[Bug]: SecurityUtilities.SignFile is broken in Microsoft.Build.Tasks.Core >= 17.1.0

[e455a81e-d3ba-41a2-bc6d-7aafb1d9a5cd]

Issue Description

Hi, I am using SecurityUtilities.SignFile to sign a ClickOnce manifest files but it fails with a System.Security.Cryptography.CryptographicException.

Steps to Reproduce

The easiest way to reproduce the issue is to check out deployment-tools and to update Microsoft.Build.Tasks.Core to version 17.7.2. This will break ClickOnce signing with dotnet-mage.

Expected Behavior

Signing the ClickOnce manifest file succeeds.

Actual Behavior

Signing the manifest fails with the following exception:

System.Security.Cryptography.CryptographicException: Could not create hash algorithm object.
   at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList)
   at System.Security.Cryptography.Xml.SignedXml.BuildDigestedReferences()
   at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest2.AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, String timeStampUrl, Boolean useSha256, Boolean disallowMansignTimestampFallback) in /_/src/Tasks/ManifestUtil/mansign2.cs:line 767
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest2.Sign(CmiManifestSigner2 signer, String timeStampUrl, Boolean disallowMansignTimestampFallback) in /_/src/Tasks/ManifestUtil/mansign2.cs:line 356
   at Microsoft.Build.Tasks.Deployment.ManifestUtilities.SecurityUtilities.SignFileInternal(X509Certificate2 cert, Uri timestampUrl, String path, Boolean targetFrameworkSupportsSha256, ResourceManager resources, Boolean disallowMansignTimestampFallback) in /_/src/Tasks/ManifestUtil/SecurityUtil.cs:line 736

Analysis

Reverting to Microsoft.Build.Tasks.Core 17.0.1 fixes the issue.
I concluded that the problem occurs because of a change in ManifestSignedXml2.init, where SHA256Managed was replaced by SHA256. See this changeset.
System.Security.Cryptography.Xml.Reference.CalculateHashValue internally uses CryptoConfig.CreateFromName to instantiate the hash algorithm which then attempts to resolve the constructor for SHA256 which fails because SHA256 is an abstract class.

Versions & Configurations

MSBuild version 17.7.2+d6990bcfa for .NET Framework
17.7.2.37605
dotnet --version
7.0.401

[rainersigwald]

Can you clarify: are you using the task, or using Microsoft.Build.Tasks.Core.dll and manually calling APIs within it?

[sujitnayak]

@NikolaMilosavljevic is this a supported scenario for mage?

[NikolaMilosavljevic]

@NikolaMilosavljevic is this a supported scenario for mage?

While there could be issues in the API or Task, there are no current issues with end-to-end experience of dotnet-mage - that is until we update the package reference, as pointed out in the repro steps.

[rainersigwald]

The task doesn't work on Core today -- it fails early with a "use full-framework MSBuild on Windows" message. But if dotnet-mage depends on the API from MSBuild on core, we'd probably need to expand our testing (and fix this bug).

[e455a81e-d3ba-41a2-bc6d-7aafb1d9a5cd]

Can you clarify: are you using the task, or using Microsoft.Build.Tasks.Core.dll and manually calling APIs within it?

Thank you for the quick reply, I am using 'Microsoft.Build.Tasks.Core.dll' and make direct calls to the API.
I am using the API like in dotnet-mage here.