Add certificate content type checking to Signature.cs (#42025)

As per recommendation from dotnet/docs#41662 (comment)
dotnet · Jul 10, 2024 · 25d4ca2 · 25d4ca2
1 parent 7fbff0f
commit 25d4ca2
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/Cli/dotnet/Installer/Windows/Security/Signature.cs b/src/Cli/dotnet/Installer/Windows/Security/Signature.cs
@@ -29,8 +29,14 @@ internal static class Signature
         /// <remarks>This method does not perform any other chain validation like revocation checks, timestamping, etc.</remarks>
         internal static unsafe int HasMicrosoftTrustedRoot(string path)
         {
+            var certContentType = X509Certificate2.GetCertContentType(path);
+            if (certContentType != X509ContentType.Authenticode)
+            {
+                throw new CryptographicException($"Unexpected certificate content type, got '{certContentType}' instead of Authenticode.");
+            }
+
             // Create an X509Certificate2 instance so we can access the certificate context and create a chain context.
-#pragma warning disable SYSLIB0057 // can't use X509CertificateLoader here since it tries to parse the file as a certificate
+#pragma warning disable SYSLIB0057 // we need Authenticode support which isn't available from X509CertificateLoader
             using X509Certificate2 certificate = new(path);
 #pragma warning restore SYSLIB0057