Open martincostello opened 8 months ago
Having looked at the diff since v0.3.0, it seems like referencing it in code just means I pick up all the bug fixes that have been made since then, and that's the reason doing that fixes things.
I would advise to everyone, not to click that link and auth to GitHub.
While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see https://github.com/vcsjones/AuthenticodeLint/issues/34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See https://github.com/App-vNext/Polly/issues/1760 for more context.
Running the tool locally against the signed artifacts in Visual Studio shows that an exception is being thrown from the
GetNestedSignatures()
method:Rebuilding AuthenticodeLint locally with a project reference to the latest commit of AuthenticodeExaminer, instead of referencing version 0.3.0 from NuGet, resolves the issue. I'm guessing that it's some sort of bug in a dependency that the library is compiled against that occurs without either it or the consuming application being explicitly updated/recompiled to bump the reference to wherever the bug resides.
The application had no issues on the 28th of September when we released Polly 8.0.0, so I guess that there's also been a change somewhere to the .NET Foundation Authenticode signing infrastructure somewhere that's caused the signature generated to vary in some way compared to then that triggers this issue.
Trying to view assemblies within our NuGet packages shows a similar issue in NuGet Package Explorer.
Ideally, a new release of this library can be made that updates the appropriate dependency and is published to NuGet, and then AuthenticodeLint is updated to consume it in the .NET 6 version, and then that version is published to NuGet.org.