ArgumentNullException thrown from GetNestedSignatures()

[martincostello]

While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see https://github.com/vcsjones/AuthenticodeLint/issues/34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See https://github.com/App-vNext/Polly/issues/1760 for more context.

Running the tool locally against the signed artifacts in Visual Studio shows that an exception is being thrown from the GetNestedSignatures() method:

System.ArgumentNullException
  HResult=0x80004003
  Message=Value cannot be null. Arg_ParamName_Name
  Source=System.Private.CoreLib
  StackTrace:
   at System.Runtime.InteropServices.Marshal.CopyToManaged[T](IntPtr source, T[] destination, Int32 startIndex, Int32 length)
   at AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(CRYPT_ATTRIBUTES attributes)
   at AuthenticodeExaminer.CmsSignature.InitFromHandles(CryptMsgSafeHandle messageHandle, LocalBufferSafeHandle signerHandle)
   at AuthenticodeExaminer.CmsSignature..ctor(AsnEncodedData data, SignatureKind kind)
   at AuthenticodeExaminer.CmsSignature.GetNestedSignatures()
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__0.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 10
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__1.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 38
   at AuthenticodeLint.Rules.NoWeakFileDigestAlgorithmsRule.Validate(IReadOnlyList`1 graph, SignatureLogger verboseWriter, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Rules\10002-NoWeakFileDigestAlgorithmsRule.cs:line 20
   at AuthenticodeLint.CheckEngine.RunAllRules(String file, IReadOnlyList`1 signatures, List`1 collectors, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\CheckEngine.cs:line 59
   at AuthenticodeLint.Program.Main(String[] args) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Program.cs:line 175

Rebuilding AuthenticodeLint locally with a project reference to the latest commit of AuthenticodeExaminer, instead of referencing version 0.3.0 from NuGet, resolves the issue. I'm guessing that it's some sort of bug in a dependency that the library is compiled against that occurs without either it or the consuming application being explicitly updated/recompiled to bump the reference to wherever the bug resides.

The application had no issues on the 28th of September when we released Polly 8.0.0, so I guess that there's also been a change somewhere to the .NET Foundation Authenticode signing infrastructure somewhere that's caused the signature generated to vary in some way compared to then that triggers this issue.

Trying to view assemblies within our NuGet packages shows a similar issue in NuGet Package Explorer.

Ideally, a new release of this library can be made that updates the appropriate dependency and is published to NuGet, and then AuthenticodeLint is updated to consume it in the .NET 6 version, and then that version is published to NuGet.org.

[martincostello]

Having looked at the diff since v0.3.0, it seems like referencing it in code just means I pick up all the bug fixes that have been made since then, and that's the reason doing that fixes things.

[benmcgarry]

I would advise to everyone, not to click that link and auth to GitHub.