Enable StrongName verification in SignCheck (#15602)

Author: ellahathaway

Arcade.sln

@@ -151,6 +151,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DotNet.MacOsPkg.C
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.MacOsPkg.Tests", "src\Microsoft.DotNet.MacOsPkg.Tests\Microsoft.DotNet.MacOsPkg.Tests.csproj", "{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DotNet.StrongName", "src\Microsoft.DotNet.StrongName\Microsoft.DotNet.StrongName.csproj", "{B65809A4-C6DB-4994-BBDE-D5B8396958A6}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -1001,6 +1003,18 @@ Global
 		{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}.Release|x64.Build.0 = Release|Any CPU
 		{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}.Release|x86.ActiveCfg = Release|Any CPU
 		{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}.Release|x86.Build.0 = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|x64.Build.0 = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Debug|x86.Build.0 = Debug|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|x64.ActiveCfg = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|x64.Build.0 = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|x86.ActiveCfg = Release|Any CPU
+		{B65809A4-C6DB-4994-BBDE-D5B8396958A6}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs

@@ -16,6 +16,7 @@
 using Xunit;
 using Xunit.Abstractions;
 using Microsoft.DotNet.Build.Tasks.Installers;
+using Microsoft.DotNet.StrongName;
 
 namespace Microsoft.DotNet.SignTool.Tests
 {
@@ -3028,11 +3029,11 @@ public void RunWixToolThrowsErrorIfWixToolsProvidedButDirDoesNotExist()
         [Fact]
         public void MissingStrongNameSignaturesDoNotValidate()
         {
-            StrongName.IsSigned(GetResourcePath("AspNetCoreCrossLib.dll")).Should().BeFalse();
-            StrongName.IsSigned(GetResourcePath("CoreLibCrossARM.dll")).Should().BeFalse();
-            StrongName.IsSigned(GetResourcePath("EmptyPKT.dll")).Should().BeFalse();
-            StrongName.IsSigned(GetResourcePath("DelaySigned.dll")).Should().BeFalse();
-            StrongName.IsSigned(GetResourcePath("ProjectOne.dll")).Should().BeFalse();
+            StrongNameHelper.IsSigned(GetResourcePath("AspNetCoreCrossLib.dll")).Should().BeFalse();
+            StrongNameHelper.IsSigned(GetResourcePath("CoreLibCrossARM.dll")).Should().BeFalse();
+            StrongNameHelper.IsSigned(GetResourcePath("EmptyPKT.dll")).Should().BeFalse();
+            StrongNameHelper.IsSigned(GetResourcePath("DelaySigned.dll")).Should().BeFalse();
+            StrongNameHelper.IsSigned(GetResourcePath("ProjectOne.dll")).Should().BeFalse();
         }
 
         /// <summary>
@@ -3099,9 +3100,9 @@ public void NoFlipButWriteShouldVerify()
 
             PEHeaders peHeaders = new PEHeaders(inputStream);
             inputStream.Position = 0;
-            int checksumStart = peHeaders.PEHeaderStartOffset + StrongName.ChecksumOffsetInPEHeader;
+            int checksumStart = peHeaders.PEHeaderStartOffset + Microsoft.DotNet.StrongName.Constants.ChecksumOffsetInPEHeader;
             WriteBytesToLocation(inputStream, outputStream, checksumStart, peHeaders.PEHeader.CheckSum);
-            StrongName.IsSigned(outputStream).Should().BeTrue();
+            StrongNameHelper.IsSigned(outputStream).Should().BeTrue();
         }
 
         [Fact]
@@ -3113,9 +3114,9 @@ public void IncorrectChecksumsDoNotValidate()
 
             PEHeaders peHeaders = new PEHeaders(inputStream);
             inputStream.Position = 0;
-            int checksumStart = peHeaders.PEHeaderStartOffset + StrongName.ChecksumOffsetInPEHeader;
+            int checksumStart = peHeaders.PEHeaderStartOffset + Microsoft.DotNet.StrongName.Constants.ChecksumOffsetInPEHeader;
             WriteBytesToLocation(inputStream, outputStream, checksumStart, peHeaders.PEHeader.CheckSum ^ 0x1);
-            StrongName.IsSigned(outputStream).Should().BeFalse();
+            StrongNameHelper.IsSigned(outputStream).Should().BeFalse();
         }
 
         // This binary has had a resource added after it was strong name. This invalidated the checksum too,
@@ -3129,25 +3130,25 @@ public void InvalidatedSNSignatureDoesNotValidate()
             PEHeaders peHeaders = new PEHeaders(inputStream);
             inputStream.Position = 0;
 
-            int checksumStart = peHeaders.PEHeaderStartOffset + StrongName.ChecksumOffsetInPEHeader;
+            int checksumStart = peHeaders.PEHeaderStartOffset + Microsoft.DotNet.StrongName.Constants.ChecksumOffsetInPEHeader;
             // Write the checksum that would be expected after editing the binary.
             WriteBytesToLocation(inputStream, outputStream, checksumStart, 110286);
 
-            StrongName.IsSigned(outputStream).Should().BeFalse();
+            StrongNameHelper.IsSigned(outputStream).Should().BeFalse();
         }
 
         [Fact]
         public void ValidStrongNameSignaturesValidate()
         {
-            StrongName.IsSigned(GetResourcePath("SignedLibrary.dll")).Should().BeTrue();
-            StrongName.IsSigned(GetResourcePath("StrongNamedWithEcmaKey.dll")).Should().BeTrue();
+            StrongNameHelper.IsSigned(GetResourcePath("SignedLibrary.dll")).Should().BeTrue();
+            StrongNameHelper.IsSigned(GetResourcePath("StrongNamedWithEcmaKey.dll")).Should().BeTrue();
         }
 
         [WindowsOnlyFact]
         public void ValidStrongNameSignaturesValidateWithFallback()
         {
-            StrongName.IsSigned_Legacy(GetResourcePath("SignedLibrary.dll"), s_snPath).Should().BeTrue();
-            StrongName.IsSigned_Legacy(GetResourcePath("StrongNamedWithEcmaKey.dll"), s_snPath).Should().BeTrue();
+            StrongNameHelper.IsSigned_Legacy(GetResourcePath("SignedLibrary.dll"), s_snPath).Should().BeTrue();
+            StrongNameHelper.IsSigned_Legacy(GetResourcePath("StrongNamedWithEcmaKey.dll"), s_snPath).Should().BeTrue();
         }
 
         [Theory]
@@ -3157,12 +3158,12 @@ public void SigningSignsAsExpected(string file, string key, bool initiallySigned
         {
             // Make sure this is unique
             string resourcePath = GetResourcePath(file, Guid.NewGuid().ToString());
-            StrongName.IsSigned(resourcePath).Should().Be(initiallySigned);
-            StrongName.Sign(resourcePath, GetResourcePath(key));
-            StrongName.IsSigned(resourcePath).Should().BeTrue();
+            StrongNameHelper.IsSigned(resourcePath).Should().Be(initiallySigned);
+            StrongNameHelper.Sign(resourcePath, GetResourcePath(key));
+            StrongNameHelper.IsSigned(resourcePath).Should().BeTrue();
 
             // Legacy sn verification works on on Windows only
-            StrongName.IsSigned_Legacy(resourcePath, s_snPath).Should().Be(
+            StrongNameHelper.IsSigned_Legacy(resourcePath, s_snPath).Should().Be(
                 RuntimeInformation.IsOSPlatform(OSPlatform.Windows));
         }
 
@@ -3174,11 +3175,11 @@ public void SigningSignsAsExpectedWithLegacyAndVerifiesWithNonLegacy(string file
         {
             // Make sure this is unique
             string resourcePath = GetResourcePath(file, Guid.NewGuid().ToString());
-            StrongName.IsSigned_Legacy(resourcePath, s_snPath).Should().Be(initiallySigned);
+            StrongNameHelper.IsSigned_Legacy(resourcePath, s_snPath).Should().Be(initiallySigned);
             // Unset the strong name bit first
-            StrongName.ClearStrongNameSignedBit(resourcePath);
-            StrongName.Sign_Legacy(resourcePath, GetResourcePath(key), s_snPath).Should().BeTrue();
-            StrongName.IsSigned(resourcePath).Should().BeTrue();
+            StrongNameHelper.ClearStrongNameSignedBit(resourcePath);
+            StrongNameHelper.Sign_Legacy(resourcePath, GetResourcePath(key), s_snPath).Should().BeTrue();
+            StrongNameHelper.IsSigned(resourcePath).Should().BeTrue();
         }
 
         [Fact]
@@ -3187,7 +3188,7 @@ public void CannotSignWithTheEcmaKey()
             // Using stream variant so that legacy fallback doesn't swallow the exception.
             using (var inputStream = File.OpenRead(GetResourcePath("StrongNamedWithEcmaKey.dll")))
             {
-                Action shouldFail = () => StrongName.Sign(inputStream, GetResourcePath("OpenSignedCorrespondingKey.snk"));
+                Action shouldFail = () => StrongNameHelper.Sign(inputStream, GetResourcePath("OpenSignedCorrespondingKey.snk"));
                 shouldFail.Should().Throw<NotImplementedException>();
             }
         }
@@ -3198,7 +3199,7 @@ public void DelaySignedBinaryFailsToSignWithDifferentKey()
             // Using stream variant so that legacy fallback doesn't swallow the exception.
             using (var inputStream = File.OpenRead(GetResourcePath("DelaySigned.dll")))
             {
-                Action shouldFail = () => StrongName.Sign(inputStream, GetResourcePath("OpenSignedCorrespondingKey.snk"));
+                Action shouldFail = () => StrongNameHelper.Sign(inputStream, GetResourcePath("OpenSignedCorrespondingKey.snk"));
                 shouldFail.Should().Throw<InvalidOperationException>();
             }
         }

src/Microsoft.DotNet.SignTool/Microsoft.DotNet.SignTool.csproj

@@ -37,6 +37,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\Microsoft.DotNet.Build.Tasks.Installers\Microsoft.DotNet.Build.Tasks.Installers.csproj" />
+    <ProjectReference Include="..\Microsoft.DotNet.StrongName\Microsoft.DotNet.StrongName.csproj" />
   </ItemGroup>
 
 </Project>

src/Microsoft.DotNet.SignTool/src/Configuration.cs

@@ -12,6 +12,7 @@
 using System.Runtime.Versioning;
 using Microsoft.Build.Framework;
 using Microsoft.Build.Utilities;
+using Microsoft.DotNet.StrongName;
 
 namespace Microsoft.DotNet.SignTool
 {
@@ -562,7 +563,7 @@ bool IsSigned(PathWithHash file, SigningStatus signingStatus)
 
             bool IsStrongNameSigned(PathWithHash file)
             {
-                bool isAlreadyStrongNamed = StrongName.IsSigned(file.FullPath, snPath: _snPath, log: _log);
+                bool isAlreadyStrongNamed = StrongNameHelper.IsSigned(file.FullPath, snPath: _snPath);
                 if (!isAlreadyStrongNamed)
                 {
                     _log.LogMessage(MessageImportance.Low, $"PE file {file.FullPath} does not have a valid strong name signature.");

src/Microsoft.DotNet.SignTool/src/ContentUtil.cs

@@ -60,27 +60,6 @@ public static ImmutableArray<byte> StringToHash(string hash)
 
         }
 
-        /// <summary>
-        /// Returns true if the PE file meets all of the pre-conditions to be Open Source Signed.
-        /// Returns false and logs msbuild errors otherwise.
-        /// </summary>
-        public static bool IsPublicSigned(PEReader peReader)
-        {
-            if (!peReader.HasMetadata)
-            {
-                return false;
-            }
-
-            var mdReader = peReader.GetMetadataReader();
-            if (!mdReader.IsAssembly)
-            {
-                return false;
-            }
-
-            CorHeader header = peReader.PEHeaders.CorHeader;
-            return (header.Flags & CorFlags.StrongNameSigned) == CorFlags.StrongNameSigned;
-        }
-
         public static bool IsManaged(string filePath)
         {
             try

src/Microsoft.DotNet.SignTool/src/RealSignTool.cs

@@ -10,6 +10,7 @@
 using System.Reflection.PortableExecutable;
 using System.Text;
 using System.Collections.Generic;
+using Microsoft.DotNet.StrongName;
 
 namespace Microsoft.DotNet.SignTool
 {
@@ -110,7 +111,7 @@ public override bool RunMSBuild(IBuildEngine buildEngine, string projectFilePath
 
         public override void RemoveStrongNameSign(string assemblyPath)
         {
-            StrongName.ClearStrongNameSignedBit(assemblyPath);
+            StrongNameHelper.ClearStrongNameSignedBit(assemblyPath);
         }
 
         public override SigningStatus VerifySignedPEFile(Stream assemblyStream)
@@ -131,7 +132,7 @@ public override SigningStatus VerifyStrongNameSign(string fileFullPath)
                 return SigningStatus.Signed;
             }
 
-            return StrongName.IsSigned(fileFullPath, snPath:_snPath, log: _log) ? SigningStatus.Signed : SigningStatus.NotSigned;
+            return StrongNameHelper.IsSigned(fileFullPath, snPath:_snPath) ? SigningStatus.Signed : SigningStatus.NotSigned;
         }
 
         public override SigningStatus VerifySignedDeb(TaskLoggingHelper log, string filePath)

src/Microsoft.DotNet.SignTool/src/SignTool.cs

@@ -12,6 +12,7 @@
 using Microsoft.Build.Framework;
 using Microsoft.Build.Utilities;
 using NuGet.Packaging;
+using Microsoft.DotNet.StrongName;
 
 namespace Microsoft.DotNet.SignTool
 {
@@ -248,7 +249,7 @@ protected bool LocalStrongNameSign(FileSignInfo file)
         {
             _log.LogMessage($"Strong-name signing '{file.FullPath}' locally with key '{file.SignInfo.StrongName}'.");
 
-            return StrongName.Sign(file.FullPath, file.SignInfo.StrongName, _args.SNBinaryPath, _log);
+            return StrongNameHelper.Sign(file.FullPath, file.SignInfo.StrongName, _args.SNBinaryPath);
         }
     }
 }