ArgumentNullException thrown from GetNestedSignatures() #19

Open
martincostello opened this issue Oct 31, 2023 · 3 comments

@martincostello

While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see vcsjones/AuthenticodeLint#34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See App-vNext/Polly#1760 for more context.

Running the tool locally against the signed artifacts in Visual Studio shows that an exception is being thrown from the GetNestedSignatures() method:

System.ArgumentNullException
  HResult=0x80004003
  Message=Value cannot be null. Arg_ParamName_Name
  Source=System.Private.CoreLib
  StackTrace:
   at System.Runtime.InteropServices.Marshal.CopyToManaged[T](IntPtr source, T[] destination, Int32 startIndex, Int32 length)
   at AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(CRYPT_ATTRIBUTES attributes)
   at AuthenticodeExaminer.CmsSignature.InitFromHandles(CryptMsgSafeHandle messageHandle, LocalBufferSafeHandle signerHandle)
   at AuthenticodeExaminer.CmsSignature..ctor(AsnEncodedData data, SignatureKind kind)
   at AuthenticodeExaminer.CmsSignature.GetNestedSignatures()
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__0.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 10
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__1.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 38
   at AuthenticodeLint.Rules.NoWeakFileDigestAlgorithmsRule.Validate(IReadOnlyList`1 graph, SignatureLogger verboseWriter, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Rules\10002-NoWeakFileDigestAlgorithmsRule.cs:line 20
   at AuthenticodeLint.CheckEngine.RunAllRules(String file, IReadOnlyList`1 signatures, List`1 collectors, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\CheckEngine.cs:line 59
   at AuthenticodeLint.Program.Main(String[] args) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Program.cs:line 175

Rebuilding AuthenticodeLint locally with a project reference to the latest commit of AuthenticodeExaminer, instead of referencing version 0.3.0 from NuGet, resolves the issue. I'm guessing that it's some sort of bug in a dependency that the library is compiled against that occurs without either it or the consuming application being explicitly updated/recompiled to bump the reference to wherever the bug resides.

The application had no issues on the 28th of September when we released Polly 8.0.0, so I guess that there's also been a change somewhere to the .NET Foundation Authenticode signing infrastructure that's caused the signature generated to vary in some way compared to then that triggers this issue.

Trying to view assemblies within our NuGet packages shows a similar issue in NuGet Package Explorer.

Ideally, a new release of this library can be made that updates the appropriate dependency and is published to NuGet, and then AuthenticodeLint is updated to consume it in the .NET 6 version, and then that version is published to NuGet.org.

@martincostello
Author

Having looked at the diff since v0.3.0, it seems like referencing it in code just means I pick up all the bug fixes that have been made since then, and that's the reason doing that fixes things.

@benmcgarry

benmcgarry commented May 26, 2024

I would advise everyone not to click that link and auth to GitHub.
