Closed martincostello closed 10 months ago
Looks like there was a new release of the sign tool yesterday - maybe updating that will help.
Investigation so far:
System.ArgumentNullException
  HResult=0x80004003
  Message=Value cannot be null. Arg_ParamName_Name
  Source=System.Private.CoreLib
  StackTrace:
   at System.Runtime.InteropServices.Marshal.CopyToManaged[T](IntPtr source, T[] destination, Int32 startIndex, Int32 length)
   at AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(CRYPT_ATTRIBUTES attributes)
   at AuthenticodeExaminer.CmsSignature.InitFromHandles(CryptMsgSafeHandle messageHandle, LocalBufferSafeHandle signerHandle)
   at AuthenticodeExaminer.CmsSignature..ctor(AsnEncodedData data, SignatureKind kind)
   at AuthenticodeExaminer.CmsSignature.GetNestedSignatures()
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__0.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 10
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__1.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 38
   at AuthenticodeLint.Rules.NoWeakFileDigestAlgorithmsRule.Validate(IReadOnlyList`1 graph, SignatureLogger verboseWriter, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Rules\10002-NoWeakFileDigestAlgorithmsRule.cs:line 20
   at AuthenticodeLint.CheckEngine.RunAllRules(String file, IReadOnlyList`1 signatures, List`1 collectors, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\CheckEngine.cs:line 59
   at AuthenticodeLint.Program.Main(String[] args) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Program.cs:line 175
Maybe something in the last two .NET SDK updates broke something in NuGet when packages are signed or something in Azure Sign Service broke something...
Rebuilding the linter from source and building its dependency from source works as expected and validates the signatures.
Short-term fix is to commit that into a fork of the repository and to build and run that version in our release process. Once that's set up and working, I can dig further post-release to find the true root cause of the issue and sort things out in a less string-and-duct-tape way.
Possibly somehow related to https://github.com/dotnet/sdk/issues/33928.
Resolved by #1761 - looks like the code issue is https://github.com/vcsjones/AuthenticodeExaminer/issues/19, which also affects NuGet Package Explorer, but something else changed to trigger that underlying issue.
Describe the bug
Trying to release 8.1.0, the validate-signed-packages job is failing as the Authenticode signatures appear to be invalid: workflow logs.
I've unpublished the release and deleted the tag while I investigate what's going wrong.
Expected behavior
The binaries are signed with a valid Authenticode signature.
Actual behavior
Multiple binaries are not correctly Authenticode signed.
Steps to reproduce
Create a new tag.
Exception(s) (if any)
See workflow logs.