ArgumentNullException thrown viewing Authenticode signed assembly in NuGet package #1633

Open
martincostello opened this issue Oct 31, 2023 · 2 comments

Comments

@martincostello
Contributor

Type (choose one):

  • Bug

NPE version: 6.0.64+c118e46e01

OS version: Windows 11, Version 22H2 (OS Build 22621.2428)

Installed from: Microsoft Store

In case of a BUG:

While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see vcsjones/AuthenticodeLint#34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See App-vNext/Polly#1760 for more context.

As part of investigating the issue, when attempting to view the binaries inside the NuGet packages that were signed, NuGet Package Explorer fails to load the details for the DLLs and instead shows this modal:

image

This error seems to correlate with the same exception I uncovered in AuthenticodeLint/AuthenticodeExaminer: vcsjones/AuthenticodeExaminer#19

Unpacking the NuGet package files shows the Authenticode signatures as valid in Windows Explorer, and rebuilding AuthenticodeLint as described in the issue above also then successfully validates the files (successful validation workflow).

I'm not aware of any workarounds to this issue - I expect that a dependency of some kind needs updating and the application recompiled and published for a new version to resolve the underlying code that has an issue with the signatures.

@martincostello
Contributor Author

I didn't realise that you depended on AuthenticodeExaminer, so I guess this is just the exact same issue as vcsjones/AuthenticodeExaminer#19:

<PackageReference Include="AuthenticodeExaminer" Version="0.3.0" />

I'm going to see if I can force a package update locally that updates the transient dependency and fixes the issue here.

@martincostello
Contributor Author

Looking at the diff, it's not a dependency update that fixes it, but what looks like a bunch of code changes that have happened since v0.3.0 was released.
