SignCheck failing to validated javascript files are signed

[michellemcdaniel]

• This issue is blocking
• This issue is causing unreasonable pain

There are a few javascript files in runtime that we sign, that appear to get successfully signed (they have a signature), but that signcheck fails on: https://dev.azure.com/dnceng/internal/_build/results?buildId=1082658&view=logs&j=99de65b0-5466-527c-2773-3bea55ba597d&t=2939c30a-036c-51e0-0258-8924602c5671&l=128

SignCheck uses AuthentiCode -> WinVerifyTrust to verify that javascript files are signed. Something in this process is failing.

[michellemcdaniel]

@chcosta none of us really know anything about SignCheck or why it might be failing for javascript files. Can you take a look?

[chcosta]

Ack, looking

[chcosta]

Haven't figured this out yet. For some reason, the behavior is different when running as a task versus running the signcheck app directly, and when running as a task, we're getting the TRUST_E_NOSIGNATURE error code even though I wouldn't expect any behavioral difference here. I'm still investigating.

[chcosta]

Side note, this is https://github.com/dotnet/core-eng/issues/9933, which was never resolved. If you need to unblock something, then you'd need to add exclusions for these files. Either way, I'll spend a little more time investigating unless @joeloff has a solution.

[joeloff]

We did fix this. The problem is that we need to ensure that we're running under a single threaded apartment, otherwise the code to which WinVerifyTrust calls into ends up failing. There was a fix I made in SignCheck last year to add the STAThread attribute to it. If you're running from a task, that's probably executing on an msbuild node.

@rainersigwald do tasks in msbuild use single threaded apartments?

Here's the PR: #5840

[rainersigwald]

do tasks in msbuild use single threaded apartments?

Only if opted in by applying the [RunInSTA] attribute to the task's class definition.

[chcosta]

Spot on, that fixes it. Thanks all, I'll prepare a PR