Validate SignatureSha256 for MSIX packages during the manifest valida…

…tion (#2384)

src/AppInstallerCLICore/Commands/HashCommand.cpp

@@ -51,8 +51,7 @@ namespace AppInstaller::CLI
                 try
                 {
                     Msix::MsixInfo msixInfo{ inputFile };
-                    auto signature = msixInfo.GetSignature();
-                    auto signatureHash = Utility::SHA256::ComputeHash(signature.data(), static_cast<uint32_t>(signature.size()));
+                    auto signatureHash = msixInfo.GetSignatureHash();
 
                     context.Reporter.Info() << "SignatureSha256: "_liv << Utility::LocIndString{ Utility::SHA256::ConvertToString(signatureHash) } << std::endl;
                 }

src/AppInstallerCLICore/Workflows/DownloadFlow.cpp

@@ -293,9 +293,7 @@ namespace AppInstaller::CLI::Workflow
             const auto& installer = context.Get<Execution::Data::Installer>().value();
 
             Msix::MsixInfo msixInfo(installer.Url);
-            auto signature = msixInfo.GetSignature();
-
-            auto signatureHash = SHA256::ComputeHash(signature.data(), static_cast<uint32_t>(signature.size()));
+            auto signatureHash = msixInfo.GetSignatureHash();
 
             context.Add<Execution::Data::HashPair>(std::make_pair(installer.SignatureSha256, signatureHash));
         }

src/AppInstallerCLITests/AppInstallerCLITests.vcxproj

@@ -297,7 +297,7 @@
     </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\InstallFlowTest_Zip_MultipleNonPortableNestedInstallers.yaml">
       <DeploymentContent>true</DeploymentContent>
-    </CopyFileToFolders>    
+    </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\ImportFile-Bad-Invalid.json">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
@@ -624,7 +624,7 @@
     </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\UpdateFlowTest_ZipWithExe.yaml">
       <DeploymentContent>true</DeploymentContent>
-    </CopyFileToFolders>    
+    </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\InputNames.txt">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
@@ -730,6 +730,30 @@
     <CopyFileToFolders Include="TestData\Installer-Good.msixbundle">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Installer-Signed-Good.msix">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Installer-Signed-Good.msixbundle">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentSignedMsixInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-SignedMsixInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-MsixBundleInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentMsixBundleInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-SignedMsixBundleInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentSignedMsixBundleInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\AppInstallerCLICore\AppInstallerCLICore.vcxproj">

src/AppInstallerCLITests/AppInstallerCLITests.vcxproj.filters

@@ -218,10 +218,10 @@
     <ClCompile Include="Archive.cpp">
       <Filter>Source Files\Common</Filter>
     </ClCompile>
-    <ClCompile Include="FolderFileWatcher.cpp">
-      <Filter>Source Files\Common</Filter>
-    </ClCompile>
     <ClCompile Include="Filesystem.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="FolderFileWatcher.cpp">
       <Filter>Source Files\Common</Filter>
     </ClCompile>
   </ItemGroup>
@@ -699,12 +699,38 @@
     <CopyFileToFolders Include="TestData\Manifest-Bad-NoSupportedPlatforms.yaml">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Installer-Bad-NoSupportedPlatforms.msix">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\Installer-Good.msix">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
     <CopyFileToFolders Include="TestData\Installer-Good.msixbundle">
       <DeploymentContent>true</DeploymentContent>
     </CopyFileToFolders>
-    <CopyFileToFolders Include="TestData\Installer-Bad-NoSupportedPlatforms.msix" />
+    <CopyFileToFolders Include="TestData\Installer-Signed-Good.msix">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Installer-Signed-Good.msixbundle">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentSignedMsixInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-SignedMsixInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-MsixBundleInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentMsixBundleInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Good-SignedMsixBundleInstaller.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
+    <CopyFileToFolders Include="TestData\Manifest-Bad-InconsistentSignedMsixBundleInstallerFields.yaml">
+      <DeploymentContent>true</DeploymentContent>
+    </CopyFileToFolders>
   </ItemGroup>
 </Project>

src/AppInstallerCLITests/TestData/Manifest-Bad-InconsistentMsixBundleInstallerFields.yaml

@@ -0,0 +1,15 @@
+# Bad manifest: Inconsistent field values in unsigned MSIX bundle
+PackageIdentifier: AppInstallerCliTest.InconsistentMsixBundleInstallerFields
+PackageVersion: 1.2.3.4                           # Mismatching value with msix installer
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_Bad    # Mismatching value with msix installer
+MinimumOSVersion: 5.6.7.8                         # Mismatching value with msix installer
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Good.msixbundle
+      SignatureSha256: 0000000000000000000000000000000000000000000000000000000000000000 # Unexpected value for unsigned msix installer
+ManifestType: merged
+ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Bad-InconsistentMsixInstallerFields.yaml

@@ -1,3 +1,4 @@
+# Bad manifest: Inconsistent field values in unsigned MSIX
 PackageIdentifier: AppInstallerCliTest.InconsistentMsixInstallerFields
 PackageVersion: 1.2.3.4                           # Mismatching value with msix installer
 PackageLocale: es-MX
@@ -9,5 +10,6 @@ InstallerType: msix
 Installers: 
     - Architecture: x64
       InstallerUrl: Installer-Good.msix
+      SignatureSha256: 0000000000000000000000000000000000000000000000000000000000000000 # Unexpected value for unsigned msix installer
 ManifestType: merged
 ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Bad-InconsistentSignedMsixBundleInstallerFields.yaml

@@ -0,0 +1,15 @@
+# Bad manifest: Inconsistent field values in signed MSIX bundle
+PackageIdentifier: AppInstallerCliTest.InconsistentMsixBundleInstallerFields
+PackageVersion: 1.2.3.4                           # Mismatching value with msix installer
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_Bad    # Mismatching value with msix installer
+MinimumOSVersion: 5.6.7.8                         # Mismatching value with msix installer
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Signed-Good.msixbundle
+      SignatureSha256: 0000000000000000000000000000000000000000000000000000000000000000 # Inconsistent signature hash
+ManifestType: merged
+ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Bad-InconsistentSignedMsixInstallerFields.yaml

@@ -0,0 +1,15 @@
+# Bad manifest: Inconsistent field values in signed MSIX
+PackageIdentifier: AppInstallerCliTest.InconsistentMsixInstallerFields
+PackageVersion: 1.2.3.4                           # Mismatching value with msix installer
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_Bad    # Mismatching value with msix installer
+MinimumOSVersion: 5.6.7.8                         # Mismatching value with msix installer
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Signed-Good.msix
+      SignatureSha256: 0000000000000000000000000000000000000000000000000000000000000000 # Inconsistent signature hash
+ManifestType: merged
+ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Good-MsixBundleInstaller.yaml

@@ -0,0 +1,13 @@
+PackageIdentifier: AppInstallerCliTest.GoodMsixBundleInstaller
+PackageVersion: 43690.48059.52428.56797
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_125rzkzqaqjwj
+MinimumOSVersion: 10.0.16299.0
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Good.msixbundle
+ManifestType: merged
+ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Good-SignedMsixBundleInstaller.yaml

@@ -0,0 +1,14 @@
+PackageIdentifier: AppInstallerCliTest.GoodSignedMsixBundleInstaller
+PackageVersion: 43690.48059.52428.56797
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_125rzkzqaqjwj
+MinimumOSVersion: 10.0.16299.0
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Signed-Good.msixbundle
+      SignatureSha256: d70bd623f87b6ce4ddba4506c6000cf43ef3af4ab1207f5579ec43400de1623f
+ManifestType: merged
+ManifestVersion: 1.0.0

src/AppInstallerCLITests/TestData/Manifest-Good-SignedMsixInstaller.yaml

@@ -0,0 +1,14 @@
+PackageIdentifier: AppInstallerCliTest.GoodSignedMsixInstaller
+PackageVersion: 43690.48059.52428.56797
+PackageLocale: es-MX
+PackageName: es-MX package name
+Publisher: es-MX publisher
+PackageFamilyName: FakeInstallerForTesting_125rzkzqaqjwj
+MinimumOSVersion: 10.0.0.0
+InstallerType: msix
+Installers: 
+    - Architecture: x64
+      InstallerUrl: Installer-Signed-Good.msix
+      SignatureSha256: 50562001202c8dad456474d3f20903138d0a15c44ee497c3d4f82e85edbf2f97
+ManifestType: merged
+ManifestVersion: 1.0.0