Ensure no signed files skip verification

[ellahathaway]

Not all files that can be validated on .NET Core can be validated on .NET Framework, and vise-versa. See https://github.com/dotnet/arcade/blob/e52018af7f5bab97b0721382d52badfc7edb54f6/src/SignCheck/Microsoft.SignCheck/Verification/SignatureVerificationManager.cs#L91-L117 for the full list.

Due to these differences, we should verify that no signed files skip verification between the Mac, Linux, and Windows verification legs. This work will be more of a sanity check and does not need to go into prod.

[mmitche]

Are all file types covered now @ellahathaway?

[ellahathaway]

Are all file types covered now

@mmitche There are ~145 extensions that are getting skipped by all OSes. I picked out a few that I think need to be addressed:

• 7z
• 7zip
• bat
• bz2
• bzip2
• cmd
• jar
• mjs
• sh

Here are the other extensions that are currently getting skipped:

• 1
• TXT
• Targets
• _
• avif
• bmp
• c
• cmake
• config
• cpp
• cs
• cshtml
• csproj
• css
• dat
• db
• dbg
• dds
• def
• dex
• dib
• docx
• editorconfig
• emf
• exif
• fs
• fsproj
• gif
• gitattrbutes
• gitignore
• globalconfig
• h
• heic
• heif
• html
• http
• ico
• in
• j2c
• jfif
• jp2
• jpc
• jpe
• jpeg
• jpg
• js
• json
• jxr
• less
• lib
• m
• manifest
• map
• md
• mof
• myapp
• natstepfilter
• natvis
• nuspec
• obj
• odp
• ods
• odt
• overridetasks
• p7s
• pbm
• pcx
• pdb
• pdf
• pem
• pgm
• plist
• png
• pom
• ppm
• pptx
• proj
• props
• proto
• psmdcp
• pubxml
• r2rmap
• razor
• razorencconfig
• rels
• rle
• rsp
• rtf
• ruleset
• sarif
• scss
• sha512
• sln
• slnx
• so
• svg
• symbols
• t4
• targets
• tasks
• tga
• thm
• tif
• tiff
• toolsetversion
• transform
• ts
• tsbuildinfo
• txt
• user
• vb
• vbproj
• version
• wasm
• wdp
• webmanifest
• webp
• win32manifest
• wit
• wixobj
• wixproj
• wmp
• wxl
• xaml
• xdt
• xlsx
• xml
• xz

[ellahathaway]

Follow-up:

7z, 7zip, bz2, and bzip2 can just be skipped, because they only apply to empty files (empty.7z, empty.7zip, empty.bz2 and empty.bzip2). I think the other file extensions, besides jar, don't have to be signed so they're okay to be skipped. For jar, I can enable jar verification in SignCheck via /p:EnableJarSigningCheck=true.

Before I enable jar verification, a fix will need to go into SignCheck because it currently fails when verifying jar files: <File Name="signalr-<version>-javadoc.jar" Outcome="Unsigned" Error="Unsupported hash algorithm name&#xD;&#xA;Parameter name: hashName" />

[ellahathaway]

Closing this issue per the comment above. I'm tracking the jar verification work with #4999