Closed Tim-Utelogy closed 2 years ago
@Tim-Utelogy which binaries are you seeing this with? I checked a few packages and found all are consistently signed using a SHA256 certificate.
The files I checked do use a SHA1 hash algorithm for the strong name key, but this matches other assemblies Microsoft ships, e.g. Microsoft.AspNetCore.Mvc.NewtonsoftJson v7.0.0-preview3.
The binary in the package is signed using the newer SHA256 root, which doesn't expire until 2036
What indicates this is signed (not strong named) with SHA1?
Wow, thank you for the quick response, and apologies for the wild goose chase!
To narrow down the list of binaries I needed to look at, I created a powershell script based on Get-AuthenticodeSignature. When I had the list of sha1 signed binaries, I looked for updated versions and manually checked them using ilspy as it looks like @dougbu did above. It didn't occur to me that different hashing algos would be used for the strong name and authenticode so I assumed ilspy was indicating the algo hadn't been updated. When I use Get-AuthenticodeSignature I see that it is indeed signed with Sha256.
Given the long time between 5.2.7 and 5.2.8 is it safe to assume that this certificate issue was the main reason for the new version?
Your script may also get tripped up by dual signing, which we've done for older frameworks to ensure they kept working on unpatched Win7 boxes, because people make me sad.
Indeed, I was trying to fix that limitation when I saw your message. I ended up modifying the script here to get at the secondary signing certificate: https://www.sysadmins.lv/blog-en/reading-multiple-signatures-from-signed-file-with-powershell.aspx
Now the only web related assembly I can't seem to find a version with updated signing for is System.Web.Optimization
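The two points raised in this thread (the strong-name hash algorithm is independent of the Authenticode signature, and `Get-AuthenticodeSignature` only surfaces the primary signature, so dual-signed files look SHA1-only) can be checked with one script. The following is an added example, not the script Tim-Utelogy or the sysadmins.lv post used, and not the project's code. It reads the PKCS#7 blob straight out of the PE security directory (offsets per the PE/COFF spec), decodes it with `SignedCms`, and walks the nested signatures stored under the `szOID_NESTED_SIGNATURE` unsigned attribute (`1.3.6.1.4.1.311.2.4.1`). It assumes Windows PowerShell 5.1 on .NET Framework; the `.\packages` path and the `Get-AssemblySigningReport` function name are placeholders.

```powershell
# Added example: report, per assembly, the three algorithms this thread conflates:
#   - the strong-name hash (from the assembly manifest, via AssemblyName.HashAlgorithm)
#   - the Authenticode file digest of the primary AND any nested (dual) signature
#   - the signature algorithm of the signing certificate itself (e.g. sha256RSA)
# Assumption: Windows PowerShell 5.1 / .NET Framework, so System.Security is available.
Add-Type -AssemblyName System.Security

$NestedSignatureOid = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE

function Get-AuthenticodePkcs7 {
    # Return the raw PKCS#7 bytes from the PE security directory, or $null if unsigned.
    param([string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }        # 'MZ'
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                                # e_lfanew
    if ($pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return $null }  # 'PE\0\0'
    $opt = $pe + 24                                                                        # optional header
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dataDir = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }                    # PE32+ vs PE32
    $certEntry = $dataDir + 4 * 8                                                          # IMAGE_DIRECTORY_ENTRY_SECURITY
    $certOff  = [BitConverter]::ToInt32($b, $certEntry)
    $certSize = [BitConverter]::ToInt32($b, $certEntry + 4)
    if ($certOff -eq 0 -or $certSize -lt 8 -or $certOff + $certSize -gt $b.Length) { return $null }
    $len = [BitConverter]::ToInt32($b, $certOff)                                           # WIN_CERTIFICATE.dwLength
    $pkcs7 = New-Object byte[] ($len - 8)                                                  # skip dwLength/wRevision/wCertificateType
    [Array]::Copy($b, $certOff + 8, $pkcs7, 0, $len - 8)
    return $pkcs7
}

function Get-SignatureDigests {
    # Decode the PKCS#7 and list the primary signer plus every nested signer.
    param([byte[]]$Pkcs7)
    $results = @()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Kind = 'primary'; Bytes = $Pkcs7 })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($item.Bytes)
        $signer = $cms.SignerInfos[0]
        $cert = $signer.Certificate
        $results += [pscustomobject]@{
            Kind          = $item.Kind
            FileDigest    = $signer.DigestAlgorithm.FriendlyName              # sha1 / sha256: the Authenticode digest
            CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }  # how the CA signed the cert
            Subject       = if ($cert) { $cert.Subject } else { $null }
        }
        foreach ($attr in $signer.UnsignedAttributes) {
            if ($attr.Oid.Value -ne $NestedSignatureOid) { continue }
            foreach ($v in $attr.Values) { $queue.Enqueue(@{ Kind = 'nested'; Bytes = $v.RawData }) }
        }
    }
    return $results
}

function Get-AssemblySigningReport {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.dll, *.exe | ForEach-Object {
        $file = $_
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName          # chain/trust status for the primary signature
        $strongName = 'n/a'                                               # native images have no strong name
        try { $strongName = [Reflection.AssemblyName]::GetAssemblyName($file.FullName).HashAlgorithm } catch { }
        $pkcs7 = Get-AuthenticodePkcs7 -Path $file.FullName
        $digests = if ($pkcs7) { Get-SignatureDigests -Pkcs7 $pkcs7 } else { @() }
        if (-not $digests) {
            $digests = @([pscustomobject]@{ Kind = 'none'; FileDigest = $null; CertAlgorithm = $null; Subject = $null })
        }
        foreach ($d in $digests) {
            [pscustomobject]@{
                File           = $file.Name
                Status         = $sig.Status
                StrongNameHash = $strongName      # SHA1 here is expected and unrelated to Authenticode
                Signature      = $d.Kind
                FileDigest     = $d.FileDigest
                CertAlgorithm  = $d.CertAlgorithm
                Signer         = $d.Subject
            }
        }
    }
}

# Usage (placeholder path): list only signatures whose file digest is still SHA1.
Get-AssemblySigningReport -Root '.\packages' |
    Where-Object { $_.FileDigest -eq 'sha1' } |
    Format-Table -AutoSize
```

A dual-signed file shows up as two rows, a `primary` one (typically SHA1, kept for unpatched Windows 7) and a `nested` one (SHA256); a file that reports `StrongNameHash = SHA1` but `FileDigest = sha256` is exactly the case discussed above and is not a SHA1 Authenticode signature. Note that `Status` comes from `Get-AuthenticodeSignature` and therefore reflects only the primary signature's chain.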
The documentation seems to indicate that any cert that chains to a Microsoft SHA-1 cert should be updated before old .NET versions are retired on April 26, 2022. Presuming a site is running on the 4.6.2 runtime or above and referencing the SHA1-signed libraries in this package, should we expect to have any errors as described here? Will you be updating to SHA-2?