Skip to content

Change signature for diagnostic binaries #74322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hoyosjs merged 6 commits into from
Aug 22, 2022
Merged

Change signature for diagnostic binaries #74322

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d25b292
Add DAC signature infrastructure
hoyosjs Aug 17, 2022
1b269bd
Try using a .NET 6 SDK to enable signing
hoyosjs Aug 18, 2022
ee4962d
Minor opt
hoyosjs Aug 22, 2022
754b057
Add signature verification
hoyosjs Aug 21, 2022
5300111
Remove default target for signing
hoyosjs Aug 22, 2022
ab5bf51
Only sign in official Windows build legs
hoyosjs Aug 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add signature verification
  • Loading branch information
@hoyosjs
hoyosjs committed Aug 22, 2022
commit 754b0576c9acbd5b6ad5943a14bcc3515aae26c0
26 changes: 26 additions & 0 deletions eng/pipelines/coreclr/templates/sign-diagnostic-files.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,29 @@ steps:
DOTNET_MULTILEVEL_LOOKUP: 0
DOTNET_ROOT: '$(Agent.TempDirectory)/dotnet'
DOTNET_MSBUILD_SDK_RESOLVER_CLI_DIR: '$(Agent.TempDirectory)/dotnet'

- powershell: |
$filesToSign = $(Get-ChildItem -Recurse ${{ parameters.basePath }} -Include mscordaccore*.dll, mscordbi*.dll)
foreach ($file in $filesToSign) {
$signingCert = $(Get-AuthenticodeSignature $file).SignerCertificate
if ($signingCert -eq $null)
{
throw "File $file does not contain a signature."
}

if ($signingCert.Subject -ne "CN=.NET DAC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" `
-or $signingCert.Issuer -ne "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
{
throw "File $file not in expected trust chain."
}

$certEKU = $signingCert.Extensions.Where({ $_.Oid.FriendlyName -eq "Enhanced Key Usage" }) | Select -First 1

if ($certEKU.EnhancedKeyUsages.Where({ $_.Value -eq "1.3.6.1.4.1.311.84.4.1" }).Count -ne 1)
{
throw "Signature for $file does not contain expected EKU."
}

Write-Host "$file is correctly signed."
}
displayName: Validate diagnostic signatures