While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see vcsjones/AuthenticodeLint#34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See App-vNext/Polly#1760 for more context.
Running the tool locally against the signed artifacts in Visual Studio shows that an exception is being thrown from the GetNestedSignatures() method:
```text
System.ArgumentNullException
  HResult=0x80004003
  Message=Value cannot be null. Arg_ParamName_Name
  Source=System.Private.CoreLib
  StackTrace:
   at System.Runtime.InteropServices.Marshal.CopyToManaged[T](IntPtr source, T[] destination, Int32 startIndex, Int32 length)
   at AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(CRYPT_ATTRIBUTES attributes)
   at AuthenticodeExaminer.CmsSignature.InitFromHandles(CryptMsgSafeHandle messageHandle, LocalBufferSafeHandle signerHandle)
   at AuthenticodeExaminer.CmsSignature..ctor(AsnEncodedData data, SignatureKind kind)
   at AuthenticodeExaminer.CmsSignature.GetNestedSignatures()
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__0.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 10
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__1.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 38
   at AuthenticodeLint.Rules.NoWeakFileDigestAlgorithmsRule.Validate(IReadOnlyList`1 graph, SignatureLogger verboseWriter, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Rules\10002-NoWeakFileDigestAlgorithmsRule.cs:line 20
   at AuthenticodeLint.CheckEngine.RunAllRules(String file, IReadOnlyList`1 signatures, List`1 collectors, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\CheckEngine.cs:line 59
   at AuthenticodeLint.Program.Main(String[] args) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Program.cs:line 175
```
Rebuilding AuthenticodeLint locally with a project reference to the latest commit of AuthenticodeExaminer, instead of referencing version 0.3.0 from NuGet, resolves the issue. I'm guessing that it's some sort of bug in a dependency that the library is compiled against that occurs without either it or the consuming application being explicitly updated/recompiled to bump the reference to wherever the bug resides.
The application had no issues on the 28th of September when we released Polly 8.0.0, so I guess that there's also been a change somewhere to the .NET Foundation Authenticode signing infrastructure that's caused the signature generated to vary in some way compared to then, which triggers this issue.
Trying to view assemblies within our NuGet packages shows a similar issue in NuGet Package Explorer.
Ideally, a new release of this library can be made that updates the appropriate dependency and is published to NuGet, and then AuthenticodeLint is updated to consume it in the .NET 6 version, and then that version is published to NuGet.org.
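To illustrate the failure mode the stack trace points at, here is a hypothetical C# reconstruction added for this write-up; it is not AuthenticodeExaminer's own code. The `NativeAttributes` struct, `AttributeReader` class and the simplification of each attribute entry to one byte are assumptions; the behaviour it relies on is that `Marshal.Copy` rejects a null source pointer before it considers the length, so a zero-length attribute set whose pointer is null throws `ArgumentNullException` unless the caller checks for it first.

```csharp
using System;
using System.Runtime.InteropServices;

// Hypothetical stand-in for a CRYPT_ATTRIBUTES-style native layout: a count
// plus a pointer to the entries. Assumption for illustration only.
[StructLayout(LayoutKind.Sequential)]
struct NativeAttributes
{
    public uint cAttr;    // number of entries
    public IntPtr rgAttr; // pointer to entries; may be IntPtr.Zero when cAttr == 0
}

static class AttributeReader
{
    // Reproduces the failure: Marshal.Copy throws ArgumentNullException for a
    // null source pointer even when the requested length is zero.
    public static byte[] ReadUnguarded(NativeAttributes attrs)
    {
        var buffer = new byte[attrs.cAttr];
        Marshal.Copy(attrs.rgAttr, buffer, 0, buffer.Length);
        return buffer;
    }

    // Hardened version: an empty attribute set is a valid, empty result, and the
    // pointer is only dereferenced when there is something to copy.
    public static byte[] ReadGuarded(NativeAttributes attrs)
    {
        if (attrs.cAttr == 0 || attrs.rgAttr == IntPtr.Zero)
            return Array.Empty<byte>();
        var buffer = new byte[attrs.cAttr];
        Marshal.Copy(attrs.rgAttr, buffer, 0, buffer.Length);
        return buffer;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed input: a signature whose nested attribute set is empty.
        var empty = new NativeAttributes { cAttr = 0, rgAttr = IntPtr.Zero };

        try { AttributeReader.ReadUnguarded(empty); }
        catch (ArgumentNullException e) { Console.WriteLine("unguarded: threw for " + e.ParamName); }

        Console.WriteLine("guarded: " + AttributeReader.ReadGuarded(empty).Length + " attributes");
    }
}
```

The practical consequence for a signing pipeline is the one the issue describes: the verifier aborts with an exception instead of reporting a verdict, so the release gate fails without saying why.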
Having looked at the diff since v0.3.0, it seems like referencing it in code just means I pick up all the bug fixes that have been made since then, and that's the reason doing that fixes things.