When using the --skip-signed option with an executable which has an embedded X509 certificate, AzureSignTool might detect that file as already signed. We observed this with a native, non-managed executable written in C++ which had a PEM-encoded certificate embedded in the exe.
Reason: X509Certificate.CreateFromSignedFile() finds any cert, not just code-signing ones, and AzureSignTool assumes that if a cert is found, the file is signed.
AzureSignTool should check if the returned cert actually has the "Code Signing" key usage. It would still not be perfect, but properly validating the Authenticode signature in the context of --skip-signed would be too costly, i.e. it would slow down signing instead of speeding it up.
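The check proposed above, as an added example that is not AzureSignTool's own code: the naive "any cert found" test next to a version that also requires the Code Signing extended key usage (OID 1.3.6.1.5.5.7.3.3, id-kp-codeSigning) on the certificate returned by CreateFromSignedFile().

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SkipSignedCheck
{
    // id-kp-codeSigning as defined in RFC 5280, section 4.2.1.12.
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Behaviour described in the report: any certificate CreateFromSignedFile()
    // returns counts as "signed", so a PEM blob embedded in the image is enough
    // to make --skip-signed skip the file.
    public static bool LooksSignedNaive(string path)
    {
        try
        {
            return X509Certificate.CreateFromSignedFile(path) != null;
        }
        catch (CryptographicException)
        {
            return false; // no signature found
        }
    }

    // Proposed check: treat the file as signed only if the returned certificate
    // carries the Code Signing EKU. Still not a full Authenticode validation,
    // but it filters out unrelated embedded certificates without the cost of
    // verifying the whole signature.
    public static bool LooksSignedWithEkuCheck(string path)
    {
        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException)
        {
            return false; // no signature found
        }

        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509EnhancedKeyUsageExtension eku)
            {
                foreach (Oid oid in eku.EnhancedKeyUsages)
                {
                    if (oid.Value == CodeSigningEku)
                        return true;
                }
            }
        }
        return false; // no EKU extension, or no code-signing EKU: do not skip
    }
}
```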