Enable generic detached signature support in SignTool#16035
Conversation
|
@mmitche 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs. I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review. |
|
@copilot I've updated the build instructions. Please read. |
I've read the updated build instructions in |
This enables generic detached signature support. A certificate can be configured as a 'detached' signature, meaning the signing operation rewrites the output file to produce just a signature, rather than a signed copy of the original file. If this is the case, signtool will make a copy the original file, allow the file to be signed, then copy the detached signature to ".sig" alongside the original. This allows for signing of various files that cannot themselves contain the signature. Note that in the output, the .sig file won't get included in a container. For instance, if test.zip exists within BlahPackage.nupkg, and you ask for test.zip to be signed, test.zip.sig would not get automatically added to BlahPackage.nupkg. Maybe this is a feature we want in the future, but for now it's too complicated. In addition, signing the outer container generally speaks for all contents. However, if test.zip is a top level file, you'll get a .sig alongside the original file.
e62a480 to
61c48a2
Compare
|
@copilot Please review the code changes, and update the PR description based on my manual changes. Do not change any code. |
I've reviewed the current implementation and will update the PR description to accurately reflect the certificate-based detached signature approach that was actually implemented, rather than the file-extension-based approach described in the original description. |
nagilson
left a comment
There was a problem hiding this comment.
Thanks for driving this component, I really appreciate that. This will be important for our division's signing effort.
Question so I understand this better:
Are you only improving sign tool (as a 1es / dnceng pipeline service) so that it can produce detached signatures? Or are you also working on the part which signs the .tar and .zip themselves using sign tool? I may have misunderstood what you were working on.
This just enables generation of detached signatures for any file. Could be a tar or a zip or a dll. Is there some new requirement that would be placing a signature file inside the .tar and .zip? |
ellahathaway
left a comment
There was a problem hiding this comment.
VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file) should be adjusted to verify the detatched signatures of these files.
@copilot Please take care of this task |
Added logic to VerifyAfterSign method to verify that detached signature files (.sig) exist and are non-empty. This ensures that files requiring detached signatures are properly signed and that the .sig file is created alongside the original file. Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>
Added verification for detached signatures in |
No, the signature does not need to be inside the file. I mean in terms of who owns using this feature you've added to sign and push the signatures of the .tar and .zip onto a cdn-based URL. I didn't realize sign tool needed to be updated, so our team may have misunderstood and assumed you meant you were going to do the work item of signing the .tar and .zip files and pushing those signatures onto the release urls. If that's not the case, then we (my team / security team) will need to find the owner for that. |
There are a few parts to that:
|
|
Thanks, and great point. Thanks for doing this work as well. I believe @/pavel-purma has signed off on 2. So, we may need an owner for 1. That would likely end up being the release team as well. I'll help coordinate. |
I think 1 will fall on the repo owners. |
I had copilot implement the basics of a check there. However, it'll be really tough to verify the signature without knowing the cert type/container, etc. |
|
/backport to release/10.0 |
|
Started backporting to release/10.0: https://github.com/dotnet/arcade/actions/runs/18328356130 |
| var macSigningOperation = certificateSignInfo.GetMetadata("MacCertificate"); | ||
| var macNotarizationAppName = certificateSignInfo.GetMetadata("MacNotarizationAppName"); | ||
| var collisionPriorityId = certificateSignInfo.GetMetadata(SignToolConstants.CollisionPriorityId); | ||
| var detachedSignatureCertificate = certificateSignInfo.GetMetadata("DetachedSignature"); |
There was a problem hiding this comment.
Nit: The name "DetachedSignature" doesn't convey it is a Boolean property. By that I mean it is a general practice to choose a name that clearly describes the Boolean state/capability (example isEmpty). Precedence for this is the existing "DualSigningAllowed" property. Consider something like "SupportsDetachedSignature".
If agreed, I would be willing to rename this with #16240. As part of this issue, I think we need to define CertificatesSignInfo for the certificates we will used for detached signatures.
e.g.
There was a problem hiding this comment.
I agree. This should be renamed to reflect the fact that it's a boolean property.
This PR implements generic detached signature support in SignTool based on certificate configuration rather than file extensions.
Problem
Previously, SignTool could only handle files that support embedded signatures. Files that cannot contain embedded signatures (like .zip, .tar.gz, .tgz) needed a way to be signed using detached signatures - separate .sig files alongside the originals.
Solution
Core Architecture
Certificate-Based Configuration
AdditionalCertificateInformationclass includes anIsDetachedSignaturepropertySignInfo Class
IsDetachedSignatureproperty to identify files requiring detached signaturesWithDetachedSignature(certificate)method to configure detached signature supportConfiguration Class
ShouldUseDetachedSignaturemethod that checks certificate configuration via_additionalCertificateInformationPathWithHashparameters for better type safetySignTool Architecture
FileSignInfo Class
DetachedSignatureFilePathandDetachedSignatureFullPathproperties for .sig file namingProcess Flow
Key Features
originalname.extension.sigformatValidation Updates
VerifyAfterSignto ensure .sig files exist and are non-emptyImportant Notes
test.zipexists withinBlahPackage.nupkgand is signed with a detached signature,test.zip.sigwill not be added to the .nupkgThe implementation provides a flexible foundation for detached signatures that can be extended to support any file type through certificate configuration.
Fixes #16034.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.