SignCheck failing to validate javascript files are signed #7238

Closed
michellemcdaniel opened this issue Apr 14, 2021 · 7 comments · Fixed by #7241

michellemcdaniel commented Apr 14, 2021

  • This issue is blocking
  • This issue is causing unreasonable pain

There are a few javascript files in runtime that we sign, that appear to get successfully signed (they have a signature), but that signcheck fails on: https://dev.azure.com/dnceng/internal/_build/results?buildId=1082658&view=logs&j=99de65b0-5466-527c-2773-3bea55ba597d&t=2939c30a-036c-51e0-0258-8924602c5671&l=128

SignCheck uses AuthentiCode -> WinVerifyTrust to verify that javascript files are signed. Something in this process is failing.

@michellemcdaniel

@chcosta none of us really know anything about SignCheck or why it might be failing for javascript files. Can you take a look?

chcosta commented Apr 14, 2021

Ack, looking

chcosta commented Apr 14, 2021

Haven't figured this out yet. For some reason, the behavior is different when running as a task versus running the signcheck app directly, and when running as a task, we're getting the TRUST_E_NOSIGNATURE error code even though I wouldn't expect any behavioral difference here. I'm still investigating.

chcosta commented Apr 14, 2021

Side note, this is https://github.com/dotnet/core-eng/issues/9933, which was never resolved. If you need to unblock something, then you'd need to add exclusions for these files. Either way, I'll spend a little more time investigating unless @joeloff has a solution.

joeloff commented Apr 14, 2021

We did fix this. The problem is that we need to ensure that we're running under a single threaded apartment, otherwise the code that WinVerifyTrust calls into ends up failing. There was a fix I made in SignCheck last year to add the STAThread attribute to it. If you're running from a task, that's probably executing on an msbuild node.

@rainersigwald do tasks in msbuild use single threaded apartments?

Here's the PR: #5840

@rainersigwald

> do tasks in msbuild use single threaded apartments?

Only if opted in by applying the [RunInSTA] attribute to the task's class definition.

chcosta commented Apr 14, 2021

Spot on, that fixes it. Thanks all, I'll prepare a PR
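
The fix discussed in this thread, shown as an added example that is not SignCheck's own code: an MSBuild task marked `[RunInSTA]` that confirms it is in a single-threaded apartment before calling WinVerifyTrust, so a threading problem is not reported as a missing signature. The task name `VerifyAuthenticode` and its `FilePath` parameter are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;

// Hypothetical task; only [RunInSTA], WinVerifyTrust and TRUST_E_NOSIGNATURE come from the thread.
[RunInSTA] // without this attribute MSBuild does not run Execute() in an STA
public class VerifyAuthenticode : Task
{
    [Required] public string FilePath { get; set; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO { public uint cbStruct; public string pcwszFilePath; public IntPtr hFile, pgKnownSubject; }

    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct; public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice; public IntPtr pFile;
        public uint dwStateAction; public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext; public IntPtr pSignatureSettings;
    }

    [DllImport("wintrust.dll")]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid actionId, ref WINTRUST_DATA data);

    public override bool Execute()
    {
        // Refuse to verify outside an STA instead of reporting a misleading "no signature".
        if (Thread.CurrentThread.GetApartmentState() != ApartmentState.STA)
        {
            Log.LogError("Signature check is not running in a single-threaded apartment.");
            return false;
        }
        var action = new Guid("00AAC56B-CD44-11D0-8CC2-00C04FC295EE"); // WINTRUST_ACTION_GENERIC_VERIFY_V2
        var info = new WINTRUST_FILE_INFO { cbStruct = (uint)Marshal.SizeOf<WINTRUST_FILE_INFO>(), pcwszFilePath = FilePath };
        IntPtr pInfo = Marshal.AllocHGlobal(Marshal.SizeOf<WINTRUST_FILE_INFO>());
        Marshal.StructureToPtr(info, pInfo, false);
        var data = new WINTRUST_DATA { cbStruct = (uint)Marshal.SizeOf<WINTRUST_DATA>(), dwUIChoice = 2 /* WTD_UI_NONE */,
            dwUnionChoice = 1 /* WTD_CHOICE_FILE */, pFile = pInfo, dwStateAction = 1 /* WTD_STATEACTION_VERIFY */ };
        int hr = WinVerifyTrust(IntPtr.Zero, ref action, ref data);
        data.dwStateAction = 2; // WTD_STATEACTION_CLOSE releases the verification state
        WinVerifyTrust(IntPtr.Zero, ref action, ref data);
        Marshal.DestroyStructure<WINTRUST_FILE_INFO>(pInfo);
        Marshal.FreeHGlobal(pInfo);
        if (hr != 0) Log.LogError($"{FilePath}: WinVerifyTrust returned 0x{hr:X8}"); // 0x800B0100 = TRUST_E_NOSIGNATURE
        return hr == 0;
    }
}
```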
