
// Get the default sign info based on the PKT, if applicable:
if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfo))
{
if (peInfo.IsCrossgened)
{
signInfo = new SignInfo(pktBasedSignInfo.Certificate);
}
else
{
signInfo = pktBasedSignInfo;
}
hasSignInfo = true;
}
// Check if we have more specific sign info:
matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework), out explicitCertificateName);
matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken), out explicitCertificateName);
fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
}
// We didn't find any specific information for PE files using PKT + TargetFramework
if (explicitCertificateName == null)
{
matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName);
}
// If has overriding info, is it for ignoring the file?
if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
{
_log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}");
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
}
// Do we have an explicit certificate after all?
if (explicitCertificateName != null)
{
signInfo = signInfo.WithCertificateName(explicitCertificateName);
hasSignInfo = true;
}
if (hasSignInfo)
{
if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate))
{
return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack));
}
// TODO: implement this check for native PE files as well:
// extract copyright from native resource (.rsrc section)
if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
{
bool?isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright);
bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
if (isMicrosoftLibrary.HasValue && isMicrosoftLibrary != isMicrosoftCertificate)
{
if (isMicrosoftLibrary.Value)
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
}
else
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
}
}
}
return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack));
}
if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
{
// Extract the relative path inside the package / otherwise just return the full path of the file
var contentHash = ContentUtil.GetContentHash(fullPath);
var tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
var relativePath = fullPath.Replace($@"{tempDir}\", "");
LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath));
}
else
{
_log.LogMessage($"Ignoring non-signable file: {fullPath}");
}
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
}
internal bool IsManaged() => ContentUtil.GetAssemblyName(FullPath) != null;
private SignInfo ExtractSignInfo(string fileFullPath)
{
if (FileName.IsPEFile(fileFullPath))
{
using (var stream = File.OpenRead(fileFullPath))
{
if (ContentUtil.IsAssemblyStrongNameSigned(stream))
{
return(SignInfo.AlreadySigned);
}
}
if (!IsManaged(fileFullPath))
{
return(new SignInfo(SignToolConstants.Certificate_MicrosoftSHA2, null));
}
else
{
var fileAsm = System.Reflection.AssemblyName.GetAssemblyName(fileFullPath);
var pktBytes = fileAsm.GetPublicKeyToken();
var publicKeyToken = (pktBytes == null || pktBytes.Length == 0) ? string.Empty : string.Join("", pktBytes.Select(b => b.ToString("x2")));
var targetFramework = GetTargetFrameworkName(fileFullPath).FullName;
var fileName = Path.GetFileName(fileFullPath);
var keyForAllTargets = new ExplicitCertificateKey(fileName, publicKeyToken, SignToolConstants.AllTargetFrameworksSentinel);
var keyForSpecificTarget = new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework);
// Do we need to override the default certificate this file ?
if (_explicitCertificates.TryGetValue(keyForSpecificTarget, out var overridingCertificate) ||
_explicitCertificates.TryGetValue(keyForAllTargets, out overridingCertificate))
{
// If has overriding info, is it for ignoring the file?
if (overridingCertificate != null && overridingCertificate.Equals(SignToolConstants.IgnoreFileCertificateSentinel))
{
return(SignInfo.Ignore); // should ignore this file
}
// Otherwise, just use the overriding info if present
}
if (publicKeyToken == string.Empty)
{
if (string.IsNullOrEmpty(overridingCertificate))
{
_log.LogError($"SignInfo for file ({fileFullPath}) and empty PKT not found. Expected it to be informed in overriding infos.");
return(SignInfo.Empty);
}
return(new SignInfo(overridingCertificate, string.Empty));
}
if (_defaultSignInfoForPublicKeyToken.ContainsKey(publicKeyToken))
{
var signInfo = _defaultSignInfoForPublicKeyToken[publicKeyToken];
var certificate = overridingCertificate ?? signInfo.Certificate;
return(new SignInfo(certificate, signInfo.StrongName, signInfo.ShouldIgnore, signInfo.IsEmpty, signInfo.IsAlreadySigned));
}
_log.LogError($"SignInfo for file ({fileFullPath}) with Public Key Token {publicKeyToken} not found.");
return(SignInfo.Empty);
}
}
else if (FileName.IsZipContainer(fileFullPath))
{
return(new SignInfo(FileName.IsNupkg(fileFullPath) ? SignToolConstants.Certificate_NuGet : SignToolConstants.Certificate_VsixSHA2, null));
}
else
{
_log.LogWarning($"Unidentified artifact type: {fileFullPath}");
return(SignInfo.Ignore);
}
}
/// <summary>
/// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
/// errors found when examining the zip archive.
/// </summary>
private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
{
Debug.Assert(zipFileSignInfo.IsZipContainer());
try
{
using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
{
var nestedParts = new List <ZipPart>();
foreach (ZipArchiveEntry entry in archive.Entries)
{
string relativePath = entry.FullName;
string extension = Path.GetExtension(relativePath);
if (!FileSignInfo.IsZipContainer(relativePath) && (!_fileExtensionSignInfo.TryGetValue(extension, out var extensionSignInfo) || !extensionSignInfo.ShouldSign))
{
var reason = extensionSignInfo.ShouldIgnore ? "configuration tells to ignore this extension" : "its extension isn't on recognizable signing extension list";
_log.LogMessage($"Ignoring this file because {reason} : {relativePath}");
continue;
}
ImmutableArray <byte> contentHash;
using (var stream = entry.Open())
{
contentHash = ContentUtil.GetContentHash(stream);
}
// if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
string fileName = Path.GetFileName(relativePath);
if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
{
string tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath));
Directory.CreateDirectory(tempDir);
using (var stream = entry.Open())
using (var tempFileStream = File.OpenWrite(tempPath))
{
stream.CopyTo(tempFileStream);
}
fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
}
if (fileSignInfo.SignInfo.ShouldSign)
{
nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
}
}
zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());
return(true);
}
}
catch (Exception e)
{
_log.LogErrorFromException(e);
zipData = null;
return(false);
}
}
/// <summary>
/// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
/// errors found when examining the zip archive.
/// </summary>
private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData, string alternativeArchivePath = null)
{
string archivePath = zipFileSignInfo.FullPath;
if (alternativeArchivePath != null)
{
archivePath = alternativeArchivePath;
Debug.Assert(Path.GetExtension(archivePath) == ".zip");
}
else
{
Debug.Assert(zipFileSignInfo.IsZipContainer());
}
try
{
using (var archive = new ZipArchive(File.OpenRead(archivePath), ZipArchiveMode.Read))
{
var nestedParts = new Dictionary <string, ZipPart>();
foreach (ZipArchiveEntry entry in archive.Entries)
{
string relativePath = entry.FullName;
// `entry` might be just a pointer to a folder. We skip those.
if (relativePath.EndsWith("/") && entry.Name == "")
{
continue;
}
using (var entryStream = entry.Open())
using (MemoryStream entryMemoryStream = new MemoryStream((int)entry.Length))
{
entryStream.CopyTo(entryMemoryStream);
entryMemoryStream.Position = 0;
ImmutableArray <byte> contentHash = ContentUtil.GetContentHash(entryMemoryStream);
var fileUniqueKey = new SignedFileContentKey(contentHash, Path.GetFileName(relativePath));
if (!_whichPackagesTheFileIsIn.TryGetValue(fileUniqueKey, out var packages))
{
packages = new HashSet <string>();
}
packages.Add(Path.GetFileName(archivePath));
_whichPackagesTheFileIsIn[fileUniqueKey] = packages;
// if we already encountered file that has the same content we can reuse its signed version when repackaging the container.
var fileName = Path.GetFileName(relativePath);
if (!_filesByContentKey.TryGetValue(fileUniqueKey, out var fileSignInfo))
{
string extractPathRoot = _useHashInExtractionPath ? fileUniqueKey.StringHash : _filesByContentKey.Count().ToString();
string tempPath = Path.Combine(_pathToContainerUnpackingDirectory, extractPathRoot, relativePath);
_log.LogMessage($"Extracting file '{fileName}' from '{archivePath}' to '{tempPath}'.");
Directory.CreateDirectory(Path.GetDirectoryName(tempPath));
entryMemoryStream.Position = 0;
using (var tempFileStream = File.OpenWrite(tempPath))
{
entryMemoryStream.CopyTo(tempFileStream);
}
_hashToCollisionIdMap.TryGetValue(fileUniqueKey, out string collisionPriorityId);
PathWithHash nestedFile = new PathWithHash(tempPath, contentHash);
fileSignInfo = TrackFile(nestedFile, zipFileSignInfo.File, collisionPriorityId);
}
if (fileSignInfo.ShouldTrack)
{
nestedParts.Add(relativePath, new ZipPart(relativePath, fileSignInfo));
}
}
}
zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableDictionary());
return(true);
}
}
catch (Exception e)
{
_log.LogErrorFromException(e);
zipData = null;
return(false);
}
}
/// <summary>
/// Determine the file signing info of this file.
/// </summary>
/// <param name="fullPath">Full path to the file</param>
/// <param name="collisionPriorityId">ID used to disambiguate file signing info for nested files.</param>
/// <param name="contentHash">Content hash of the file</param>
/// <param name="wixContentFilePath">If a wix container, the corresponding wix pack zip</param>
/// <param name="parentContainerPath">Path to the parent container. If this is a non-nested container, this should be null</param>
/// <param name="parentContainerHash">Hash of the parent container. If this is a non-nested container, this should be null</param>
/// <returns>File signing information for this file.</returns>
private FileSignInfo ExtractSignInfo(
PathWithHash file,
PathWithHash parentContainer,
string collisionPriorityId,
string wixContentFilePath)
{
var extension = Path.GetExtension(file.FileName);
string explicitCertificateName = null;
var fileSpec = string.Empty;
var isAlreadySigned = false;
var matchedNameTokenFramework = false;
var matchedNameToken = false;
var matchedName = false;
PEInfo peInfo = null;
SignedFileContentKey signedFileContentKey = new SignedFileContentKey(file.ContentHash, file.FileName);
// handle multi-part extensions like ".symbols.nupkg" specified in FileExtensionSignInfo
if (_fileExtensionSignInfo != null)
{
extension = _fileExtensionSignInfo.OrderByDescending(o => o.Key.Length).FirstOrDefault(f => file.FileName.EndsWith(f.Key, StringComparison.OrdinalIgnoreCase)).Key ?? extension;
}
// Asset is nested asset part of a container. Try to get it from the visited assets first
if (string.IsNullOrEmpty(collisionPriorityId) && parentContainer != null)
{
if (!_hashToCollisionIdMap.TryGetValue(signedFileContentKey, out collisionPriorityId))
{
Debug.Assert(parentContainer.FullPath != file.FullPath);
// Hash doesn't exist so we use the CollisionPriorityId from the parent container
SignedFileContentKey parentSignedFileContentKey =
new SignedFileContentKey(parentContainer.ContentHash, parentContainer.FileName);
collisionPriorityId = _hashToCollisionIdMap[parentSignedFileContentKey];
}
}
// Update the hash map
if (!_hashToCollisionIdMap.ContainsKey(signedFileContentKey))
{
_hashToCollisionIdMap.Add(signedFileContentKey, collisionPriorityId);
}
else
{
string existingCollisionId = _hashToCollisionIdMap[signedFileContentKey];
// If we find that there is an asset which already was processed which has a lower
// collision id, we use that and update the map so we give it precedence
if (string.Compare(collisionPriorityId, existingCollisionId) < 0)
{
_hashToCollisionIdMap[signedFileContentKey] = collisionPriorityId;
}
}
// Try to determine default certificate name by the extension of the file. Since there might be dupes
// we get the one which maps a collision id or the first of the returned ones in case there is no
// collision id
bool hasSignInfos = _fileExtensionSignInfo.TryGetValue(extension, out var signInfos);
SignInfo signInfo = SignInfo.Ignore;
bool hasSignInfo = false;
if (hasSignInfos)
{
if (!string.IsNullOrEmpty(collisionPriorityId))
{
hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any();
signInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
}
else
{
hasSignInfo = true;
signInfo = signInfos.FirstOrDefault();
}
}
if (FileSignInfo.IsPEFile(file.FullPath))
{
using (var stream = File.OpenRead(file.FullPath))
{
isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
}
peInfo = GetPEInfo(file.FullPath);
if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos))
{
// Get the default sign info based on the PKT, if applicable. Since there might be dupes
// we get the one which maps a collision id or the first of the returned ones in case there is no
// collision id
SignInfo pktBasedSignInfo = SignInfo.Ignore;
if (!string.IsNullOrEmpty(collisionPriorityId))
{
pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
}
else
{
pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault();
}
if (peInfo.IsCrossgened)
{
signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]);
}
else
{
signInfo = pktBasedSignInfo;
}
hasSignInfo = true;
}
// Check if we have more specific sign info:
matchedNameTokenFramework = _fileSignInfo.TryGetValue(
new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[signedFileContentKey]),
out explicitCertificateName);
matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(
new ExplicitCertificateKey(file.FileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]),
out explicitCertificateName);
fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
}
else if (FileSignInfo.IsNupkg(file.FullPath) || FileSignInfo.IsVsix(file.FullPath))
{
isAlreadySigned = VerifySignatures.IsSignedContainer(file.FullPath);
if (!isAlreadySigned)
{
_log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} does not have a signature marker.");
}
else
{
_log.LogMessage(MessageImportance.Low, $"Container {file.FullPath} has a signature marker.");
}
}
else if (FileSignInfo.IsWix(file.FullPath))
{
isAlreadySigned = VerifySignatures.IsDigitallySigned(file.FullPath);
if (!isAlreadySigned)
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not digitally signed.");
}
else
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed.");
}
}
else if (FileSignInfo.IsPowerShellScript(file.FullPath))
{
isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath);
if (!isAlreadySigned)
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} does not have a signature block.");
}
else
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} has a signature block.");
}
}
// We didn't find any specific information for PE files using PKT + TargetFramework
if (explicitCertificateName == null)
{
matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(file.FileName,
collisionPriorityId: _hashToCollisionIdMap[signedFileContentKey]), out explicitCertificateName);
}
// If has overriding info, is it for ignoring the file?
if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
{
_log.LogMessage(MessageImportance.Low, $"File configured to not be signed: {file.FullPath}{fileSpec}");
return(new FileSignInfo(file, SignInfo.Ignore));
}
// Do we have an explicit certificate after all?
if (explicitCertificateName != null)
{
signInfo = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[signedFileContentKey]);
hasSignInfo = true;
}
if (hasSignInfo)
{
bool dualCerts = _dualCertificates
.Where(d => d.ItemSpec == signInfo.Certificate &&
(d.GetMetadata(SignToolConstants.CollisionPriorityId) == "" ||
d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[signedFileContentKey])).Any();
if (isAlreadySigned && !dualCerts)
{
return(new FileSignInfo(file, signInfo.WithIsAlreadySigned(isAlreadySigned), wixContentFilePath: wixContentFilePath));
}
// TODO: implement this check for native PE files as well:
// extract copyright from native resource (.rsrc section)
if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
{
bool isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright);
bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
if (isMicrosoftLibrary != isMicrosoftCertificate)
{
if (isMicrosoftLibrary)
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{file.FullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
}
else
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{file.FullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
}
}
}
return(new FileSignInfo(file, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, wixContentFilePath: wixContentFilePath));
}
if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
{
// Extract the relative path inside the package / otherwise just return the full path of the file
LogError(SigningToolErrorCode.SIGN002, signedFileContentKey);
}
else
{
_log.LogMessage(MessageImportance.Low, $"Ignoring non-signable file: {file.FullPath}");
}
return(new FileSignInfo(file, SignInfo.Ignore, wixContentFilePath: wixContentFilePath));
}
private FileSignInfo ExtractSignInfo(string fullPath, ImmutableArray <byte> hash)
{
// Try to determine default certificate name by the extension of the file
var hasSignInfo = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfo);
var fileName = Path.GetFileName(fullPath);
var extension = Path.GetExtension(fullPath);
string explicitCertificateName = null;
string copyright = string.Empty;
var targetFramework = string.Empty;
var fileSpec = string.Empty;
var isAlreadySigned = false;
var matchedNameTokenFramework = false;
var matchedNameToken = false;
var matchedName = false;
var isManagedPE = false;
if (FileSignInfo.IsPEFile(fullPath))
{
using (var stream = File.OpenRead(fullPath))
{
isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
}
GetPEInfo(fullPath, out isManagedPE, out var publicKeyToken, out targetFramework, out copyright);
// Get the default sign info based on the PKT, if applicable:
if (isManagedPE && _strongNameInfo.TryGetValue(publicKeyToken, out var pktBasedSignInfo))
{
signInfo = pktBasedSignInfo;
hasSignInfo = true;
}
// Check if we have more specific sign info:
matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken, targetFramework), out explicitCertificateName);
matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, publicKeyToken), out explicitCertificateName);
fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {publicKeyToken}, Framework = {targetFramework})" :
matchedNameToken ? $" (PublicKeyToken = {publicKeyToken})" : string.Empty;
}
// We didn't find any specific information for PE files using PKT + TargetFramework
if (explicitCertificateName == null)
{
matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName), out explicitCertificateName);
}
// If has overriding info, is it for ignoring the file?
if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
{
_log.LogMessage($"File configurated to not be signed: {fileName}{fileSpec}");
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
}
// Do we have an explicit certificate after all?
if (explicitCertificateName != null)
{
signInfo = signInfo.WithCertificateName(explicitCertificateName);
hasSignInfo = true;
}
if (hasSignInfo)
{
if (isAlreadySigned && !_dualCertificates.Contains(signInfo.Certificate))
{
return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned));
}
// TODO: implement this check for native PE files as well:
// extract copyright from native resource (.rsrc section)
if (signInfo.ShouldSign && isManagedPE)
{
bool isMicrosoftLibrary = IsMicrosoftLibrary(copyright);
bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
if (isMicrosoftLibrary != isMicrosoftCertificate)
{
if (isMicrosoftLibrary)
{
LogWarning("SIGN001", $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{copyright}'.");
}
else
{
LogWarning("SIGN001", $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{copyright}'.");
}
}
}
return(new FileSignInfo(fullPath, hash, signInfo, (targetFramework != "") ? targetFramework : null));
}
if (SignToolConstants.SignableExtensions.Contains(extension))
{
_log.LogError($"Couldn't determine certificate name for signable file: {fullPath}");
}
else
{
_log.LogMessage($"Ignoring non-signable file: {fullPath}");
}
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore));
}
/// <summary>
/// Build up the <see cref="ZipData"/> instance for a given zip container. This will also report any consistency
/// errors found when examining the zip archive.
/// </summary>
private bool TryBuildZipData(FileSignInfo zipFileSignInfo, out ZipData zipData)
{
Debug.Assert(zipFileSignInfo.IsZipContainer());
try
{
using (var archive = new ZipArchive(File.OpenRead(zipFileSignInfo.FullPath), ZipArchiveMode.Read))
{
var nestedParts = new List <ZipPart>();
foreach (ZipArchiveEntry entry in archive.Entries)
{
string relativePath = entry.FullName;
// `entry` might be just a pointer to a folder. We skip those.
if (relativePath.EndsWith("/") && entry.Name == "")
{
continue;
}
ImmutableArray <byte> contentHash;
using (var stream = entry.Open())
{
contentHash = ContentUtil.GetContentHash(stream);
}
// if we already encountered file that hash the same content we can reuse its signed version when repackaging the container.
string fileName = Path.GetFileName(relativePath);
if (!_filesByContentKey.TryGetValue(new SignedFileContentKey(contentHash, fileName), out var fileSignInfo))
{
string tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
string tempPath = Path.Combine(tempDir, Path.GetFileName(relativePath));
Directory.CreateDirectory(tempDir);
using (var stream = entry.Open())
using (var tempFileStream = File.OpenWrite(tempPath))
{
stream.CopyTo(tempFileStream);
}
fileSignInfo = TrackFile(tempPath, contentHash, isNested: true);
}
if (fileSignInfo.SignInfo.ShouldSign)
{
nestedParts.Add(new ZipPart(relativePath, fileSignInfo));
}
}
zipData = new ZipData(zipFileSignInfo, nestedParts.ToImmutableArray());
return(true);
}
}
catch (Exception e)
{
_log.LogErrorFromException(e);
zipData = null;
return(false);
}
}
private FileSignInfo ExtractSignInfo(
string fullPath,
string collisionPriorityId,
ImmutableArray <byte> hash,
bool forceRepack = false,
string wixContentFilePath = null,
string containerPath = null)
{
var fileName = Path.GetFileName(fullPath);
var extension = Path.GetExtension(fullPath);
string explicitCertificateName = null;
var fileSpec = string.Empty;
var isAlreadySigned = false;
var matchedNameTokenFramework = false;
var matchedNameToken = false;
var matchedName = false;
PEInfo peInfo = null;
string stringHash = ContentUtil.HashToString(hash);
// Asset is nested asset part of a container. Try to get it from the visited assets first
if (string.IsNullOrEmpty(collisionPriorityId) &&
!string.IsNullOrEmpty(containerPath))
{
if (!_hashToCollisionIdMap.TryGetValue(stringHash, out collisionPriorityId))
{
// Hash doesn't exist so we use the CollisionPriorityId from the parent container
string parentStringHash = ContentUtil.HashToString(ContentUtil.GetContentHash(containerPath));
collisionPriorityId = _hashToCollisionIdMap[parentStringHash];
}
}
// Update the hash map
if (!_hashToCollisionIdMap.ContainsKey(stringHash))
{
_hashToCollisionIdMap.Add(stringHash, collisionPriorityId);
}
else
{
string existingCollisionId = _hashToCollisionIdMap[stringHash];
// If we find that there is an asset which already was processed which has a lower
// collision id, we use that and update the map so we give it precedence
if (string.Compare(collisionPriorityId, existingCollisionId) < 0)
{
_hashToCollisionIdMap[stringHash] = collisionPriorityId;
}
}
// Try to determine default certificate name by the extension of the file. Since there might be dupes
// we get the one which maps a collision id or the first of the returned ones in case there is no
// collision id
bool hasSignInfos = _fileExtensionSignInfo.TryGetValue(Path.GetExtension(fullPath), out var signInfos);
SignInfo signInfo = SignInfo.Ignore;
bool hasSignInfo = false;
if (hasSignInfos)
{
if (!string.IsNullOrEmpty(collisionPriorityId))
{
hasSignInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).Any();
signInfo = signInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
}
else
{
hasSignInfo = true;
signInfo = signInfos.FirstOrDefault();
}
}
if (FileSignInfo.IsPEFile(fullPath))
{
using (var stream = File.OpenRead(fullPath))
{
isAlreadySigned = ContentUtil.IsAuthenticodeSigned(stream);
}
peInfo = GetPEInfo(fullPath);
if (peInfo.IsManaged && _strongNameInfo.TryGetValue(peInfo.PublicKeyToken, out var pktBasedSignInfos))
{
// Get the default sign info based on the PKT, if applicable. Since there might be dupes
// we get the one which maps a collision id or the first of the returned ones in case there is no
// collision id
SignInfo pktBasedSignInfo = SignInfo.Ignore;
if (!string.IsNullOrEmpty(collisionPriorityId))
{
pktBasedSignInfo = pktBasedSignInfos.Where(s => s.CollisionPriorityId == collisionPriorityId).FirstOrDefault();
}
else
{
pktBasedSignInfo = pktBasedSignInfos.FirstOrDefault();
}
if (peInfo.IsCrossgened)
{
signInfo = new SignInfo(pktBasedSignInfo.Certificate, collisionPriorityId: _hashToCollisionIdMap[stringHash]);
}
else
{
signInfo = pktBasedSignInfo;
}
hasSignInfo = true;
}
// Check if we have more specific sign info:
matchedNameTokenFramework = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, peInfo.TargetFramework, _hashToCollisionIdMap[stringHash]), out explicitCertificateName);
matchedNameToken = !matchedNameTokenFramework && _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, peInfo.PublicKeyToken, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName);
fileSpec = matchedNameTokenFramework ? $" (PublicKeyToken = {peInfo.PublicKeyToken}, Framework = {peInfo.TargetFramework})" :
matchedNameToken ? $" (PublicKeyToken = {peInfo.PublicKeyToken})" : string.Empty;
}
// We didn't find any specific information for PE files using PKT + TargetFramework
if (explicitCertificateName == null)
{
matchedName = _fileSignInfo.TryGetValue(new ExplicitCertificateKey(fileName, collisionPriorityId: _hashToCollisionIdMap[stringHash]), out explicitCertificateName);
}
// If has overriding info, is it for ignoring the file?
if (SignToolConstants.IgnoreFileCertificateSentinel.Equals(explicitCertificateName, StringComparison.OrdinalIgnoreCase))
{
_log.LogMessage($"File configured to not be signed: {fileName}{fileSpec}");
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack));
}
// Do we have an explicit certificate after all?
if (explicitCertificateName != null)
{
signInfo = signInfo.WithCertificateName(explicitCertificateName, _hashToCollisionIdMap[stringHash]);
hasSignInfo = true;
}
if (hasSignInfo)
{
bool dualCerts = _dualCertificates
.Where(d => d.ItemSpec == signInfo.Certificate &&
d.GetMetadata(SignToolConstants.CollisionPriorityId) == _hashToCollisionIdMap[stringHash]).Any();
if (isAlreadySigned && !dualCerts)
{
return(new FileSignInfo(fullPath, hash, SignInfo.AlreadySigned, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
}
// TODO: implement this check for native PE files as well:
// extract copyright from native resource (.rsrc section)
if (signInfo.ShouldSign && peInfo != null && peInfo.IsManaged)
{
bool isMicrosoftLibrary = IsMicrosoftLibrary(peInfo.Copyright);
bool isMicrosoftCertificate = !IsThirdPartyCertificate(signInfo.Certificate);
if (isMicrosoftLibrary != isMicrosoftCertificate)
{
if (isMicrosoftLibrary)
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing Microsoft library '{fullPath}' with 3rd party certificate '{signInfo.Certificate}'. The library is considered Microsoft library due to its copyright: '{peInfo.Copyright}'.");
}
else
{
LogWarning(SigningToolErrorCode.SIGN001, $"Signing 3rd party library '{fullPath}' with Microsoft certificate '{signInfo.Certificate}'. The library is considered 3rd party library due to its copyright: '{peInfo.Copyright}'.");
}
}
}
return(new FileSignInfo(fullPath, hash, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
}
if (SignToolConstants.SignableExtensions.Contains(extension) || SignToolConstants.SignableOSXExtensions.Contains(extension))
{
// Extract the relative path inside the package / otherwise just return the full path of the file
var contentHash = ContentUtil.GetContentHash(fullPath);
var tempDir = Path.Combine(_pathToContainerUnpackingDirectory, ContentUtil.HashToString(contentHash));
var relativePath = fullPath.Replace($@"{tempDir}\", "");
LogError(SigningToolErrorCode.SIGN002, new SignedFileContentKey(contentHash, relativePath));
}
else
{
_log.LogMessage($"Ignoring non-signable file: {fullPath}");
}
return(new FileSignInfo(fullPath, hash, SignInfo.Ignore, forceRepack: forceRepack, wixContentFilePath: wixContentFilePath));
}