Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign .deb files #15216

Merged
merged 9 commits into from
Nov 8, 2024
Merged

Sign .deb files #15216

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
f142457
Sign .deb files
ellahathaway Nov 4, 2024
949dafc
Set CollisionPriorityId
ellahathaway Nov 4, 2024
05ecf2c
Log failing signing validation task
ellahathaway Nov 5, 2024
bb46880
Don't return true when running on Windows
ellahathaway Nov 7, 2024
9752401
Remove CollisionPriorityId
ellahathaway Nov 7, 2024
bd82974
PR Feedback
ellahathaway Nov 8, 2024
24c7de5
Nit
ellahathaway Nov 8, 2024
0cccccd
Increase timeout to 10 seconds
ellahathaway Nov 8, 2024
2035960
Merge branch 'main' into sign-debs
ellahathaway Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Directory.Packages.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@
<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(MicrosoftExtensionsDependencyInjectionAbstractionsVersion)" />
<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="$(MicrosoftExtensionsDependencyInjectionVersion)" />
<PackageVersion Include="Microsoft.Extensions.DependencyModel" Version="$(MicrosoftExtensionsDependencyModelVersion)" />
<PackageVersion Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
<PackageVersion Include="Microsoft.Extensions.FileProviders.Abstractions" Version="$(MicrosoftExtensionsFileProvidersAbstractionsVersion)" />
<PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="$(MicrosoftExtensionsFileSystemGlobbingVersion)" />
<PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="$(MicrosoftExtensionsLoggingConsoleVersion)" />
Expand Down
1 change: 1 addition & 0 deletions eng/BuildTask.Packages.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
<PackageVersion Update="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.0" />
<PackageVersion Update="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
<PackageVersion Update="Microsoft.Extensions.DependencyModel" Version="8.0.0" />
<PackageVersion Update="Microsoft.Extensions.Http" Version="8.0.0" />
<PackageVersion Update="Microsoft.Extensions.Logging.Console" Version="8.0.0" />
</ItemGroup>

Expand Down
4 changes: 4 additions & 0 deletions eng/Version.Details.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,10 @@
<Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
<Sha>990ebf52fc408ca45929fd176d2740675a67fab8</Sha>
</Dependency>
<Dependency Name="Microsoft.Extensions.Http" Version="9.0.0-rc.2.24473.5">
<Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
<Sha>990ebf52fc408ca45929fd176d2740675a67fab8</Sha>
</Dependency>
<Dependency Name="Microsoft.Extensions.FileProviders.Abstractions" Version="9.0.0-rc.2.24473.5">
<Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
<Sha>990ebf52fc408ca45929fd176d2740675a67fab8</Sha>
Expand Down
1 change: 1 addition & 0 deletions eng/Versions.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@
<MicrosoftBclAsyncInterfacesVersion>9.0.0-rc.2.24473.5</MicrosoftBclAsyncInterfacesVersion>
<MicrosoftExtensionsDependencyInjectionAbstractionsVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsDependencyInjectionAbstractionsVersion>
<MicrosoftExtensionsDependencyInjectionVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsDependencyInjectionVersion>
<MicrosoftExtensionsHttpVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsHttpVersion>
<MicrosoftExtensionsDependencyModelVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsDependencyModelVersion>
<MicrosoftExtensionsFileProvidersAbstractionsVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsFileProvidersAbstractionsVersion>
<MicrosoftExtensionsFileSystemGlobbingVersion>9.0.0-rc.2.24473.5</MicrosoftExtensionsFileSystemGlobbingVersion>
Expand Down
1 change: 1 addition & 0 deletions src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
a public key token.
The certificate can be overriden using the StrongNameSignInfo or the FileSignInfo item group.
-->
<FileExtensionSignInfo Include=".deb" CertificateName="LinuxSign" />
ellahathaway marked this conversation as resolved.
Show resolved Hide resolved
<FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJARSHA2" />
<FileExtensionSignInfo Include=".js;.ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
<FileExtensionSignInfo Include=".dll;.exe;.mibc" CertificateName="Microsoft400" />
Expand Down
5 changes: 5 additions & 0 deletions src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,11 @@ private static void SignPEFile(string path)
}
}

public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
{
return true;
}

public override bool VerifySignedPowerShellFile(string filePath)
{
return true;
Expand Down
Binary file added src/Microsoft.DotNet.SignTool.Tests/Resources/test.deb
View file
Open in desktop
Binary file not shown.
40 changes: 39 additions & 1 deletion src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ public class SignToolTests : IDisposable
{".psm1", new List<SignInfo>{ new SignInfo("PSMCertificate") } },
{".psc1", new List<SignInfo>{ new SignInfo("PSCCertificate") } },
{".dylib", new List<SignInfo>{ new SignInfo("DylibCertificate") } },
{".deb", new List<SignInfo>{ new SignInfo("LinuxSign") } },
{".dll", new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
{".exe", new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
{".msi", new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
Expand All @@ -51,6 +52,7 @@ public class SignToolTests : IDisposable
{ ".psm1", new List<SignInfo>{ new SignInfo("PSMCertificate", collisionPriorityId: "123") } },
{ ".psc1", new List<SignInfo>{ new SignInfo("PSCCertificate", collisionPriorityId: "123") } },
{ ".dylib", new List<SignInfo>{ new SignInfo("DylibCertificate", collisionPriorityId: "123") } },
{ ".deb", new List<SignInfo>{ new SignInfo("LinuxSign", collisionPriorityId: "123") } },
{ ".dll", new List<SignInfo>
{
new SignInfo("Microsoft400", collisionPriorityId: "123"), // lgtm [cs/common-default-passwords] Safe, these are certificate names
Expand Down Expand Up @@ -97,6 +99,10 @@ public class SignToolTests : IDisposable
{ "CertificateName", "DylibCertificate" },
{ SignToolConstants.CollisionPriorityId, "123" }
}),
new TaskItem(".deb", new Dictionary<string, string> {
{ "CertificateName", "LinuxSign" },
{ SignToolConstants.CollisionPriorityId, "123" }
}),
new TaskItem(".dll", new Dictionary<string, string> {
{ "CertificateName", "Microsoft400" }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
{ SignToolConstants.CollisionPriorityId, "123" }
Expand Down Expand Up @@ -231,7 +237,9 @@ public class SignToolTests : IDisposable
".esd",

".py",
".pyd"
".pyd",

".deb",
};

public static IEnumerable<object[]> GetSignableExtensions()
Expand Down Expand Up @@ -1206,6 +1214,36 @@ public void SignedSymbolsNupkg()
});
}

[Fact]
public void CheckDebSigning()
{
// List of files to be considered for signing
var itemsToSign = new ITaskItem[]
{
new TaskItem(GetResourcePath("test.deb"))
};

// Default signing information
var strongNameSignInfo = new Dictionary<string, List<SignInfo>>();

// Overriding information
var fileSignInfo = new Dictionary<ExplicitCertificateKey, string>();

ValidateFileSignInfos(itemsToSign, strongNameSignInfo, fileSignInfo, s_fileExtensionSignInfo, new[]
{
"File 'test.deb' Certificate='LinuxSign'"
});

ValidateGeneratedProject(itemsToSign, strongNameSignInfo, fileSignInfo, s_fileExtensionSignInfo, new[]
{
$@"
<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.deb"))}"">
<Authenticode>LinuxSign</Authenticode>
</FilesToSign>
"
});
}

[Fact]
public void CheckPowershellSigning()
{
Expand Down
2 changes: 2 additions & 0 deletions src/Microsoft.DotNet.SignTool/Microsoft.DotNet.SignTool.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@
<PackageReference Include="Microsoft.ApplicationInsights" />
<PackageReference Include="Microsoft.Build.Framework" />
<PackageReference Include="Microsoft.Build.Utilities.Core" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" />
<PackageReference Include="Microsoft.Extensions.Http" />
<PackageReference Include="NuGet.Packaging" />
</ItemGroup>

Expand Down
31 changes: 28 additions & 3 deletions src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using TaskLoggingHelper = Microsoft.Build.Utilities.TaskLoggingHelper;

Expand Down Expand Up @@ -84,7 +85,7 @@ internal void Go(bool doStrongNameCheck)
// This is a recursive process since we process nested containers.
foreach (var file in _batchData.FilesToSign)
{
VerifyAfterSign(file);
VerifyAfterSign(_log, file);
}

if (_log.HasLoggedErrors)
Expand Down Expand Up @@ -495,6 +496,17 @@ private void VerifyCertificates(TaskLoggingHelper log)
log.LogError($"VSIX {fileName} cannot be strong name signed.");
}
}
else if (fileName.IsDeb())
{
if (isInvalidEmptyCertificate)
{
log.LogError($"Deb package {fileName} should have a certificate name.");
}
if (!IsLinuxSignCertificate(fileName.SignInfo.Certificate))
{
log.LogError($"Deb package {fileName} must be signed with a LinuxSign certificate.");
}
}
else if (fileName.IsNupkg())
{
if(isInvalidEmptyCertificate)
Expand Down Expand Up @@ -534,7 +546,7 @@ private void VerifyCertificates(TaskLoggingHelper log)
}
}

private void VerifyAfterSign(FileSignInfo file)
private void VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file)
{
if (file.IsPEFile())
{
Expand All @@ -550,6 +562,17 @@ private void VerifyAfterSign(FileSignInfo file)
}
}
}
else if (file.IsDeb())
{
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
_log.LogMessage(MessageImportance.Low, $"Skipping signature verification of {file.FullPath} on Windows.");
}
else if (!_signTool.VerifySignedDeb(log, file.FullPath))
{
_log.LogError($"Deb package {file.FullPath} is not signed properly.");
}
}
else if (file.IsPowerShellScript())
{
if (!_signTool.VerifySignedPowerShellFile(file.FullPath))
Expand Down Expand Up @@ -582,7 +605,7 @@ private void VerifyAfterSign(FileSignInfo file)
continue;
}

VerifyAfterSign(zipPart.Value.FileSignInfo);
VerifyAfterSign(_log, zipPart.Value.FileSignInfo);
}

if (!SkipZipContainerSignatureMarkerCheck)
Expand Down Expand Up @@ -621,5 +644,7 @@ private void VerifyStrongNameSigning()
}

private static bool IsVsixCertificate(string certificate) => certificate.StartsWith("Vsix", StringComparison.OrdinalIgnoreCase);

private static bool IsLinuxSignCertificate(string certificate) => certificate.StartsWith("LinuxSign", StringComparison.OrdinalIgnoreCase);
}
}
12 changes: 12 additions & 0 deletions src/Microsoft.DotNet.SignTool/src/Configuration.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -418,6 +418,18 @@ private FileSignInfo ExtractSignInfo(
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed.");
}
}
else if(FileSignInfo.IsDeb(file.FullPath))
{
isAlreadySigned = VerifySignatures.VerifySignedDeb(_log, file.FullPath);
if (!isAlreadySigned)
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not signed.");
}
else
{
_log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is signed.");
}
}
else if(FileSignInfo.IsPowerShellScript(file.FullPath))
{
isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath);
Expand Down
5 changes: 5 additions & 0 deletions src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ internal readonly struct FileSignInfo
// optional file information that allows to disambiguate among multiple files with the same name:
internal readonly string TargetFramework;

internal static bool IsDeb(string path)
=> Path.GetExtension(path) == ".deb";

internal static bool IsPEFile(string path)
=> Path.GetExtension(path) == ".exe" || Path.GetExtension(path) == ".dll";

Expand Down Expand Up @@ -59,6 +62,8 @@ internal static bool IsPackage(string path)
internal static bool IsZipContainer(string path)
=> IsPackage(path) || IsMPack(path) || IsZip(path) || IsTarGZip(path);

internal bool IsDeb() => IsDeb(FileName);

internal bool IsPEFile() => IsPEFile(FileName);

internal bool IsManaged() => ContentUtil.IsManaged(FullPath);
Expand Down
5 changes: 5 additions & 0 deletions src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,11 @@ public override bool VerifyStrongNameSign(string fileFullPath)
return process.ExitCode == 0;
}

public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
{
return VerifySignatures.VerifySignedDeb(log, filePath);
}

public override bool VerifySignedPowerShellFile(string filePath)
{
return VerifySignatures.VerifySignedPowerShellFile(filePath);
Expand Down
1 change: 1 addition & 0 deletions src/Microsoft.DotNet.SignTool/src/SignTool.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ internal SignTool(SignToolArgs args, TaskLoggingHelper log)

public abstract bool LocalStrongNameSign(IBuildEngine buildEngine, int round, IEnumerable<FileSignInfo> files);

public abstract bool VerifySignedDeb(TaskLoggingHelper log, string filePath);
public abstract bool VerifySignedPEFile(Stream stream);
public abstract bool VerifySignedPowerShellFile(string filePath);
public abstract bool VerifySignedNugetFileMarker(string filePath);
Expand Down
5 changes: 4 additions & 1 deletion src/Microsoft.DotNet.SignTool/src/SignToolConstants.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,8 @@ internal static class SignToolConstants
public const string MsiEngineExtension = "-engine.exe";
/// <summary>
/// List of known signable extensions. Copied, removing duplicates, from here:
/// https://microsoft.sharepoint.com/teams/codesigninfo/Wiki/Signable%20Files.aspx
/// https://microsoft.sharepoint.com/teams/prss/Codesign/SitePages/Signable%20Files.aspx
/// ".deb" is not in the list linked above, but it is a known signable extension.
/// </summary>
public static readonly HashSet<string> SignableExtensions = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
Expand Down Expand Up @@ -110,6 +111,8 @@ internal static class SignToolConstants

".py",
".pyd",

".deb",
};

/// <summary>
Expand Down
3 changes: 3 additions & 0 deletions src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ public override void RemovePublicSign(string assemblyPath)
{
}

public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
=> true;

public override bool VerifySignedPEFile(Stream assemblyStream)
=> true;

Expand Down
Loading
Loading