diff --git a/.gitattributes b/.gitattributes
index 303d14c..6b16159 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -24,8 +24,11 @@ tests/fixtures/**/*.msixbundle binary
tests/fixtures/**/*.msi binary
tests/fixtures/**/*.msp binary
tests/fixtures/**/*.mst binary
+tests/fixtures/**/*.nupkg binary
tests/fixtures/**/*.ocx binary
tests/fixtures/**/*.p7 binary
tests/fixtures/**/*.pfx binary
+tests/fixtures/**/*.snupkg binary
tests/fixtures/**/*.sys binary
+tests/fixtures/**/*.vsix binary
tests/fixtures/**/*.winmd binary
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe9eed3..919bfec 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,7 +4,7 @@ on:
workflow_dispatch:
inputs:
version:
- description: Release version to build/publish (for example 0.2.0)
+ description: Release version to build/publish (for example 0.3.0)
required: true
type: string
publish_nuget:
diff --git a/Cargo.lock b/Cargo.lock
index 3739b57..23d1825 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2001,7 +2001,7 @@ dependencies = [
[[package]]
name = "psign"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"assert_cmd",
@@ -2017,6 +2017,7 @@ dependencies = [
"psign-azure-kv-rest",
"psign-codesigning-rest",
"psign-digest-cli",
+ "psign-opc-sign",
"psign-sip-digest",
"rand 0.8.6",
"rayon",
@@ -2036,7 +2037,7 @@ dependencies = [
[[package]]
name = "psign-authenticode-trust"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"authenticode",
@@ -2060,7 +2061,7 @@ dependencies = [
[[package]]
name = "psign-azure-kv-rest"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"base64",
@@ -2075,7 +2076,7 @@ dependencies = [
[[package]]
name = "psign-codesigning-rest"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"base64",
@@ -2087,7 +2088,7 @@ dependencies = [
[[package]]
name = "psign-digest-cli"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"assert_cmd",
@@ -2113,21 +2114,26 @@ dependencies = [
[[package]]
name = "psign-opc-sign"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
+ "base64",
"sha2 0.10.9",
"zip",
]
[[package]]
name = "psign-portable-core"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"base64",
+ "der 0.7.10",
"picky",
"psign-authenticode-trust",
+ "psign-azure-kv-rest",
+ "psign-codesigning-rest",
+ "psign-opc-sign",
"psign-sip-digest",
"reqwest",
"rsa 0.9.10",
@@ -2141,7 +2147,7 @@ dependencies = [
[[package]]
name = "psign-portable-ffi"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"psign-portable-core",
@@ -2151,7 +2157,7 @@ dependencies = [
[[package]]
name = "psign-sip-digest"
-version = "0.2.0"
+version = "0.3.0"
dependencies = [
"anyhow",
"authenticode",
diff --git a/Cargo.toml b/Cargo.toml
index 8af5ca1..663a679 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -30,7 +30,7 @@ repository = "https://github.com/Devolutions/psign"
[package]
name = "psign"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Rust port of the Windows SDK signtool.exe (Authenticode sign/verify/timestamp) with portable digest helpers."
license.workspace = true
@@ -55,12 +55,13 @@ artifact-signing-rest = ["dep:psign-codesigning-rest", "psign-digest-cli/artifac
## Portable RFC 3161 TSA HTTP POST helper under `psign-tool portable`.
timestamp-http = ["psign-digest-cli/timestamp-http"]
## Local RFC 3161 timestamp test server (`psign-server`).
-timestamp-server = ["dep:cms", "dep:der", "dep:rand", "dep:rsa", "x509-cert/builder"]
+timestamp-server = ["dep:cms", "dep:der", "dep:rand", "x509-cert/builder"]
[dependencies]
psign-sip-digest = { path = "crates/psign-sip-digest" }
psign-authenticode-trust = { path = "crates/psign-authenticode-trust" }
psign-digest-cli = { path = "crates/psign-digest-cli" }
+psign-opc-sign = { path = "crates/psign-opc-sign" }
anyhow = "1"
clap = { version = "4", features = ["derive"] }
serde = { version = "1", features = ["derive"] }
@@ -73,15 +74,16 @@ picky = { version = "7.0.0-rc.23", default-features = false, features = ["pkcs12
cms = { version = "0.2.3", features = ["builder"], optional = true }
der = { version = "0.7", features = ["derive"], optional = true }
rand = { version = "0.8", optional = true }
-rsa = { version = "0.9.10", features = ["sha2"], optional = true }
+rsa = { version = "0.9.10", features = ["sha2"] }
x509-cert = "0.2.5"
+zip = { version = "0.6.6", default-features = false, features = ["deflate"] }
+reqwest = { version = "0.12", default-features = false, features = ["blocking", "json", "rustls-tls"], optional = true }
+psign-azure-kv-rest = { path = "crates/psign-azure-kv-rest", optional = true }
+psign-codesigning-rest = { path = "crates/psign-codesigning-rest", optional = true }
[target.'cfg(windows)'.dependencies]
glob = "0.3"
rayon = "1.10"
-psign-azure-kv-rest = { path = "crates/psign-azure-kv-rest", optional = true }
-psign-codesigning-rest = { path = "crates/psign-codesigning-rest", optional = true }
-reqwest = { version = "0.12", default-features = false, features = ["blocking", "json", "rustls-tls"], optional = true }
uuid = "1"
windows = { version = "0.59", features = [
"Win32_Foundation",
@@ -103,7 +105,6 @@ rand = "0.8"
rsa = { version = "0.9.10", features = ["sha2"] }
tempfile = "3"
x509-cert = { version = "0.2.5", features = ["builder"] }
-zip = { version = "0.6.6", default-features = false, features = ["deflate"] }
[build-dependencies]
winresource = "0.1.31"
diff --git a/PowerShell/Devolutions.Psign/Devolutions.Psign.psd1 b/PowerShell/Devolutions.Psign/Devolutions.Psign.psd1
index 352e765..d78a56b 100644
--- a/PowerShell/Devolutions.Psign/Devolutions.Psign.psd1
+++ b/PowerShell/Devolutions.Psign/Devolutions.Psign.psd1
@@ -1,6 +1,6 @@
@{
RootModule = 'Devolutions.Psign.psm1'
- ModuleVersion = '0.2.0'
+ ModuleVersion = '0.3.0'
GUID = 'e6e50e4b-bf25-4ed6-a343-49f904e79f8f'
Author = 'Devolutions'
CompanyName = 'Devolutions'
diff --git a/PowerShell/tests/Invoke-PortableSignatureTests.ps1 b/PowerShell/tests/Invoke-PortableSignatureTests.ps1
index 01816ec..f646ab8 100644
--- a/PowerShell/tests/Invoke-PortableSignatureTests.ps1
+++ b/PowerShell/tests/Invoke-PortableSignatureTests.ps1
@@ -8,404 +8,24 @@ $repo = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
$buildScript = Join-Path (Join-Path $repo 'PowerShell') 'build.ps1'
& $buildScript -Configuration $Configuration
-$modulePath = Join-Path (Join-Path (Join-Path $repo 'PowerShell') 'Devolutions.Psign') 'Devolutions.Psign.psd1'
-Import-Module $modulePath -Force
-
-function Assert-SignerCertificate {
- param(
- [Parameter(Mandatory)]
- $Signature,
- [Parameter(Mandatory)]
- [System.Security.Cryptography.X509Certificates.X509Certificate2] $ExpectedCertificate,
- [Parameter(Mandatory)]
- [string] $Label
- )
-
- if ($null -eq $Signature.SignerCertificate) {
- throw "Expected SignerCertificate for $Label."
- }
- if ($Signature.SignerCertificate.Thumbprint -ne $ExpectedCertificate.Thumbprint) {
- throw "Unexpected SignerCertificate thumbprint for $Label."
- }
- if ($Signature.EmbeddedCertificateCount -lt 1) {
- throw "Expected EmbeddedCertificateCount for $Label."
- }
+$pester = Get-Module -ListAvailable Pester |
+ Sort-Object Version -Descending |
+ Select-Object -First 1
+if ($null -eq $pester) {
+ throw 'Pester 5.x is required to run the PowerShell module test suite.'
}
-function Start-PsignTimestampServer {
- $psi = [System.Diagnostics.ProcessStartInfo]::new()
- $psi.FileName = 'cargo'
- foreach ($argument in @('run', '--quiet', '--bin', 'psign-server', '--', 'timestamp-server', '--max-requests', '1')) {
- $psi.ArgumentList.Add($argument)
- }
- $psi.WorkingDirectory = $repo
- $psi.RedirectStandardOutput = $true
- $psi.UseShellExecute = $false
- $psi.CreateNoWindow = $true
- $process = [System.Diagnostics.Process]::Start($psi)
- $line = $process.StandardOutput.ReadLine()
- if ($line -notlike 'psign-server timestamp-server listening on *') {
- try {
- if (-not $process.HasExited) {
- $process.Kill($true)
- }
- }
- catch {
- }
- throw "Failed to start psign timestamp server. First output: $line"
- }
- [pscustomobject]@{
- Process = $process
- Url = $line.Substring('psign-server timestamp-server listening on '.Length)
- }
-}
+Import-Module $pester.Path -Force
-$temp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString('N'))
-New-Item -ItemType Directory -Force -Path $temp | Out-Null
+$env:PSIGN_PWSH_TEST_SKIP_BUILD = '1'
+$env:PSIGN_PWSH_TEST_CONFIGURATION = $Configuration
try {
- $rsa = [System.Security.Cryptography.RSA]::Create(2048)
- $rootRsa = [System.Security.Cryptography.RSA]::Create(2048)
- $rootRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
- 'CN=psign portable root',
- $rootRsa,
- [System.Security.Cryptography.HashAlgorithmName]::SHA256,
- [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
- $rootRequest.CertificateExtensions.Add(
- [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true))
- $rootRequest.CertificateExtensions.Add(
- [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
- [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign -bor
- [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign,
- $true))
- $rootCert = $rootRequest.CreateSelfSigned(
- [System.DateTimeOffset]::UtcNow.AddDays(-1),
- [System.DateTimeOffset]::UtcNow.AddDays(31))
-
- $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
- 'CN=psign portable test',
- $rsa,
- [System.Security.Cryptography.HashAlgorithmName]::SHA256,
- [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
- $request.CertificateExtensions.Add(
- [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false, $false, 0, $true))
- $request.CertificateExtensions.Add(
- [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
- [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature,
- $true))
- $ekuOids = [System.Security.Cryptography.OidCollection]::new()
- $null = $ekuOids.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
- $request.CertificateExtensions.Add(
- [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuOids, $false))
- $issuedCert = $request.Create(
- $rootCert,
- [System.DateTimeOffset]::UtcNow.AddDays(-1),
- [System.DateTimeOffset]::UtcNow.AddDays(30),
- [byte[]](1, 2, 3, 4, 5, 6, 7, 8))
- $cert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($issuedCert, $rsa)
- $certPath = Join-Path $temp 'signer.cer'
- $keyPath = Join-Path $temp 'signer.key'
- $pfxPath = Join-Path $temp 'signer.pfx'
- $pfxPassword = ConvertTo-SecureString -String 'portable-test' -AsPlainText -Force
- [System.IO.File]::WriteAllBytes($certPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
- [System.IO.File]::WriteAllText(
- $keyPath,
- [System.Security.Cryptography.PemEncoding]::WriteString('PRIVATE KEY', $rsa.ExportPkcs8PrivateKey()))
- [System.IO.File]::WriteAllBytes($pfxPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'portable-test'))
- $storeDir = Join-Path $temp 'cert-store'
- $storeMyDir = Join-Path (Join-Path $storeDir 'CurrentUser') 'MY'
- New-Item -ItemType Directory -Force -Path $storeMyDir | Out-Null
- $storeCertPath = Join-Path $storeMyDir "$($cert.Thumbprint.ToUpperInvariant()).der"
- $storeKeyPath = Join-Path $storeMyDir "$($cert.Thumbprint.ToUpperInvariant()).key"
- Copy-Item -LiteralPath $certPath -Destination $storeCertPath
- Copy-Item -LiteralPath $keyPath -Destination $storeKeyPath
- $chainRsa = [System.Security.Cryptography.RSA]::Create(2048)
- $chainRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
- 'CN=psign portable chain test',
- $chainRsa,
- [System.Security.Cryptography.HashAlgorithmName]::SHA256,
- [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
- $chainCert = $chainRequest.CreateSelfSigned(
- [System.DateTimeOffset]::UtcNow.AddDays(-1),
- [System.DateTimeOffset]::UtcNow.AddDays(30))
- $chainCertPath = Join-Path $temp 'chain.cer'
- [System.IO.File]::WriteAllBytes($chainCertPath, $chainCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
-
- $unsigned = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'pe') 'tiny32-pe-alias.exe'
- $work = Join-Path $temp 'tiny.exe'
- Copy-Item $unsigned $work
-
- if (-not (Get-Command Get-PortableSignature -ErrorAction SilentlyContinue)) {
- throw 'Get-PortableSignature was not exported.'
- }
- if (-not (Get-Command Set-PortableSignature -ErrorAction SilentlyContinue)) {
- throw 'Set-PortableSignature was not exported.'
- }
- $getParameters = (Get-Command Get-PortableSignature).Parameters
- foreach ($parameterName in @('FilePath', 'LiteralPath', 'SourcePathOrExtension', 'Content', 'TrustedCertificate', 'TrustedCertificatePath', 'AnchorDirectory', 'AuthRootCab', 'AsOf', 'PreferTimestampSigningTime', 'RequireValidTimestamp', 'OnlineAia', 'OnlineOcsp', 'RevocationMode')) {
- if (-not $getParameters.ContainsKey($parameterName)) {
- throw "Get-PortableSignature is missing expected migration parameter '$parameterName'."
- }
- }
- $setParameters = (Get-Command Set-PortableSignature).Parameters
- foreach ($parameterName in @('FilePath', 'LiteralPath', 'SourcePathOrExtension', 'Content', 'Certificate', 'CertificatePath', 'PrivateKeyPath', 'PfxPath', 'Password', 'Thumbprint', 'CertStoreDirectory', 'StoreName', 'MachineStore', 'IncludeChain', 'ChainCertificatePath', 'TimestampServer', 'TimestampHashAlgorithm', 'HashAlgorithm', 'OutputPath', 'Force')) {
- if (-not $setParameters.ContainsKey($parameterName)) {
- throw "Set-PortableSignature is missing expected migration parameter '$parameterName'."
- }
- }
-
- $before = Get-PortableSignature -LiteralPath $work
- if ($before.Status -ne 'NotSigned') {
- throw "Expected NotSigned before signing, got $($before.Status)."
- }
-
- $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $certPath -PrivateKeyPath $keyPath
- if ($signed.Status -ne 'Valid') {
- throw "Expected Valid after signing, got $($signed.Status): $($signed.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $signed -ExpectedCertificate $cert -Label 'PE signing response'
-
- $after = Get-PortableSignature -LiteralPath $work
- if ($after.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature after signing, got $($after.Status)."
- }
- Assert-SignerCertificate -Signature $after -ExpectedCertificate $cert -Label 'PE get response'
-
- $trustedAfter = Get-PortableSignature -LiteralPath $work -TrustedCertificate $rootCert -AsOf ([System.DateTime]::UtcNow) -RevocationMode Off
- if ($trustedAfter.Status -ne 'Valid' -or $trustedAfter.TrustStatus -ne 'Valid') {
- throw "Expected explicit trust verification to succeed for signed PE, got status=$($trustedAfter.Status) trust=$($trustedAfter.TrustStatus): $($trustedAfter.StatusMessage)"
- }
- $untrustedAfter = Get-PortableSignature -LiteralPath $work -TrustedCertificate $chainCert
- if ($untrustedAfter.Status -ne 'NotTrusted' -or $untrustedAfter.TrustStatus -ne 'NotTrusted') {
- throw "Expected explicit trust verification to fail with wrong anchor, got status=$($untrustedAfter.Status) trust=$($untrustedAfter.TrustStatus): $($untrustedAfter.StatusMessage)"
- }
-
- $length = (Get-Item -LiteralPath $work).Length
- Set-PortableSignature -LiteralPath $work -CertificatePath $certPath -PrivateKeyPath $keyPath -WhatIf | Out-Null
- if ((Get-Item -LiteralPath $work).Length -ne $length) {
- throw 'Set-PortableSignature -WhatIf mutated the file.'
- }
-
- $readOnlyWork = Join-Path $temp 'tiny-readonly.exe'
- Copy-Item $unsigned $readOnlyWork
- Set-ItemProperty -LiteralPath $readOnlyWork -Name IsReadOnly -Value $true
- try {
- $failedWithoutForce = $false
- try {
- Set-PortableSignature -LiteralPath $readOnlyWork -CertificatePath $certPath -PrivateKeyPath $keyPath -ErrorAction Stop | Out-Null
- }
- catch {
- $failedWithoutForce = $true
- }
- if (-not $failedWithoutForce) {
- throw 'Expected Set-PortableSignature to fail on a read-only file without -Force.'
- }
- $forceSigned = Set-PortableSignature -LiteralPath $readOnlyWork -CertificatePath $certPath -PrivateKeyPath $keyPath -Force
- if ($forceSigned.Status -ne 'Valid') {
- throw "Expected Valid after read-only file signing with -Force, got $($forceSigned.Status): $($forceSigned.StatusMessage)"
- }
- if (-not (Get-Item -LiteralPath $readOnlyWork).IsReadOnly) {
- throw 'Expected Set-PortableSignature -Force to restore the read-only attribute.'
- }
- }
- finally {
- Set-ItemProperty -LiteralPath $readOnlyWork -Name IsReadOnly -Value $false -ErrorAction SilentlyContinue
- }
-
- $storeWork = Join-Path $temp 'tiny-store.exe'
- Copy-Item $unsigned $storeWork
- $storeSigned = Set-PortableSignature -LiteralPath $storeWork -Sha1 $cert.Thumbprint -CertStoreDirectory $storeDir
- if ($storeSigned.Status -ne 'Valid') {
- throw "Expected Valid after portable cert-store signing, got $($storeSigned.Status): $($storeSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $storeSigned -ExpectedCertificate $cert -Label 'portable cert-store signing response'
-
- $chainWork = Join-Path $temp 'tiny-chain.exe'
- Copy-Item $unsigned $chainWork
- $defaultChainWork = Join-Path $temp 'tiny-chain-default.exe'
- Copy-Item $unsigned $defaultChainWork
- $defaultChainSigned = Set-PortableSignature -LiteralPath $defaultChainWork -CertificatePath $certPath -PrivateKeyPath $keyPath -ChainCertificatePath $chainCertPath
- if ($defaultChainSigned.EmbeddedCertificateCount -ne 1) {
- throw "Expected default IncludeChain NotRoot to exclude a self-signed root certificate, got $($defaultChainSigned.EmbeddedCertificateCount) embedded certificates."
- }
- $chainSigned = Set-PortableSignature -LiteralPath $chainWork -CertificatePath $certPath -PrivateKeyPath $keyPath -IncludeChain All -ChainCertificatePath $chainCertPath
- if ($chainSigned.EmbeddedCertificateCount -lt 2) {
- throw "Expected IncludeChain All with ChainCertificatePath to embed at least 2 certificates, got $($chainSigned.EmbeddedCertificateCount)."
- }
-
- $unsignedCab = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'cab') 'sample.cab'
- $cabWork = Join-Path $temp 'sample.cab'
- Copy-Item $unsignedCab $cabWork
- $cabSigned = Set-PortableSignature -LiteralPath $cabWork -CertificatePath $certPath -PrivateKeyPath $keyPath
- if ($cabSigned.Status -ne 'Valid') {
- throw "Expected Valid after CAB signing, got $($cabSigned.Status): $($cabSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $cabSigned -ExpectedCertificate $cert -Label 'CAB signing response'
- $cabAfter = Get-PortableSignature -LiteralPath $cabWork
- if ($cabAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed CAB, got $($cabAfter.Status): $($cabAfter.StatusMessage)"
- }
-
- $unsignedMsi = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'installer') 'tiny.msi'
- $msiWork = Join-Path $temp 'tiny.msi'
- Copy-Item $unsignedMsi $msiWork
- $msiSigned = Set-PortableSignature -LiteralPath $msiWork -CertificatePath $certPath -PrivateKeyPath $keyPath
- if ($msiSigned.Status -ne 'Valid') {
- throw "Expected Valid after MSI signing, got $($msiSigned.Status): $($msiSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $msiSigned -ExpectedCertificate $cert -Label 'MSI signing response'
- $msiAfter = Get-PortableSignature -LiteralPath $msiWork
- if ($msiAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed MSI, got $($msiAfter.Status): $($msiAfter.StatusMessage)"
- }
-
- $zipSource = Join-Path $temp 'zip-source'
- New-Item -ItemType Directory -Force -Path $zipSource | Out-Null
- Set-Content -LiteralPath (Join-Path $zipSource 'payload.txt') -Value 'portable zip authenticode' -Encoding UTF8
- $zipWork = Join-Path $temp 'payload.zip'
- Compress-Archive -LiteralPath (Join-Path $zipSource 'payload.txt') -DestinationPath $zipWork
- $zipSigned = Set-PortableSignature -LiteralPath $zipWork -CertificatePath $certPath -PrivateKeyPath $keyPath
- if ($zipSigned.Status -ne 'Valid') {
- throw "Expected Valid after ZIP signing, got $($zipSigned.Status): $($zipSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $zipSigned -ExpectedCertificate $cert -Label 'ZIP signing response'
- $zipAfter = Get-PortableSignature -LiteralPath $zipWork
- if ($zipAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed ZIP, got $($zipAfter.Status): $($zipAfter.StatusMessage)"
- }
-
- $scriptPath = Join-Path $temp 'Invoke-Test.ps1'
- Set-Content -LiteralPath $scriptPath -Value @'
-param([string] $Name = "portable")
-"Hello $Name"
-'@ -Encoding UTF8
- $scriptSigned = Set-PortableSignature -LiteralPath $scriptPath -Certificate $cert
- if ($scriptSigned.Status -ne 'Valid') {
- throw "Expected Valid for signed PowerShell script, got $($scriptSigned.Status): $($scriptSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $scriptSigned -ExpectedCertificate $cert -Label 'script signing response'
- $scriptAfter = Get-PortableSignature -LiteralPath $scriptPath
- if ($scriptAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed script, got $($scriptAfter.Status)."
- }
- $trustedScript = Get-PortableSignature -LiteralPath $scriptPath -TrustedCertificate $rootCert
- if ($trustedScript.Status -ne 'Valid' -or $trustedScript.TrustStatus -ne 'Valid') {
- throw "Expected explicit trust verification to succeed for signed script, got status=$($trustedScript.Status) trust=$($trustedScript.TrustStatus): $($trustedScript.StatusMessage)"
- }
- Add-Content -LiteralPath $scriptPath -Value '# tamper'
- $scriptTampered = Get-PortableSignature -LiteralPath $scriptPath
- if ($scriptTampered.Status -ne 'HashMismatch') {
- throw "Expected HashMismatch for tampered signed script, got $($scriptTampered.Status): $($scriptTampered.StatusMessage)"
- }
-
- $ps1xmlPath = Join-Path $temp 'Types.ps1xml'
- Set-Content -LiteralPath $ps1xmlPath -Value @'
-
-
- Portable.Type
-
-
-'@ -Encoding UTF8
- $ps1xmlSigned = Set-PortableSignature -LiteralPath $ps1xmlPath -Certificate $cert
- if ($ps1xmlSigned.Status -ne 'Valid') {
- throw "Expected Valid for signed ps1xml, got $($ps1xmlSigned.Status): $($ps1xmlSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $ps1xmlSigned -ExpectedCertificate $cert -Label 'ps1xml signing response'
- $ps1xmlText = Get-Content -LiteralPath $ps1xmlPath -Raw
- if ($ps1xmlText -notmatch '') {
- throw 'Expected signed ps1xml to use XML Authenticode signature markers.'
- }
- $ps1xmlAfter = Get-PortableSignature -LiteralPath $ps1xmlPath
- if ($ps1xmlAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed ps1xml, got $($ps1xmlAfter.Status): $($ps1xmlAfter.StatusMessage)"
- }
- Add-Content -LiteralPath $ps1xmlPath -Value ''
- $ps1xmlTampered = Get-PortableSignature -LiteralPath $ps1xmlPath
- if ($ps1xmlTampered.Status -ne 'HashMismatch') {
- throw "Expected HashMismatch for tampered signed ps1xml, got $($ps1xmlTampered.Status): $($ps1xmlTampered.StatusMessage)"
- }
-
- $scriptContent = [System.Text.Encoding]::UTF8.GetBytes("'content mode'")
- $contentSigned = Set-PortableSignature -SourcePathOrExtension '.ps1' -Content $scriptContent -Certificate $cert
- if ($contentSigned.Status -ne 'Valid') {
- throw "Expected Valid for signed PowerShell script content, got $($contentSigned.Status): $($contentSigned.StatusMessage)"
- }
- if ($null -eq $contentSigned.Content -or $contentSigned.Content.Length -le $scriptContent.Length) {
- throw 'Expected Set-PortableSignature -Content to return signed content bytes.'
- }
- Assert-SignerCertificate -Signature $contentSigned -ExpectedCertificate $cert -Label 'script content signing response'
- $contentAfter = Get-PortableSignature -SourcePathOrExtension '.ps1' -Content $contentSigned.Content
- if ($contentAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature -Content for signed script, got $($contentAfter.Status): $($contentAfter.StatusMessage)"
- }
-
- $timestampServer = Start-PsignTimestampServer
- try {
- $timestampScript = Join-Path $temp 'Timestamped.ps1'
- Set-Content -LiteralPath $timestampScript -Value '"timestamped"' -Encoding UTF8
- $timestamped = Set-PortableSignature -LiteralPath $timestampScript -Certificate $cert -TimestampServer $timestampServer.Url -TimestampHashAlgorithm Sha256
- if ($timestamped.Status -ne 'Valid') {
- throw "Expected Valid for timestamped script, got $($timestamped.Status): $($timestamped.StatusMessage)"
- }
- if ($timestamped.TimestampKinds.Count -eq 0) {
- throw 'Expected timestamped script to report a timestamp kind.'
- }
- if ($null -eq $timestamped.TimeStamperCertificate) {
- throw 'Expected timestamped script to expose TimeStamperCertificate.'
- }
- if (-not $timestamped.PSObject.Properties.Match('TimestampSigningTime')) {
- throw 'Expected timestamped script output to include TimestampSigningTime.'
- }
- }
- finally {
- if (-not $timestampServer.Process.HasExited) {
- $timestampServer.Process.Kill($true)
- }
- $timestampServer.Process.Dispose()
- }
-
- $moduleDir = Join-Path $temp 'PortableModule'
- $nestedDir = Join-Path $moduleDir 'Private'
- New-Item -ItemType Directory -Force -Path $nestedDir | Out-Null
- Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.psm1') -Value 'function Get-PortableGreeting { "hello" }' -Encoding UTF8
- Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.psd1') -Value "@{ RootModule = 'PortableModule.psm1'; ModuleVersion = '1.0.0'; GUID = '$([System.Guid]::NewGuid())' }" -Encoding UTF8
- Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.Types.ps1xml') -Value '' -Encoding UTF8
- Set-Content -LiteralPath (Join-Path $nestedDir 'Helper.ps1') -Value '$script:PortableHelper = $true' -Encoding UTF8
- $moduleSigned = @(Set-PortableSignature -LiteralPath $moduleDir -CertificatePath $certPath -PrivateKeyPath $keyPath)
- if ($moduleSigned.Count -ne 4) {
- throw "Expected 4 signed PowerShell module files, got $($moduleSigned.Count)."
- }
- if (@($moduleSigned | Where-Object Status -ne 'Valid').Count -ne 0) {
- throw "Expected all signed module files to be Valid, got: $($moduleSigned | ConvertTo-Json -Depth 4)"
- }
- foreach ($moduleSignature in $moduleSigned) {
- Assert-SignerCertificate -Signature $moduleSignature -ExpectedCertificate $cert -Label "module signing response $($moduleSignature.Path)"
- }
- $moduleValidated = @(Get-PortableSignature -LiteralPath $moduleDir)
- if ($moduleValidated.Count -ne 4) {
- throw "Expected 4 validated PowerShell module files, got $($moduleValidated.Count)."
- }
- if (@($moduleValidated | Where-Object Status -ne 'Valid').Count -ne 0) {
- throw "Expected all validated module files to be Valid, got: $($moduleValidated | ConvertTo-Json -Depth 4)"
- }
-
- $unsignedMsix = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'msix') 'sample.msix'
- $msixWork = Join-Path $temp 'sample.msix'
- Copy-Item $unsignedMsix $msixWork
- $msixBefore = Get-PortableSignature -LiteralPath $msixWork
- if ($msixBefore.Status -notin @('NotSigned', 'Incompatible')) {
- throw "Expected unsigned MSIX preflight status before signing, got $($msixBefore.Status)."
- }
- $msixSigned = Set-PortableSignature -LiteralPath $msixWork -PfxPath $pfxPath -Password $pfxPassword
- if ($msixSigned.Status -ne 'Valid') {
- throw "Expected Valid after MSIX signing, got $($msixSigned.Status): $($msixSigned.StatusMessage)"
- }
- Assert-SignerCertificate -Signature $msixSigned -ExpectedCertificate $cert -Label 'MSIX signing response'
- $msixAfter = Get-PortableSignature -LiteralPath $msixWork
- if ($msixAfter.Status -ne 'Valid') {
- throw "Expected Valid from Get-PortableSignature for signed MSIX, got $($msixAfter.Status): $($msixAfter.StatusMessage)"
+ $result = Invoke-Pester -Path (Join-Path $PSScriptRoot '*.Tests.ps1') -PassThru
+ if ($result.FailedCount -gt 0) {
+ throw "PowerShell module tests failed: $($result.FailedCount) failed, $($result.PassedCount) passed."
}
}
finally {
- Remove-Item -LiteralPath $temp -Recurse -Force -ErrorAction SilentlyContinue
- Remove-Module Devolutions.Psign -Force -ErrorAction SilentlyContinue
+ Remove-Item Env:PSIGN_PWSH_TEST_SKIP_BUILD -ErrorAction SilentlyContinue
+ Remove-Item Env:PSIGN_PWSH_TEST_CONFIGURATION -ErrorAction SilentlyContinue
}
diff --git a/PowerShell/tests/PortableSignature.LegacySmoke.Tests.ps1 b/PowerShell/tests/PortableSignature.LegacySmoke.Tests.ps1
new file mode 100644
index 0000000..c5da8c5
--- /dev/null
+++ b/PowerShell/tests/PortableSignature.LegacySmoke.Tests.ps1
@@ -0,0 +1,12 @@
+Describe 'Portable PowerShell module legacy smoke suite' {
+ It 'passes the pre-existing end-to-end smoke checks' {
+ $configuration = if ($env:PSIGN_PWSH_TEST_CONFIGURATION) {
+ $env:PSIGN_PWSH_TEST_CONFIGURATION
+ }
+ else {
+ 'Release'
+ }
+
+ & (Join-Path $PSScriptRoot 'PortableSignature.LegacySmoke.ps1') -Configuration $configuration
+ }
+}
diff --git a/PowerShell/tests/PortableSignature.LegacySmoke.ps1 b/PowerShell/tests/PortableSignature.LegacySmoke.ps1
new file mode 100644
index 0000000..9fe7e5c
--- /dev/null
+++ b/PowerShell/tests/PortableSignature.LegacySmoke.ps1
@@ -0,0 +1,413 @@
+param(
+ [string] $Configuration = 'Release'
+)
+
+$ErrorActionPreference = 'Stop'
+
+$repo = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
+$buildScript = Join-Path (Join-Path $repo 'PowerShell') 'build.ps1'
+if (-not $env:PSIGN_PWSH_TEST_SKIP_BUILD) {
+ & $buildScript -Configuration $Configuration
+}
+
+$modulePath = Join-Path (Join-Path (Join-Path $repo 'PowerShell') 'Devolutions.Psign') 'Devolutions.Psign.psd1'
+Import-Module $modulePath -Force
+
+function Assert-SignerCertificate {
+ param(
+ [Parameter(Mandatory)]
+ $Signature,
+ [Parameter(Mandatory)]
+ [System.Security.Cryptography.X509Certificates.X509Certificate2] $ExpectedCertificate,
+ [Parameter(Mandatory)]
+ [string] $Label
+ )
+
+ if ($null -eq $Signature.SignerCertificate) {
+ throw "Expected SignerCertificate for $Label."
+ }
+ if ($Signature.SignerCertificate.Thumbprint -ne $ExpectedCertificate.Thumbprint) {
+ throw "Unexpected SignerCertificate thumbprint for $Label."
+ }
+ if ($Signature.EmbeddedCertificateCount -lt 1) {
+ throw "Expected EmbeddedCertificateCount for $Label."
+ }
+}
+
+function Start-PsignTimestampServer {
+ $psi = [System.Diagnostics.ProcessStartInfo]::new()
+ $psi.FileName = 'cargo'
+ foreach ($argument in @('run', '--quiet', '--bin', 'psign-server', '--', 'timestamp-server', '--max-requests', '1')) {
+ $psi.ArgumentList.Add($argument)
+ }
+ $psi.WorkingDirectory = $repo
+ $psi.RedirectStandardOutput = $true
+ $psi.UseShellExecute = $false
+ $psi.CreateNoWindow = $true
+ $process = [System.Diagnostics.Process]::Start($psi)
+ $line = $process.StandardOutput.ReadLine()
+ if ($line -notlike 'psign-server timestamp-server listening on *') {
+ try {
+ if (-not $process.HasExited) {
+ $process.Kill($true)
+ }
+ }
+ catch {
+ }
+ throw "Failed to start psign timestamp server. First output: $line"
+ }
+ [pscustomobject]@{
+ Process = $process
+ Url = $line.Substring('psign-server timestamp-server listening on '.Length)
+ }
+}
+
+$temp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString('N'))
+New-Item -ItemType Directory -Force -Path $temp | Out-Null
+try {
+ $rsa = [System.Security.Cryptography.RSA]::Create(2048)
+ $rootRsa = [System.Security.Cryptography.RSA]::Create(2048)
+ $rootRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
+ 'CN=psign portable root',
+ $rootRsa,
+ [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+ [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+ $rootRequest.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true))
+ $rootRequest.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign -bor
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign,
+ $true))
+ $rootCert = $rootRequest.CreateSelfSigned(
+ [System.DateTimeOffset]::UtcNow.AddDays(-1),
+ [System.DateTimeOffset]::UtcNow.AddDays(31))
+
+ $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
+ 'CN=psign portable test',
+ $rsa,
+ [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+ [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false, $false, 0, $true))
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature,
+ $true))
+ $ekuOids = [System.Security.Cryptography.OidCollection]::new()
+ $null = $ekuOids.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuOids, $false))
+ $issuedCert = $request.Create(
+ $rootCert,
+ [System.DateTimeOffset]::UtcNow.AddDays(-1),
+ [System.DateTimeOffset]::UtcNow.AddDays(30),
+ [byte[]](1, 2, 3, 4, 5, 6, 7, 8))
+ $cert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($issuedCert, $rsa)
+ $certPath = Join-Path $temp 'signer.cer'
+ $keyPath = Join-Path $temp 'signer.key'
+ $pfxPath = Join-Path $temp 'signer.pfx'
+ $pfxPassword = ConvertTo-SecureString -String 'portable-test' -AsPlainText -Force
+ [System.IO.File]::WriteAllBytes($certPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
+ [System.IO.File]::WriteAllText(
+ $keyPath,
+ [System.Security.Cryptography.PemEncoding]::WriteString('PRIVATE KEY', $rsa.ExportPkcs8PrivateKey()))
+ [System.IO.File]::WriteAllBytes($pfxPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'portable-test'))
+ $storeDir = Join-Path $temp 'cert-store'
+ $storeMyDir = Join-Path (Join-Path $storeDir 'CurrentUser') 'MY'
+ New-Item -ItemType Directory -Force -Path $storeMyDir | Out-Null
+ $storeCertPath = Join-Path $storeMyDir "$($cert.Thumbprint.ToUpperInvariant()).der"
+ $storeKeyPath = Join-Path $storeMyDir "$($cert.Thumbprint.ToUpperInvariant()).key"
+ Copy-Item -LiteralPath $certPath -Destination $storeCertPath
+ Copy-Item -LiteralPath $keyPath -Destination $storeKeyPath
+ $chainRsa = [System.Security.Cryptography.RSA]::Create(2048)
+ $chainRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
+ 'CN=psign portable chain test',
+ $chainRsa,
+ [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+ [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+ $chainCert = $chainRequest.CreateSelfSigned(
+ [System.DateTimeOffset]::UtcNow.AddDays(-1),
+ [System.DateTimeOffset]::UtcNow.AddDays(30))
+ $chainCertPath = Join-Path $temp 'chain.cer'
+ [System.IO.File]::WriteAllBytes($chainCertPath, $chainCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
+
+ $unsigned = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'pe') 'tiny32-pe-alias.exe'
+ $work = Join-Path $temp 'tiny.exe'
+ Copy-Item $unsigned $work
+
+ if (-not (Get-Command Get-PortableSignature -ErrorAction SilentlyContinue)) {
+ throw 'Get-PortableSignature was not exported.'
+ }
+ if (-not (Get-Command Set-PortableSignature -ErrorAction SilentlyContinue)) {
+ throw 'Set-PortableSignature was not exported.'
+ }
+ $getParameters = (Get-Command Get-PortableSignature).Parameters
+ foreach ($parameterName in @('FilePath', 'LiteralPath', 'SourcePathOrExtension', 'Content', 'TrustedCertificate', 'TrustedCertificatePath', 'AnchorDirectory', 'AuthRootCab', 'AsOf', 'PreferTimestampSigningTime', 'RequireValidTimestamp', 'OnlineAia', 'OnlineOcsp', 'RevocationMode')) {
+ if (-not $getParameters.ContainsKey($parameterName)) {
+ throw "Get-PortableSignature is missing expected migration parameter '$parameterName'."
+ }
+ }
+ $setParameters = (Get-Command Set-PortableSignature).Parameters
+ foreach ($parameterName in @('FilePath', 'LiteralPath', 'SourcePathOrExtension', 'Content', 'Certificate', 'CertificatePath', 'PrivateKeyPath', 'PfxPath', 'Password', 'Thumbprint', 'CertStoreDirectory', 'StoreName', 'MachineStore', 'IncludeChain', 'ChainCertificatePath', 'TimestampServer', 'TimestampHashAlgorithm', 'HashAlgorithm', 'OutputPath', 'Force')) {
+ if (-not $setParameters.ContainsKey($parameterName)) {
+ throw "Set-PortableSignature is missing expected migration parameter '$parameterName'."
+ }
+ }
+
+ $before = Get-PortableSignature -LiteralPath $work
+ if ($before.Status -ne 'NotSigned') {
+ throw "Expected NotSigned before signing, got $($before.Status)."
+ }
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $certPath -PrivateKeyPath $keyPath
+ if ($signed.Status -ne 'Valid') {
+ throw "Expected Valid after signing, got $($signed.Status): $($signed.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $signed -ExpectedCertificate $cert -Label 'PE signing response'
+
+ $after = Get-PortableSignature -LiteralPath $work
+ if ($after.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature after signing, got $($after.Status)."
+ }
+ Assert-SignerCertificate -Signature $after -ExpectedCertificate $cert -Label 'PE get response'
+
+ $trustedAfter = Get-PortableSignature -LiteralPath $work -TrustedCertificate $rootCert -AsOf ([System.DateTime]::UtcNow) -RevocationMode Off
+ if ($trustedAfter.Status -ne 'Valid' -or $trustedAfter.TrustStatus -ne 'Valid') {
+ throw "Expected explicit trust verification to succeed for signed PE, got status=$($trustedAfter.Status) trust=$($trustedAfter.TrustStatus): $($trustedAfter.StatusMessage)"
+ }
+ $untrustedAfter = Get-PortableSignature -LiteralPath $work -TrustedCertificate $chainCert
+ if ($untrustedAfter.Status -ne 'NotTrusted' -or $untrustedAfter.TrustStatus -ne 'NotTrusted') {
+ throw "Expected explicit trust verification to fail with wrong anchor, got status=$($untrustedAfter.Status) trust=$($untrustedAfter.TrustStatus): $($untrustedAfter.StatusMessage)"
+ }
+
+ $length = (Get-Item -LiteralPath $work).Length
+ Set-PortableSignature -LiteralPath $work -CertificatePath $certPath -PrivateKeyPath $keyPath -WhatIf | Out-Null
+ if ((Get-Item -LiteralPath $work).Length -ne $length) {
+ throw 'Set-PortableSignature -WhatIf mutated the file.'
+ }
+
+ $readOnlyWork = Join-Path $temp 'tiny-readonly.exe'
+ Copy-Item $unsigned $readOnlyWork
+ Set-ItemProperty -LiteralPath $readOnlyWork -Name IsReadOnly -Value $true
+ try {
+ $failedWithoutForce = $false
+ try {
+ Set-PortableSignature -LiteralPath $readOnlyWork -CertificatePath $certPath -PrivateKeyPath $keyPath -ErrorAction Stop | Out-Null
+ }
+ catch {
+ $failedWithoutForce = $true
+ }
+ if (-not $failedWithoutForce) {
+ throw 'Expected Set-PortableSignature to fail on a read-only file without -Force.'
+ }
+ $forceSigned = Set-PortableSignature -LiteralPath $readOnlyWork -CertificatePath $certPath -PrivateKeyPath $keyPath -Force
+ if ($forceSigned.Status -ne 'Valid') {
+ throw "Expected Valid after read-only file signing with -Force, got $($forceSigned.Status): $($forceSigned.StatusMessage)"
+ }
+ if (-not (Get-Item -LiteralPath $readOnlyWork).IsReadOnly) {
+ throw 'Expected Set-PortableSignature -Force to restore the read-only attribute.'
+ }
+ }
+ finally {
+ Set-ItemProperty -LiteralPath $readOnlyWork -Name IsReadOnly -Value $false -ErrorAction SilentlyContinue
+ }
+
+ $storeWork = Join-Path $temp 'tiny-store.exe'
+ Copy-Item $unsigned $storeWork
+ $storeSigned = Set-PortableSignature -LiteralPath $storeWork -Sha1 $cert.Thumbprint -CertStoreDirectory $storeDir
+ if ($storeSigned.Status -ne 'Valid') {
+ throw "Expected Valid after portable cert-store signing, got $($storeSigned.Status): $($storeSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $storeSigned -ExpectedCertificate $cert -Label 'portable cert-store signing response'
+
+ $chainWork = Join-Path $temp 'tiny-chain.exe'
+ Copy-Item $unsigned $chainWork
+ $defaultChainWork = Join-Path $temp 'tiny-chain-default.exe'
+ Copy-Item $unsigned $defaultChainWork
+ $defaultChainSigned = Set-PortableSignature -LiteralPath $defaultChainWork -CertificatePath $certPath -PrivateKeyPath $keyPath -ChainCertificatePath $chainCertPath
+ if ($defaultChainSigned.EmbeddedCertificateCount -ne 1) {
+ throw "Expected default IncludeChain NotRoot to exclude a self-signed root certificate, got $($defaultChainSigned.EmbeddedCertificateCount) embedded certificates."
+ }
+ $chainSigned = Set-PortableSignature -LiteralPath $chainWork -CertificatePath $certPath -PrivateKeyPath $keyPath -IncludeChain All -ChainCertificatePath $chainCertPath
+ if ($chainSigned.EmbeddedCertificateCount -lt 2) {
+ throw "Expected IncludeChain All with ChainCertificatePath to embed at least 2 certificates, got $($chainSigned.EmbeddedCertificateCount)."
+ }
+
+ $unsignedCab = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'cab') 'sample.cab'
+ $cabWork = Join-Path $temp 'sample.cab'
+ Copy-Item $unsignedCab $cabWork
+ $cabSigned = Set-PortableSignature -LiteralPath $cabWork -CertificatePath $certPath -PrivateKeyPath $keyPath
+ if ($cabSigned.Status -ne 'Valid') {
+ throw "Expected Valid after CAB signing, got $($cabSigned.Status): $($cabSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $cabSigned -ExpectedCertificate $cert -Label 'CAB signing response'
+ $cabAfter = Get-PortableSignature -LiteralPath $cabWork
+ if ($cabAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed CAB, got $($cabAfter.Status): $($cabAfter.StatusMessage)"
+ }
+
+ $unsignedMsi = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'installer') 'tiny.msi'
+ $msiWork = Join-Path $temp 'tiny.msi'
+ Copy-Item $unsignedMsi $msiWork
+ $msiSigned = Set-PortableSignature -LiteralPath $msiWork -CertificatePath $certPath -PrivateKeyPath $keyPath
+ if ($msiSigned.Status -ne 'Valid') {
+ throw "Expected Valid after MSI signing, got $($msiSigned.Status): $($msiSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $msiSigned -ExpectedCertificate $cert -Label 'MSI signing response'
+ $msiAfter = Get-PortableSignature -LiteralPath $msiWork
+ if ($msiAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed MSI, got $($msiAfter.Status): $($msiAfter.StatusMessage)"
+ }
+
+ $zipSource = Join-Path $temp 'zip-source'
+ New-Item -ItemType Directory -Force -Path $zipSource | Out-Null
+ Set-Content -LiteralPath (Join-Path $zipSource 'payload.txt') -Value 'portable zip authenticode' -Encoding UTF8
+ $zipWork = Join-Path $temp 'payload.zip'
+ Compress-Archive -LiteralPath (Join-Path $zipSource 'payload.txt') -DestinationPath $zipWork
+ $zipSigned = Set-PortableSignature -LiteralPath $zipWork -CertificatePath $certPath -PrivateKeyPath $keyPath
+ if ($zipSigned.Status -ne 'Valid') {
+ throw "Expected Valid after ZIP signing, got $($zipSigned.Status): $($zipSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $zipSigned -ExpectedCertificate $cert -Label 'ZIP signing response'
+ $zipAfter = Get-PortableSignature -LiteralPath $zipWork
+ if ($zipAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed ZIP, got $($zipAfter.Status): $($zipAfter.StatusMessage)"
+ }
+
+ $scriptPath = Join-Path $temp 'Invoke-Test.ps1'
+ Set-Content -LiteralPath $scriptPath -Value @'
+param([string] $Name = "portable")
+"Hello $Name"
+'@ -Encoding UTF8
+ $scriptSigned = Set-PortableSignature -LiteralPath $scriptPath -Certificate $cert
+ if ($scriptSigned.Status -ne 'Valid') {
+ throw "Expected Valid for signed PowerShell script, got $($scriptSigned.Status): $($scriptSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $scriptSigned -ExpectedCertificate $cert -Label 'script signing response'
+ $scriptAfter = Get-PortableSignature -LiteralPath $scriptPath
+ if ($scriptAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed script, got $($scriptAfter.Status)."
+ }
+ $trustedScript = Get-PortableSignature -LiteralPath $scriptPath -TrustedCertificate $rootCert
+ if ($trustedScript.Status -ne 'Valid' -or $trustedScript.TrustStatus -ne 'Valid') {
+ throw "Expected explicit trust verification to succeed for signed script, got status=$($trustedScript.Status) trust=$($trustedScript.TrustStatus): $($trustedScript.StatusMessage)"
+ }
+ Add-Content -LiteralPath $scriptPath -Value '# tamper'
+ $scriptTampered = Get-PortableSignature -LiteralPath $scriptPath
+ if ($scriptTampered.Status -ne 'HashMismatch') {
+ throw "Expected HashMismatch for tampered signed script, got $($scriptTampered.Status): $($scriptTampered.StatusMessage)"
+ }
+
+ $ps1xmlPath = Join-Path $temp 'Types.ps1xml'
+ Set-Content -LiteralPath $ps1xmlPath -Value @'
+
+
+ Portable.Type
+
+
+'@ -Encoding UTF8
+ $ps1xmlSigned = Set-PortableSignature -LiteralPath $ps1xmlPath -Certificate $cert
+ if ($ps1xmlSigned.Status -ne 'Valid') {
+ throw "Expected Valid for signed ps1xml, got $($ps1xmlSigned.Status): $($ps1xmlSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $ps1xmlSigned -ExpectedCertificate $cert -Label 'ps1xml signing response'
+ $ps1xmlText = Get-Content -LiteralPath $ps1xmlPath -Raw
+ if ($ps1xmlText -notmatch '') {
+ throw 'Expected signed ps1xml to use XML Authenticode signature markers.'
+ }
+ $ps1xmlAfter = Get-PortableSignature -LiteralPath $ps1xmlPath
+ if ($ps1xmlAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed ps1xml, got $($ps1xmlAfter.Status): $($ps1xmlAfter.StatusMessage)"
+ }
+ Add-Content -LiteralPath $ps1xmlPath -Value ''
+ $ps1xmlTampered = Get-PortableSignature -LiteralPath $ps1xmlPath
+ if ($ps1xmlTampered.Status -ne 'HashMismatch') {
+ throw "Expected HashMismatch for tampered signed ps1xml, got $($ps1xmlTampered.Status): $($ps1xmlTampered.StatusMessage)"
+ }
+
+ $scriptContent = [System.Text.Encoding]::UTF8.GetBytes("'content mode'")
+ $contentSigned = Set-PortableSignature -SourcePathOrExtension '.ps1' -Content $scriptContent -Certificate $cert
+ if ($contentSigned.Status -ne 'Valid') {
+ throw "Expected Valid for signed PowerShell script content, got $($contentSigned.Status): $($contentSigned.StatusMessage)"
+ }
+ if ($null -eq $contentSigned.Content -or $contentSigned.Content.Length -le $scriptContent.Length) {
+ throw 'Expected Set-PortableSignature -Content to return signed content bytes.'
+ }
+ Assert-SignerCertificate -Signature $contentSigned -ExpectedCertificate $cert -Label 'script content signing response'
+ $contentAfter = Get-PortableSignature -SourcePathOrExtension '.ps1' -Content $contentSigned.Content
+ if ($contentAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature -Content for signed script, got $($contentAfter.Status): $($contentAfter.StatusMessage)"
+ }
+
+ $timestampServer = Start-PsignTimestampServer
+ try {
+ $timestampScript = Join-Path $temp 'Timestamped.ps1'
+ Set-Content -LiteralPath $timestampScript -Value '"timestamped"' -Encoding UTF8
+ $timestamped = Set-PortableSignature -LiteralPath $timestampScript -Certificate $cert -TimestampServer $timestampServer.Url -TimestampHashAlgorithm Sha256
+ if ($timestamped.Status -ne 'Valid') {
+ throw "Expected Valid for timestamped script, got $($timestamped.Status): $($timestamped.StatusMessage)"
+ }
+ if ($timestamped.TimestampKinds.Count -eq 0) {
+ throw 'Expected timestamped script to report a timestamp kind.'
+ }
+ if ($null -eq $timestamped.TimeStamperCertificate) {
+ throw 'Expected timestamped script to expose TimeStamperCertificate.'
+ }
+ if (-not $timestamped.PSObject.Properties.Match('TimestampSigningTime')) {
+ throw 'Expected timestamped script output to include TimestampSigningTime.'
+ }
+ }
+ finally {
+ if (-not $timestampServer.Process.HasExited) {
+ $timestampServer.Process.Kill($true)
+ }
+ $timestampServer.Process.Dispose()
+ }
+
+ $moduleDir = Join-Path $temp 'PortableModule'
+ $nestedDir = Join-Path $moduleDir 'Private'
+ New-Item -ItemType Directory -Force -Path $nestedDir | Out-Null
+ Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.psm1') -Value 'function Get-PortableGreeting { "hello" }' -Encoding UTF8
+ Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.psd1') -Value "@{ RootModule = 'PortableModule.psm1'; ModuleVersion = '1.0.0'; GUID = '$([System.Guid]::NewGuid())' }" -Encoding UTF8
+ Set-Content -LiteralPath (Join-Path $moduleDir 'PortableModule.Types.ps1xml') -Value '' -Encoding UTF8
+ Set-Content -LiteralPath (Join-Path $nestedDir 'Helper.ps1') -Value '$script:PortableHelper = $true' -Encoding UTF8
+ $moduleSigned = @(Set-PortableSignature -LiteralPath $moduleDir -CertificatePath $certPath -PrivateKeyPath $keyPath)
+ if ($moduleSigned.Count -ne 4) {
+ throw "Expected 4 signed PowerShell module files, got $($moduleSigned.Count)."
+ }
+ if (@($moduleSigned | Where-Object Status -ne 'Valid').Count -ne 0) {
+ throw "Expected all signed module files to be Valid, got: $($moduleSigned | ConvertTo-Json -Depth 4)"
+ }
+ foreach ($moduleSignature in $moduleSigned) {
+ Assert-SignerCertificate -Signature $moduleSignature -ExpectedCertificate $cert -Label "module signing response $($moduleSignature.Path)"
+ }
+ $moduleValidated = @(Get-PortableSignature -LiteralPath $moduleDir)
+ if ($moduleValidated.Count -ne 4) {
+ throw "Expected 4 validated PowerShell module files, got $($moduleValidated.Count)."
+ }
+ if (@($moduleValidated | Where-Object Status -ne 'Valid').Count -ne 0) {
+ throw "Expected all validated module files to be Valid, got: $($moduleValidated | ConvertTo-Json -Depth 4)"
+ }
+
+ $unsignedMsix = Join-Path (Join-Path (Join-Path (Join-Path (Join-Path $repo 'tests') 'fixtures') 'generated-unsigned') 'msix') 'sample.msix'
+ $msixWork = Join-Path $temp 'sample.msix'
+ Copy-Item $unsignedMsix $msixWork
+ $msixBefore = Get-PortableSignature -LiteralPath $msixWork
+ if ($msixBefore.Status -notin @('NotSigned', 'Incompatible')) {
+ throw "Expected unsigned MSIX preflight status before signing, got $($msixBefore.Status)."
+ }
+ $msixSigned = Set-PortableSignature -LiteralPath $msixWork -PfxPath $pfxPath -Password $pfxPassword
+ if ($msixSigned.Status -ne 'Valid') {
+ throw "Expected Valid after MSIX signing, got $($msixSigned.Status): $($msixSigned.StatusMessage)"
+ }
+ Assert-SignerCertificate -Signature $msixSigned -ExpectedCertificate $cert -Label 'MSIX signing response'
+ $msixAfter = Get-PortableSignature -LiteralPath $msixWork
+ if ($msixAfter.Status -ne 'Valid') {
+ throw "Expected Valid from Get-PortableSignature for signed MSIX, got $($msixAfter.Status): $($msixAfter.StatusMessage)"
+ }
+}
+finally {
+ Remove-Item -LiteralPath $temp -Recurse -Force -ErrorAction SilentlyContinue
+ Remove-Module Devolutions.Psign -Force -ErrorAction SilentlyContinue
+}
diff --git a/PowerShell/tests/PortableSignature.PackageNative.Tests.ps1 b/PowerShell/tests/PortableSignature.PackageNative.Tests.ps1
new file mode 100644
index 0000000..b7e0558
--- /dev/null
+++ b/PowerShell/tests/PortableSignature.PackageNative.Tests.ps1
@@ -0,0 +1,285 @@
+Set-StrictMode -Version Latest
+
+function script:Ensure-PortableSignatureModule {
+ if (-not (Get-Command Set-PortableSignature -ErrorAction SilentlyContinue)) {
+ $repoRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
+ $modulePath = Join-Path (Join-Path $repoRoot 'PowerShell\Devolutions.Psign') 'Devolutions.Psign.psd1'
+ Import-Module $modulePath -Force
+ }
+}
+
+function script:New-PortableSigningMaterial {
+ param(
+ [Parameter(Mandatory)]
+ [string] $BasePath
+ )
+
+ $rsa = [System.Security.Cryptography.RSA]::Create(2048)
+ $rootRsa = [System.Security.Cryptography.RSA]::Create(2048)
+ $rootRequest = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
+ 'CN=psign portable root',
+ $rootRsa,
+ [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+ [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+ $rootRequest.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true))
+ $rootRequest.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign -bor
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign,
+ $true))
+ $rootCert = $rootRequest.CreateSelfSigned(
+ [System.DateTimeOffset]::UtcNow.AddDays(-1),
+ [System.DateTimeOffset]::UtcNow.AddDays(31))
+
+ $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
+ 'CN=psign portable test',
+ $rsa,
+ [System.Security.Cryptography.HashAlgorithmName]::SHA256,
+ [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false, $false, 0, $true))
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
+ [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature,
+ $true))
+ $ekuOids = [System.Security.Cryptography.OidCollection]::new()
+ $null = $ekuOids.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
+ $request.CertificateExtensions.Add(
+ [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuOids, $false))
+ $issuedCert = $request.Create(
+ $rootCert,
+ [System.DateTimeOffset]::UtcNow.AddDays(-1),
+ [System.DateTimeOffset]::UtcNow.AddDays(30),
+ [byte[]](1, 2, 3, 4, 5, 6, 7, 8))
+ $cert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::CopyWithPrivateKey($issuedCert, $rsa)
+
+ $certPath = Join-Path $BasePath 'signer.cer'
+ $keyPath = Join-Path $BasePath 'signer.key'
+ [System.IO.File]::WriteAllBytes($certPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
+ [System.IO.File]::WriteAllText(
+ $keyPath,
+ [System.Security.Cryptography.PemEncoding]::WriteString('PRIVATE KEY', $rsa.ExportPkcs8PrivateKey()))
+
+ [pscustomobject]@{
+ Certificate = $cert
+ RootCertificate = $rootCert
+ CertificatePath = $certPath
+ PrivateKeyPath = $keyPath
+ }
+}
+
+function script:Get-ZipEntryNames {
+ param(
+ [Parameter(Mandatory)]
+ [string] $Path
+ )
+
+ Add-Type -AssemblyName System.IO.Compression.FileSystem
+ $archive = [System.IO.Compression.ZipFile]::OpenRead($Path)
+ try {
+ return @($archive.Entries | ForEach-Object FullName)
+ }
+ finally {
+ $archive.Dispose()
+ }
+}
+
+function script:New-ClickOnceDocument {
+ param(
+ [Parameter(Mandatory)]
+ [string] $Path,
+ [Parameter(Mandatory)]
+ [string] $RootName
+ )
+
+ $xml = @"
+
+<$RootName>
+
+
+"@
+ Set-Content -LiteralPath $Path -Value $xml -Encoding UTF8
+}
+
+Describe 'Portable PowerShell package-native coverage' {
+ BeforeAll {
+ Ensure-PortableSignatureModule
+ $script:RepoRoot = Split-Path -Parent (Split-Path -Parent $PSScriptRoot)
+ $script:ModulePath = Join-Path (Join-Path $script:RepoRoot 'PowerShell\Devolutions.Psign') 'Devolutions.Psign.psd1'
+ $script:TempRoot = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString('N'))
+ New-Item -ItemType Directory -Force -Path $script:TempRoot | Out-Null
+ $script:Signing = New-PortableSigningMaterial -BasePath $script:TempRoot
+ }
+
+ AfterAll {
+ if ($script:TempRoot) {
+ Remove-Item -LiteralPath $script:TempRoot -Recurse -Force -ErrorAction SilentlyContinue
+ }
+ }
+
+ Context 'Set-PortableSignature validation' {
+ It 'requires -AzureKeyVaultCertificate when -AzureKeyVaultUrl is used' {
+ $errorRecord = $null
+ try {
+ Set-PortableSignature -LiteralPath 'placeholder.exe' -AzureKeyVaultUrl 'https://vault.example' -ErrorAction Stop | Out-Null
+ }
+ catch {
+ $errorRecord = $_
+ }
+
+ $errorRecord | Should -Not -BeNullOrEmpty
+ $errorRecord.FullyQualifiedErrorId | Should -Be 'PortableSignatureAkvCertificateRequired,Devolutions.Psign.PowerShell.Cmdlets.SetPortableSignatureCommand'
+ }
+
+ It 'rejects mixed local and Azure Key Vault signing sources' {
+ $errorRecord = $null
+ try {
+ Set-PortableSignature -LiteralPath 'placeholder.exe' `
+ -CertificatePath 'signer.cer' `
+ -PrivateKeyPath 'signer.key' `
+ -AzureKeyVaultUrl 'https://vault.example' `
+ -AzureKeyVaultCertificate 'signer' `
+ -ErrorAction Stop | Out-Null
+ }
+ catch {
+ $errorRecord = $_
+ }
+
+ $errorRecord | Should -Not -BeNullOrEmpty
+ $errorRecord.FullyQualifiedErrorId | Should -Be 'PortableSignatureSigningMaterialRequired,Devolutions.Psign.PowerShell.Cmdlets.SetPortableSignatureCommand'
+ }
+
+ It 'rejects -OutputPath with -Content' {
+ $errorRecord = $null
+ try {
+ Set-PortableSignature -SourcePathOrExtension '.ps1' `
+ -Content ([System.Text.Encoding]::UTF8.GetBytes('"hello"')) `
+ -CertificatePath $script:Signing.CertificatePath `
+ -PrivateKeyPath $script:Signing.PrivateKeyPath `
+ -OutputPath 'out.ps1' `
+ -ErrorAction Stop | Out-Null
+ }
+ catch {
+ $errorRecord = $_
+ }
+
+ $errorRecord | Should -Not -BeNullOrEmpty
+ $errorRecord.FullyQualifiedErrorId | Should -Be 'PortableSignatureContentOutputPathUnsupported,Devolutions.Psign.PowerShell.Cmdlets.SetPortableSignatureCommand'
+ }
+ }
+
+ Context 'Set-PortableSignature package-native formats' {
+ It 'signs and inspects NuGet packages' {
+ $work = Join-Path $script:TempRoot 'sample.nupkg'
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.nupkg') -Destination $work -Force
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath
+ $signed.Format | Should -Be 'NuGet'
+ $signed.Status | Should -Be 'Valid'
+ (Get-ZipEntryNames -Path $work) | Should -Contain '.signature.p7s'
+
+ $inspected = Get-PortableSignature -LiteralPath $work
+ $inspected.Format | Should -Be 'NuGet'
+ $inspected.Status | Should -Be 'Valid'
+ }
+
+ It 'signs and inspects symbol NuGet packages' {
+ $work = Join-Path $script:TempRoot 'sample.snupkg'
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.snupkg') -Destination $work -Force
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath
+ $signed.Format | Should -Be 'NuGet'
+ $signed.Status | Should -Be 'Valid'
+ (Get-ZipEntryNames -Path $work) | Should -Contain '.signature.p7s'
+ }
+
+ It 'signs and inspects VSIX packages' {
+ $work = Join-Path $script:TempRoot 'sample.vsix'
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.vsix') -Destination $work -Force
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath
+ $signed.Format | Should -Be 'Vsix'
+ $signed.Status | Should -Be 'Valid'
+ @(Get-ZipEntryNames -Path $work | Where-Object { $_ -like 'package/services/digital-signature/*' }).Count | Should -BeGreaterThan 0
+
+ $inspected = Get-PortableSignature -LiteralPath $work
+ $inspected.Format | Should -Be 'Vsix'
+ $inspected.Status | Should -Be 'Valid'
+ }
+
+ It 'signs and inspects ClickOnce XML manifests for .manifest, .application, and .vsto' -TestCases @(
+ @{ FileName = 'sample.manifest'; RootName = 'assembly' }
+ @{ FileName = 'sample.application'; RootName = 'deployment' }
+ @{ FileName = 'sample.vsto'; RootName = 'deployment' }
+ ) {
+ param($FileName, $RootName)
+
+ $work = Join-Path $script:TempRoot $FileName
+ New-ClickOnceDocument -Path $work -RootName $RootName
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath
+ $signed.Format | Should -Be 'ClickOnceManifest'
+ $signed.Status | Should -Be 'Valid'
+ (Get-Content -LiteralPath $work -Raw) | Should -Match ''
+
+ $inspected = Get-PortableSignature -LiteralPath $work
+ $inspected.Format | Should -Be 'ClickOnceManifest'
+ $inspected.Status | Should -Be 'Valid'
+ }
+
+ It 'signs App Installer descriptors and writes the detached companion' {
+ $work = Join-Path $script:TempRoot 'sample.appinstaller'
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\generated-unsigned\appinstaller\sample.appinstaller') -Destination $work -Force
+
+ $signed = Set-PortableSignature -LiteralPath $work -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath
+ $signed.Format | Should -Be 'AppInstaller'
+ $signed.Status | Should -Be 'Valid'
+
+ $companion = "$work.p7"
+ Test-Path -LiteralPath $companion | Should -BeTrue
+
+ $inspected = Get-PortableSignature -LiteralPath $work
+ $inspected.Format | Should -Be 'AppInstaller'
+ $inspected.Status | Should -Be 'Valid'
+ }
+ }
+
+ Context 'Directory recursion covers newly signable PowerShell module neighbors' {
+ It 'recurses into package-native and ClickOnce files in a module tree' {
+ $moduleRoot = Join-Path $script:TempRoot 'PortableModuleWithPackages'
+ $privateRoot = Join-Path $moduleRoot 'Private'
+ New-Item -ItemType Directory -Force -Path $privateRoot | Out-Null
+
+ Set-Content -LiteralPath (Join-Path $moduleRoot 'PortableModule.psm1') -Value 'function Get-PortableGreeting { "hello" }' -Encoding UTF8
+ Set-Content -LiteralPath (Join-Path $moduleRoot 'PortableModule.psd1') -Value "@{ RootModule = 'PortableModule.psm1'; ModuleVersion = '1.0.0'; GUID = '$([System.Guid]::NewGuid())' }" -Encoding UTF8
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.nupkg') -Destination (Join-Path $moduleRoot 'sample.nupkg')
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.snupkg') -Destination (Join-Path $moduleRoot 'sample.snupkg')
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\package-signing\unsigned\sample.vsix') -Destination (Join-Path $moduleRoot 'sample.vsix')
+ Copy-Item -LiteralPath (Join-Path $script:RepoRoot 'tests\fixtures\generated-unsigned\appinstaller\sample.appinstaller') -Destination (Join-Path $moduleRoot 'sample.appinstaller')
+ New-ClickOnceDocument -Path (Join-Path $moduleRoot 'sample.manifest') -RootName 'assembly'
+ New-ClickOnceDocument -Path (Join-Path $moduleRoot 'sample.application') -RootName 'deployment'
+ New-ClickOnceDocument -Path (Join-Path $privateRoot 'sample.vsto') -RootName 'deployment'
+ Set-Content -LiteralPath (Join-Path $moduleRoot 'ignored.txt') -Value 'ignore me' -Encoding UTF8
+
+ $signed = @(Set-PortableSignature -LiteralPath $moduleRoot -CertificatePath $script:Signing.CertificatePath -PrivateKeyPath $script:Signing.PrivateKeyPath)
+ $formats = @($signed | ForEach-Object Format)
+ $formats | Should -Contain 'PowerShellScript'
+ $formats | Should -Contain 'NuGet'
+ $formats | Should -Contain 'Vsix'
+ $formats | Should -Contain 'ClickOnceManifest'
+ $formats | Should -Contain 'AppInstaller'
+
+ $signedPaths = @($signed | ForEach-Object Path)
+ $signedPaths | Should -Not -Contain (Join-Path $moduleRoot 'ignored.txt')
+ Test-Path -LiteralPath (Join-Path $moduleRoot 'sample.appinstaller.p7') | Should -BeTrue
+
+ $validated = @(Get-PortableSignature -LiteralPath $moduleRoot)
+ @($validated | Where-Object Status -ne 'Valid').Count | Should -Be 0
+ @($validated | ForEach-Object Format) | Should -Contain 'NuGet'
+ @($validated | ForEach-Object Format) | Should -Contain 'Vsix'
+ @($validated | ForEach-Object Format) | Should -Contain 'ClickOnceManifest'
+ @($validated | ForEach-Object Format) | Should -Contain 'AppInstaller'
+ }
+ }
+}
diff --git a/README.md b/README.md
index d970292..b6dc30d 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ Canonical repository: .
- `timestamp`: Rust mssign32 core (`SignerTimeStampEx3`/`SignerTimeStampEx2`) plus AppX restrictions.
- `rdp`: Rust port of **`rdpsign.exe`** for `.rdp` files (`SignScope` / `Signature` records, detached PKCS#7 over the secure-settings blob).
- `cert-store`: Portable file-backed certificate store under `~/.psign/cert-store` by default, with Windows-style store/thumbprint selection.
+- `code`: dotnet/sign-style orchestration entry point. It supports `--dry-run` / `--plan-json` planning over inputs, file lists, globs, and nested ZIP/OPC containers, plus guarded local cert/key, PFX, portable cert-store SHA-1, Azure Key Vault, or Artifact Signing execution for PE/WinMD, NuGet/SNuGet, VSIX, generic ZIP nested package entries, MSIX/AppX unsigned-package prepare including nested packages inside upload/bundle containers, encrypted MSIX/AppX OS-only diagnostics, ClickOnce `.manifest` / `.application` / `.vsto` XMLDSig signing, PE-like ClickOnce `.deploy` payloads, App Installer publisher updates + top-level or nested companion signatures, `--continue-on-error`, `--skip-signed`, `--overwrite`, and inside-out VSIX/ZIP -> NuGet/VSIX -> PE/ClickOnce-manifest signing.
- `portable ...`: Cross-platform digest, verification, trust, signing, package, RFC3161, and remote-hash helpers that avoid Win32 APIs, including PE/WinMD signing through Azure Artifact Signing REST without Microsoft client DLLs.
## MSIX parity notes
@@ -65,7 +66,7 @@ dotnet tool run psign-tool -- --help
Create local dotnet tool packages from prebuilt release artifacts:
```powershell
-pwsh ./nuget/pack-psign-dotnet-tool.ps1 -Version 0.2.0 -ArtifactsRoot ./dist -OutputDir ./dist/nuget
+pwsh ./nuget/pack-psign-dotnet-tool.ps1 -Version 0.3.0 -ArtifactsRoot ./dist -OutputDir ./dist/nuget
```
The package is built from native `psign-tool` artifacts for `win-x64`, `win-arm64`, `linux-x64`, `linux-arm64`, `osx-x64`, and `osx-arm64`, plus an `any` fallback package for unsupported runtimes.
@@ -99,7 +100,57 @@ cargo build -p psign --bin psign-tool --locked
# Portable package inspection helpers:
# psign-tool portable nupkg-signature-info package.nupkg
# psign-tool portable nupkg-digest package.nupkg --algorithm sha256
+# psign-tool portable nupkg-signature-content package.nupkg --output signature-content.txt
+# psign-tool portable nupkg-signature-pkcs7 package.nupkg --cert signer.der --key signer.pkcs8 --timestamp-url http://tsa --timestamp-digest sha256 --output signature.p7s
+# psign-tool portable nupkg-signature-pkcs7-prehash package.nupkg --encoding raw --output prehash.bin
+# psign-tool portable nupkg-signature-pkcs7-from-signature package.nupkg --cert signer.der --signature remote.sig --output signature.p7s
+# psign-tool portable nupkg-verify-signature-content package.nupkg --content signature-content.txt
+# psign-tool portable nupkg-embed-signature package.nupkg --signature signature.p7s --output signed.nupkg
+# psign-tool portable nupkg-sign package.nupkg --cert signer.der --key signer.pkcs8 --timestamp-url http://tsa --timestamp-digest sha256 --output signed.nupkg
+# psign-tool portable nupkg-verify-signature signed.nupkg --trusted-ca signer.der --allow-loose-signing-cert
# psign-tool portable vsix-signature-info extension.vsix
+# psign-tool portable vsix-signature-reference-xml extension.vsix --output signature-reference.xml
+# psign-tool portable vsix-verify-signature-reference-xml extension.vsix --signature-xml signature-reference.xml
+# psign-tool portable vsix-signature-xml extension.vsix --cert signer.der --key signer.pkcs8 --output signature.xml
+# psign-tool portable vsix-signature-xml-prehash extension.vsix --encoding raw --output prehash.bin
+# psign-tool portable vsix-signature-xml-from-signature extension.vsix --cert signer.der --signature remote.sig --output signature.xml
+# psign-tool portable vsix-verify-signature-xml extension.vsix --signature-xml signature.xml --cert signer.der --trusted-ca root.der
+# psign-tool portable vsix-embed-signature-xml extension.vsix --signature-xml signature.xml --output signed.vsix
+# psign-tool portable vsix-sign extension.vsix --cert signer.der --key signer.pkcs8 --output signed.vsix
+# psign-tool portable vsix-verify-signature signed.vsix --trusted-ca root.der
+# psign-tool portable appinstaller-info app.appinstaller --signature app.appinstaller.p7
+# psign-tool portable appinstaller-sign-companion app.appinstaller --cert signer.der --key signer.pkcs8 --timestamp-url http://tsa --timestamp-digest sha256 --output app.appinstaller.p7
+# psign-tool portable appinstaller-sign-companion-prehash app.appinstaller --encoding raw --output prehash.bin
+# psign-tool portable appinstaller-sign-companion-from-signature app.appinstaller --cert signer.der --signature remote.sig --output app.appinstaller.p7
+# psign-tool portable appinstaller-verify-companion app.appinstaller --signature app.appinstaller.p7 --anchor-dir anchors
+# psign-tool portable appinstaller-set-publisher app.appinstaller --publisher "CN=Example" --output updated.appinstaller
+# psign-tool portable business-central-app-info package.app
+# psign-tool portable msix-manifest-info package.msix
+# psign-tool portable msix-set-publisher package.msix --publisher "CN=Example" --output updated.msix
+# psign-tool portable clickonce-deploy-info app.exe.deploy
+# psign-tool portable clickonce-copy-deploy-payload app.exe.deploy --output app.exe
+# psign-tool portable clickonce-update-manifest-hashes app.exe.manifest --base-directory . --output updated.manifest
+# psign-tool portable clickonce-manifest-hashes updated.manifest --base-directory .
+# psign-tool portable clickonce-sign-manifest updated.manifest --cert signer.der --key signer.pkcs8 --output signed.manifest
+# psign-tool portable clickonce-sign-manifest-prehash updated.manifest --encoding raw --output prehash.bin
+# psign-tool portable clickonce-sign-manifest-from-signature updated.manifest --cert signer.der --signature remote.sig --output signed.manifest
+# psign-tool portable clickonce-verify-manifest-signature signed.manifest --trusted-ca signer.der
+# dotnet/sign-style dry-run planning for nested package orchestration:
+# psign-tool code --dry-run --plan-json --base-directory . --file-list files.txt
+# Initial guarded code execution for PE/NuGet/VSIX/ZIP/MSIX/ClickOnce/App Installer inputs:
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --output signed.exe app.exe
+# psign-tool code --base-directory . --pfx signer.pfx --password "pfx-password" --output signed.nupkg package.nupkg
+# psign-tool code --base-directory . --cert-store-dir ~/.psign/cert-store --sha1 --output signed.nupkg package.nupkg
+# psign-tool code --base-directory . --azure-key-vault-url https://vault.vault.azure.net --azure-key-vault-certificate cert --azure-key-vault-accesstoken "$TOKEN" --output signed.nupkg package.nupkg
+# psign-tool code --base-directory . --artifact-signing-endpoint https://wus2.codesigning.azure.net --artifact-signing-account-name acct --artifact-signing-profile-name profile --artifact-signing-access-token "$TOKEN" --output signed.nupkg package.nupkg
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --timestamp-url http://tsa --timestamp-digest sha256 --output signed.nupkg package.nupkg
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --output signed.vsix extension.vsix
+# psign-tool code --base-directory . --overwrite --cert signer.der --key signer.pkcs8 --output resigned.nupkg signed-package.nupkg
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --output signed.zip package-bundle.zip
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --publisher-name "CN=Publisher" --output prepared.msix app.msix
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --output signed.manifest app.exe.manifest
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --output app.signed.exe.deploy app.exe.deploy
+# psign-tool code --base-directory . --cert signer.der --key signer.pkcs8 --publisher-name "CN=Publisher" --output updated.appinstaller.p7 app.appinstaller
# Optional portable REST helpers (Linux/macOS):
# cargo build -p psign --bin psign-tool --locked --features artifact-signing-rest
# cargo build -p psign --bin psign-tool --locked --features azure-kv-sign
@@ -167,6 +218,13 @@ psign-tool --mode portable sign /sha1 ABCDEF0123456789ABCDEF0123456789ABCDEF01 /
The portable signing path supports local RSA/SHA-2 Authenticode signing for PE/WinMD plus the package/script formats exposed by the portable core. Unsupported native signing options, CSP/KSP selection, auto-selection, and non-exportable local keys return explicit errors in portable mode.
+Cloud-backed signing options also accept Azure.Identity-style selectors:
+`--azure-key-vault-credential-type` and `--artifact-signing-credential-type`
+(`default`, `managed-identity`, `access-token`, `client-secret`,
+`workload-identity`). Managed identity maps to the existing managed-identity
+flows; workload identity is represented in provider planning but explicit
+signing execution is not wired yet.
+
## Generate binary manifest and dependency graph
```powershell
diff --git a/crates/psign-authenticode-trust/Cargo.toml b/crates/psign-authenticode-trust/Cargo.toml
index 63ef21d..dd55db5 100644
--- a/crates/psign-authenticode-trust/Cargo.toml
+++ b/crates/psign-authenticode-trust/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "psign-authenticode-trust"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Portable Authenticode PKCS#7 trust verification (anchors, chain, EKU) using picky-rs"
license.workspace = true
diff --git a/crates/psign-authenticode-trust/src/anchor.rs b/crates/psign-authenticode-trust/src/anchor.rs
index 36ef42d..3660eb9 100644
--- a/crates/psign-authenticode-trust/src/anchor.rs
+++ b/crates/psign-authenticode-trust/src/anchor.rs
@@ -109,7 +109,7 @@ pub fn cert_sha1_thumbprint(cert: &Cert) -> Result<[u8; 20]> {
Ok(out)
}
-fn parse_cert_bytes(raw: &[u8]) -> Result {
+pub fn parse_cert_bytes(raw: &[u8]) -> Result {
let trimmed = raw.trim_ascii_start();
if trimmed.starts_with(b"-----BEGIN ") {
let s =
diff --git a/crates/psign-azure-kv-rest/Cargo.toml b/crates/psign-azure-kv-rest/Cargo.toml
index ec3f273..b2b7513 100644
--- a/crates/psign-azure-kv-rest/Cargo.toml
+++ b/crates/psign-azure-kv-rest/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "psign-azure-kv-rest"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Azure Key Vault certificate metadata + keys/sign REST (portable, blocking HTTP)"
license.workspace = true
diff --git a/crates/psign-codesigning-rest/Cargo.toml b/crates/psign-codesigning-rest/Cargo.toml
index a828320..3a5f1c0 100644
--- a/crates/psign-codesigning-rest/Cargo.toml
+++ b/crates/psign-codesigning-rest/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "psign-codesigning-rest"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Azure Code Signing data-plane CertificateProfileOperations Sign LRO (portable, blocking HTTP)"
license.workspace = true
diff --git a/crates/psign-digest-cli/Cargo.toml b/crates/psign-digest-cli/Cargo.toml
index f3fa124..6411fe1 100644
--- a/crates/psign-digest-cli/Cargo.toml
+++ b/crates/psign-digest-cli/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "psign-digest-cli"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Linux/macOS-friendly CLI over portable Authenticode SIP digests (psign-sip-digest)"
license.workspace = true
@@ -34,7 +34,9 @@ base64 = { version = "0.22", optional = true }
reqwest = { version = "0.12", default-features = false, features = ["blocking", "json", "rustls-tls"], optional = true }
sha1 = "0.10"
sha2 = "0.10"
+rsa = { version = "0.9.10", features = ["sha2"] }
x509-cert = "0.2.5"
+zip = { version = "0.6.6", default-features = false, features = ["deflate"] }
[dev-dependencies]
assert_cmd = "2"
diff --git a/crates/psign-digest-cli/src/main.rs b/crates/psign-digest-cli/src/main.rs
index 6363379..ea548b7 100644
--- a/crates/psign-digest-cli/src/main.rs
+++ b/crates/psign-digest-cli/src/main.rs
@@ -14,6 +14,7 @@ use psign_authenticode_trust::{
trust_verify_cab_bytes, trust_verify_catalog_bytes, trust_verify_detached_bytes,
trust_verify_msi_bytes, trust_verify_pe_bytes, trust_verify_wim_esd_path,
trust_verify_zip_bytes,
+ trust_verify_pe::load_trust_material,
};
#[cfg(feature = "azure-kv-sign-portable")]
use psign_azure_kv_rest::{
@@ -50,11 +51,19 @@ use psign_sip_digest::timestamp::{
use psign_sip_digest::verify_pe;
use psign_sip_digest::verify_script_digest_consistency;
use psign_sip_digest::zip_authenticode;
+use rsa::pkcs8::DecodePublicKey as _;
+use rsa::signature::{SignatureEncoding as _, Signer as _, Verifier as _};
use serde::Deserialize;
use sha1::Sha1;
use sha2::{Digest as _, Sha256, Sha384, Sha512};
use std::ffi::{OsStr, OsString};
+use std::fs::File;
+use std::io::{Read as _, Write as _};
use std::path::{Path, PathBuf};
+use x509_cert::der::{
+ Encode as _,
+ asn1::{ObjectIdentifier, OctetString},
+};
#[derive(Parser)]
#[command(name = "psign-tool")]
@@ -167,6 +176,84 @@ fn trust_verify_options_from_shared(a: &TrustVerifySharedArgs) -> Result bool {
+ a.anchor_dir.is_some()
+ || !a.trusted_ca.is_empty()
+ || a.authroot_cab.is_some()
+ || a.expect_authroot_cab_sha256.is_some()
+ || a.as_of.is_some()
+ || a.online_aia
+ || a.online_ocsp
+ || a.revocation_mode != CliRevocationMode::Off
+ || a.crl_url_override.is_some()
+ || a.aia_url_override.is_some()
+ || a.ocsp_url_override.is_some()
+}
+
+fn verify_xml_signer_certificate_trust(cert_der: &[u8], shared: &TrustVerifySharedArgs) -> Result {
+ let opts = trust_verify_options_from_shared(shared)?;
+ let (anchors, anchor_certs) = load_trust_material(&opts)?;
+ let leaf = psign_authenticode_trust::anchor::parse_cert_bytes(cert_der)
+ .context("parse XMLDSig signer certificate for trust verification")?;
+ let mut merged =
+ psign_authenticode_trust::chain::merge_unique_certs(vec![leaf.clone()], anchor_certs)?;
+ let chain_owned = psign_authenticode_trust::chain::issuer_chain_excluding_leaf_online(
+ &leaf,
+ &mut merged,
+ &opts.online,
+ )?;
+ let root = psign_authenticode_trust::chain::terminal_root_cert_owned(&leaf, &chain_owned);
+ let root_thumb = psign_authenticode_trust::anchor::cert_sha1_thumbprint(root)?;
+ if !anchors.contains_thumbprint(&root_thumb) {
+ return Err(anyhow!(
+ "XMLDSig terminal root certificate is not in the anchor store (SHA-1 thumbprint {:02x}{:02x}...)",
+ root_thumb[0],
+ root_thumb[1]
+ ));
+ }
+ psign_authenticode_trust::online::check_revocation_chain(&leaf, &chain_owned, &opts.online)?;
+
+ let verification_instant = match opts.verification_instant_override.as_ref() {
+ Some(instant) => instant.clone(),
+ None if opts.policy.prefer_timestamp_signing_time && opts.policy.require_valid_timestamp => {
+ return Err(anyhow!(
+ "VSIX XMLDSig timestamp trust verification is not implemented; use --as-of for deterministic certificate-chain validation"
+ ));
+ }
+ None => psign_authenticode_trust::verification_instant::resolve_verification_utc_date(
+ b"",
+ &opts.policy,
+ )?,
+ };
+
+ let chain_refs: Vec<_> = chain_owned.iter().collect();
+ let leaf_verifier = leaf.verifier();
+ let verifier = leaf_verifier
+ .chain(chain_refs.iter().copied())
+ .exact_date(&verification_instant);
+ verifier
+ .verify()
+ .map_err(|e| anyhow!("XMLDSig certificate chain verification: {e}"))?;
+
+ if opts.verbose_chain {
+ let thumb_hex: String = root_thumb.iter().map(|b| format!("{b:02x}")).collect();
+ eprintln!("xml-trust: leaf subject: {}", leaf.subject_name());
+ for (i, cert) in chain_refs.iter().enumerate() {
+ eprintln!(
+ "xml-trust: chain[{i}] subject: {} issuer: {}",
+ cert.subject_name(),
+ cert.issuer_name()
+ );
+ }
+ eprintln!(
+ "xml-trust: root subject: {} (thumb SHA-1 {thumb_hex})",
+ root.subject_name()
+ );
+ }
+
+ Ok(anchors.thumbprint_count())
+}
+
fn digest_byte_len_for_hash_alg(alg: HashAlg) -> usize {
match alg {
HashAlg::Sha1 => 20,
@@ -283,512 +370,2033 @@ fn run_rfc3161_timestamp_req(
Ok(())
}
-fn run_rfc3161_timestamp_resp_inspect(
- path: &Path,
- expect_digest_hex: Option<&str>,
- expect_nonce: Option,
-) -> Result<()> {
- let bytes = std::fs::read(path).with_context(|| format!("read {}", path.display()))?;
- let expected_digest = expect_digest_hex
- .map(normalize_even_hex)
- .transpose()
- .context("parse --expect-digest-hex")?;
- let expected_nonce = expect_nonce.map(rfc3161_nonce_hex);
- let p = parse_time_stamp_resp_der(&bytes).ok_or_else(|| {
- anyhow!("could not parse TimeStampResp DER (definite ASN.1 subset or trailing garbage)")
- })?;
- let tok_len = p.time_stamp_token.map(|t| t.len()).unwrap_or(0);
- println!(
- "pki_status={} pki_status_int={} granted={} time_stamp_token_len={}",
- pki_status_label(p.pki_status),
- p.pki_status.as_raw_integer(),
- if p.pki_status.granted() { "yes" } else { "no" },
- tok_len
- );
- println!(
- "time_stamp_token_prefix_hex={}",
- time_stamp_token_prefix_hex(p.time_stamp_token)
- );
- println!(
- "status_strings_json={}",
- serde_json::to_string(&p.status_strings).context("encode PKIStatusInfo.statusString")?
- );
- match p.fail_info_tlv {
- Some(fi) => println!("fail_info_tlv_hex={}", hex_lower(fi)),
- None => println!("fail_info_tlv_hex=-"),
- }
- let flags_json = match p.fail_info_tlv {
- None => serde_json::Value::Array(vec![]),
- Some(fi) => match pkifailure_info_flag_labels_from_bit_string_tlv(fi) {
- Some(labels) => serde_json::to_value(&labels).context("encode failInfo flags")?,
- None => serde_json::Value::Null,
- },
- };
- println!("fail_info_flags_json={flags_json}");
- if let Some(tst) = p.time_stamp_token.and_then(parse_time_stamp_token_tst_info) {
- println!("tst_info_present=yes");
- println!("tst_info_policy_oid={}", tst.policy_oid);
- println!(
- "tst_info_message_imprint_digest_alg_oid={}",
- tst.message_imprint_digest_alg_oid
- );
- println!(
- "tst_info_message_imprint_hashed_message_hex={}",
- hex_lower(&tst.message_imprint_hashed_message)
- );
- println!("tst_info_serial_hex={}", tst.serial_number_hex);
- println!("tst_info_gen_time={}", tst.gen_time);
- println!(
- "tst_info_nonce_hex={}",
- tst.nonce_hex.as_deref().unwrap_or("-")
- );
- if let Some(expected) = expected_digest.as_deref() {
- println!(
- "tst_info_message_imprint_match={}",
- if hex_lower(&tst.message_imprint_hashed_message) == expected {
- "yes"
- } else {
- "no"
- }
- );
- }
- if let Some(expected) = expected_nonce.as_deref() {
- println!(
- "tst_info_nonce_match={}",
- if tst.nonce_hex.as_deref() == Some(expected) {
- "yes"
- } else {
- "no"
- }
- );
- }
- } else {
- println!("tst_info_present=no");
- if expected_digest.is_some() {
- println!("tst_info_message_imprint_match=no");
- }
- if expected_nonce.is_some() {
- println!("tst_info_nonce_match=no");
+#[derive(Debug, Eq, PartialEq)]
+struct AppInstallerDescriptorInfo {
+ root: &'static str,
+ namespace: Option,
+ has_main_package: bool,
+ has_main_bundle: bool,
+ publisher: Option,
+}
+
+#[derive(Debug, Eq, PartialEq)]
+struct BusinessCentralAppInfo {
+ is_navx: bool,
+ len: u64,
+}
+
+#[derive(Debug, Eq, PartialEq)]
+struct MsixManifestInfo {
+ package_name: Option,
+ publisher: Option,
+ version: Option,
+ processor_architecture: Option,
+}
+
+#[derive(Debug, Eq, PartialEq)]
+struct ClickOnceDeployInfo {
+ deployed: bool,
+ content_name: Option,
+ len: u64,
+}
+
+#[derive(Debug, Eq, PartialEq)]
+struct ClickOnceManifestHashEntry {
+ path: String,
+ algorithm: HashAlg,
+ expected_size: Option,
+ actual_size: u64,
+ expected_digest_b64: String,
+ actual_digest_b64: String,
+}
+
+impl ClickOnceManifestHashEntry {
+ fn status(&self) -> &'static str {
+ if self.expected_size.is_some_and(|size| size != self.actual_size) {
+ "mismatch"
+ } else if self.expected_digest_b64 == self.actual_digest_b64 {
+ "valid"
+ } else {
+ "mismatch"
}
}
- Ok(())
}
-#[cfg(feature = "timestamp-http")]
-fn run_rfc3161_timestamp_http_post(
- url: String,
- algorithm: HashAlg,
- digest_file: Option,
- digest_hex: Option,
- nonce: Option,
- cert_req: bool,
- output: Option,
-) -> Result<()> {
- use std::io::Write;
- let preimage =
- load_timestamp_imprint_preimage(digest_hex.as_ref(), digest_file.as_ref(), algorithm)?;
- let plan = Rfc3161TimestampRequestPlan {
- digest_alg_oid: hash_alg_timestamp_oid(algorithm),
- nonce,
- cert_req,
- };
- let der = build_timestamp_request_bytes(&plan, &preimage).ok_or_else(|| {
- anyhow!("unsupported digest OID / preimage length for RFC3161 TimeStampReq")
- })?;
- let client = reqwest::blocking::Client::builder()
- .use_rustls_tls()
- .timeout(std::time::Duration::from_secs(120))
- .build()
- .context("build HTTP client (timestamp-http feature)")?;
- let resp = client
- .post(url.trim())
- .header("Content-Type", "application/timestamp-query")
- .header(
- "Accept",
- "application/timestamp-reply, application/timestamp-response",
- )
- .body(der)
- .send()
- .with_context(|| format!("POST TimeStampReq to {}", url.trim()))?;
- let status = resp.status();
- let body = resp.bytes().context("read TSA response body")?;
- if !status.is_success() {
+#[derive(Debug, Eq, PartialEq)]
+struct ClickOnceManifestSignatureReport {
+ digest: PortableSignDigest,
+ manifest_digest_b64: String,
+ signature_len: usize,
+}
+
+fn inspect_clickonce_deploy_payload(path: &Path) -> Result {
+ let metadata = std::fs::metadata(path).with_context(|| format!("stat {}", path.display()))?;
+ let content_name = clickonce_deploy_content_name(path);
+ Ok(ClickOnceDeployInfo {
+ deployed: content_name.is_some(),
+ content_name,
+ len: metadata.len(),
+ })
+}
+
+fn clickonce_deploy_content_name(path: &Path) -> Option {
+ let file_name = path.file_name()?.to_string_lossy();
+ file_name
+ .strip_suffix(".deploy")
+ .filter(|name| !name.is_empty())
+ .map(str::to_owned)
+}
+
+fn copy_clickonce_deploy_payload(input: &Path, output: &Path) -> Result {
+ let Some(_) = clickonce_deploy_content_name(input) else {
return Err(anyhow!(
- "TSA HTTP {} — first {} body bytes (hex): {}",
- status,
- body.len().min(256),
- hex_lower(&body[..body.len().min(256)])
+ "ClickOnce deploy payload name must end with .deploy: {}",
+ input.display()
));
+ };
+ std::fs::copy(input, output)
+ .with_context(|| format!("copy {} to {}", input.display(), output.display()))
+}
+
+fn clickonce_manifest_hashes(
+ manifest_path: &Path,
+ base_directory: Option<&Path>,
+) -> Result> {
+ let text = std::fs::read_to_string(manifest_path)
+ .with_context(|| format!("read ClickOnce manifest {}", manifest_path.display()))?;
+ let base = base_directory
+ .map(Path::to_path_buf)
+ .unwrap_or_else(|| manifest_path.parent().unwrap_or(Path::new(".")).to_path_buf());
+ clickonce_manifest_hashes_from_text(&text, &base)
+}
+
+fn clickonce_manifest_hashes_from_text(
+ text: &str,
+ base_directory: &Path,
+) -> Result> {
+ let entries = clickonce_manifest_reference_spans(text)?;
+ let mut out = Vec::with_capacity(entries.len());
+ for entry in entries {
+ let file_path = resolve_clickonce_manifest_path(base_directory, &entry.path)?;
+ let bytes =
+ std::fs::read(&file_path).with_context(|| format!("read {}", file_path.display()))?;
+ let digest = digest_bytes_for_hash_alg(entry.algorithm, &bytes);
+ out.push(ClickOnceManifestHashEntry {
+ path: entry.path,
+ algorithm: entry.algorithm,
+ expected_size: entry.size,
+ actual_size: bytes.len() as u64,
+ expected_digest_b64: entry.digest_value,
+ actual_digest_b64: base64_encode(&digest),
+ });
}
- match output.as_ref() {
- Some(p) => std::fs::write(p, &body).with_context(|| format!("write {}", p.display()))?,
- None => std::io::stdout()
- .write_all(&body)
- .context("write TimeStampResp DER to stdout")?,
- }
- Ok(())
+ Ok(out)
}
-#[cfg(feature = "timestamp-http")]
-fn post_rfc3161_timestamp_request(
- url: &str,
+fn update_clickonce_manifest_hashes(
+ manifest_path: &Path,
+ base_directory: Option<&Path>,
+ output: &Path,
algorithm: HashAlg,
- message_imprint: &[u8],
-) -> Result> {
- if message_imprint.len() != digest_byte_len_for_hash_alg(algorithm) {
- return Err(anyhow!(
- "timestamp message imprint must be exactly {} bytes for {:?}, got {}",
- digest_byte_len_for_hash_alg(algorithm),
- algorithm,
- message_imprint.len()
+) -> Result {
+ let text = std::fs::read_to_string(manifest_path)
+ .with_context(|| format!("read ClickOnce manifest {}", manifest_path.display()))?;
+ let base = base_directory
+ .map(Path::to_path_buf)
+ .unwrap_or_else(|| manifest_path.parent().unwrap_or(Path::new(".")).to_path_buf());
+ let updated = update_clickonce_manifest_hashes_in_text(&text, &base, algorithm)?;
+ std::fs::write(output, updated.text)
+ .with_context(|| format!("write ClickOnce manifest {}", output.display()))?;
+ Ok(updated.updated)
+}
+
+#[derive(Debug)]
+struct ClickOnceManifestReference {
+ tag_start: usize,
+ tag_end: usize,
+ path: String,
+ size: Option,
+ algorithm: HashAlg,
+ digest_value: String,
+ digest_method_tag_start: usize,
+ digest_method_tag_end: usize,
+ digest_value_content_start: usize,
+ digest_value_content_end: usize,
+}
+
+#[derive(Debug)]
+struct UpdatedClickOnceManifest {
+ text: String,
+ updated: usize,
+}
+
+fn update_clickonce_manifest_hashes_in_text(
+ text: &str,
+ base_directory: &Path,
+ algorithm: HashAlg,
+) -> Result {
+ let entries = clickonce_manifest_reference_spans(text)?;
+ let mut replacements = Vec::with_capacity(entries.len() * 3);
+ for entry in &entries {
+ let file_path = resolve_clickonce_manifest_path(base_directory, &entry.path)?;
+ let bytes =
+ std::fs::read(&file_path).with_context(|| format!("read {}", file_path.display()))?;
+ let digest = digest_bytes_for_hash_alg(algorithm, &bytes);
+ let size = bytes.len().to_string();
+ replacements.push((
+ entry.tag_start,
+ entry.tag_end + 1,
+ replace_or_insert_xml_attr(&text[entry.tag_start..=entry.tag_end], "size", &size)?,
));
- }
- let plan = Rfc3161TimestampRequestPlan {
- digest_alg_oid: hash_alg_timestamp_oid(algorithm),
- nonce: None,
- cert_req: true,
- };
- let der = build_timestamp_request_bytes(&plan, message_imprint).ok_or_else(|| {
- anyhow!("unsupported digest OID / preimage length for RFC3161 TimeStampReq")
- })?;
- let client = reqwest::blocking::Client::builder()
- .use_rustls_tls()
- .timeout(std::time::Duration::from_secs(120))
- .build()
- .context("build HTTP client (timestamp-http feature)")?;
- let resp = client
- .post(url.trim())
- .header("Content-Type", "application/timestamp-query")
- .header(
- "Accept",
- "application/timestamp-reply, application/timestamp-response",
- )
- .body(der)
- .send()
- .with_context(|| format!("POST TimeStampReq to {}", url.trim()))?;
- let status = resp.status();
- let body = resp.bytes().context("read TSA response body")?;
- if !status.is_success() {
- return Err(anyhow!(
- "TSA HTTP {} — first {} body bytes (hex): {}",
- status,
- body.len().min(256),
- hex_lower(&body[..body.len().min(256)])
+ replacements.push((
+ entry.digest_method_tag_start,
+ entry.digest_method_tag_end + 1,
+ replace_or_insert_xml_attr(
+ &text[entry.digest_method_tag_start..=entry.digest_method_tag_end],
+ "Algorithm",
+ clickonce_digest_algorithm_uri(algorithm),
+ )?,
+ ));
+ replacements.push((
+ entry.digest_value_content_start,
+ entry.digest_value_content_end,
+ base64_encode(&digest),
));
}
- Ok(body.to_vec())
+
+ replacements.sort_by_key(|(start, _, _)| *start);
+ let mut out = String::with_capacity(text.len());
+ let mut cursor = 0usize;
+ for (start, end, replacement) in replacements {
+ if start < cursor {
+ return Err(anyhow!("internal ClickOnce manifest replacement overlap"));
+ }
+ out.push_str(&text[cursor..start]);
+ out.push_str(&replacement);
+ cursor = end;
+ }
+ out.push_str(&text[cursor..]);
+ Ok(UpdatedClickOnceManifest {
+ text: out,
+ updated: entries.len(),
+ })
}
-#[cfg(feature = "timestamp-http")]
-fn timestamp_pkcs7_der_rfc3161(
- pkcs7_der: &[u8],
- timestamp_url: &str,
- timestamp_digest: HashAlg,
-) -> Result> {
- let sd = pkcs7::parse_pkcs7_signed_data_der(pkcs7_der).context("parse PKCS#7 SignedData")?;
- let signer = sd
- .signer_infos
- .0
- .as_slice()
- .first()
- .ok_or_else(|| anyhow!("PKCS#7 SignedData has no SignerInfo to timestamp"))?;
- let imprint = digest_bytes_for_hash_alg(timestamp_digest, signer.signature.as_bytes());
- let response = post_rfc3161_timestamp_request(timestamp_url, timestamp_digest, &imprint)?;
- let parsed = parse_time_stamp_resp_der(&response)
- .ok_or_else(|| anyhow!("could not parse TimeStampResp DER from TSA response"))?;
- if !parsed.pki_status.granted() {
+fn clickonce_manifest_reference_spans(text: &str) -> Result> {
+ let mut refs = Vec::new();
+ collect_clickonce_manifest_references(text, "file", "name", &mut refs)?;
+ collect_clickonce_manifest_references(text, "dependentAssembly", "codebase", &mut refs)?;
+ refs.sort_by_key(|entry| entry.tag_start);
+ Ok(refs)
+}
+
+fn collect_clickonce_manifest_references(
+ text: &str,
+ tag: &str,
+ path_attr: &str,
+ refs: &mut Vec,
+) -> Result<()> {
+ let mut cursor = 0usize;
+ while let Some(start) = find_xml_start_tag(text, tag, cursor) {
+ let tag_end = text[start..]
+ .find('>')
+ .map(|offset| start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce manifest <{tag}> tag is not closed"))?;
+ let start_tag = &text[start..=tag_end];
+ cursor = tag_end + 1;
+ if start_tag.ends_with("/>") {
+ continue;
+ }
+ let Some(path) = xml_attr(start_tag, path_attr) else {
+ continue;
+ };
+ let close = format!("");
+ let Some(close_start) = text[cursor..].find(&close).map(|offset| cursor + offset) else {
+ continue;
+ };
+ let block_end = close_start + close.len();
+ let block = &text[tag_end + 1..close_start];
+ let Some(method) = find_xml_start_tag_by_local_name(block, "DigestMethod", 0)? else {
+ continue;
+ };
+ let Some(value) = find_xml_element_by_local_name(block, "DigestValue", 0)? else {
+ continue;
+ };
+ let method_tag = &block[method.start..=method.end];
+ let algorithm = xml_attr(method_tag, "Algorithm")
+ .as_deref()
+ .map(clickonce_hash_alg_from_uri)
+ .transpose()?
+ .unwrap_or(HashAlg::Sha256);
+ refs.push(ClickOnceManifestReference {
+ tag_start: start,
+ tag_end,
+ path,
+ size: xml_attr(start_tag, "size")
+ .map(|s| s.parse::())
+ .transpose()
+ .context("parse ClickOnce manifest size attribute")?,
+ algorithm,
+ digest_value: block[value.content_start..value.content_end]
+ .trim()
+ .to_owned(),
+ digest_method_tag_start: tag_end + 1 + method.start,
+ digest_method_tag_end: tag_end + 1 + method.end,
+ digest_value_content_start: tag_end + 1 + value.content_start,
+ digest_value_content_end: tag_end + 1 + value.content_end,
+ });
+ cursor = block_end;
+ }
+ Ok(())
+}
+
+#[derive(Debug)]
+struct XmlStartTagSpan {
+ start: usize,
+ end: usize,
+ name: String,
+}
+
+#[derive(Debug)]
+struct XmlElementSpan {
+ content_start: usize,
+ content_end: usize,
+}
+
+fn find_xml_start_tag(text: &str, tag: &str, from: usize) -> Option {
+ let needle = format!("<{tag}");
+ let mut cursor = from;
+ while let Some(rel) = text[cursor..].find(&needle) {
+ let start = cursor + rel;
+ let next = text[start + needle.len()..].chars().next();
+ if matches!(next, Some(' ' | '\t' | '\r' | '\n' | '>' | '/')) {
+ return Some(start);
+ }
+ cursor = start + needle.len();
+ }
+ None
+}
+
+fn find_xml_start_tag_by_local_name(
+ text: &str,
+ local_name: &str,
+ from: usize,
+) -> Result> {
+ let mut cursor = from;
+ while let Some(rel) = text[cursor..].find('<') {
+ let start = cursor + rel;
+ let Some(first) = text[start + 1..].chars().next() else {
+ return Ok(None);
+ };
+ if matches!(first, '/' | '!' | '?') {
+ cursor = start + 1;
+ continue;
+ }
+ let end = text[start..]
+ .find('>')
+ .map(|offset| start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce XML tag is not closed"))?;
+ let name_start = start + 1;
+ let name_end = text[name_start..=end]
+ .find(|ch: char| ch.is_whitespace() || ch == '>' || ch == '/')
+ .map(|offset| name_start + offset)
+ .unwrap_or(end);
+ let name = &text[name_start..name_end];
+ let name_local = name.rsplit_once(':').map(|(_, local)| local).unwrap_or(name);
+ if name_local == local_name {
+ return Ok(Some(XmlStartTagSpan {
+ start,
+ end,
+ name: name.to_owned(),
+ }));
+ }
+ cursor = end + 1;
+ }
+ Ok(None)
+}
+
+fn find_xml_element_by_local_name(
+ text: &str,
+ local_name: &str,
+ from: usize,
+) -> Result> {
+ let Some(start_tag) = find_xml_start_tag_by_local_name(text, local_name, from)? else {
+ return Ok(None);
+ };
+ let close = format!("", start_tag.name);
+ let content_start = start_tag.end + 1;
+ let content_end = text[content_start..]
+ .find(&close)
+ .map(|offset| content_start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce XML tag is not closed", start_tag.name))?;
+ Ok(Some(XmlElementSpan {
+ content_start,
+ content_end,
+ }))
+}
+
+fn find_xml_element_span_by_local_name(
+ text: &str,
+ local_name: &str,
+ from: usize,
+) -> Result> {
+ let Some(start_tag) = find_xml_start_tag_by_local_name(text, local_name, from)? else {
+ return Ok(None);
+ };
+ let close = format!("", start_tag.name);
+ let content_start = start_tag.end + 1;
+ let close_start = text[content_start..]
+ .find(&close)
+ .map(|offset| content_start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce XML tag is not closed", start_tag.name))?;
+ Ok(Some((start_tag.start, close_start + close.len())))
+}
+
+fn find_xml_root_start_tag(text: &str) -> Result {
+ let mut cursor = 0usize;
+ while let Some(rel) = text[cursor..].find('<') {
+ let start = cursor + rel;
+ let Some(first) = text[start + 1..].chars().next() else {
+ break;
+ };
+ if matches!(first, '?' | '!') {
+ let end = text[start..]
+ .find('>')
+ .map(|offset| start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce XML declaration/comment is not closed"))?;
+ cursor = end + 1;
+ continue;
+ }
+ if first == '/' {
+ return Err(anyhow!("ClickOnce XML starts with an unexpected closing tag"));
+ }
+ let end = text[start..]
+ .find('>')
+ .map(|offset| start + offset)
+ .ok_or_else(|| anyhow!("ClickOnce XML root tag is not closed"))?;
+ let name_start = start + 1;
+ let name_end = text[name_start..=end]
+ .find(|ch: char| ch.is_whitespace() || ch == '>' || ch == '/')
+ .map(|offset| name_start + offset)
+ .unwrap_or(end);
+ return Ok(XmlStartTagSpan {
+ start,
+ end,
+ name: text[name_start..name_end].to_owned(),
+ });
+ }
+ Err(anyhow!("ClickOnce manifest does not contain a root XML element"))
+}
+
+fn resolve_clickonce_manifest_path(base_directory: &Path, manifest_path: &str) -> Result {
+ let relative = Path::new(manifest_path);
+ let mut safe = PathBuf::new();
+ for component in relative.components() {
+ match component {
+ std::path::Component::Normal(part) => safe.push(part),
+ std::path::Component::CurDir => {}
+ _ => {
+ return Err(anyhow!(
+ "ClickOnce manifest path must be relative and stay under the base directory: {manifest_path}"
+ ));
+ }
+ }
+ }
+ if safe.as_os_str().is_empty() {
+ return Err(anyhow!("ClickOnce manifest path is empty"));
+ }
+ Ok(base_directory.join(safe))
+}
+
+fn clickonce_hash_alg_from_uri(uri: &str) -> Result {
+ match uri {
+ "http://www.w3.org/2000/09/xmldsig#sha1" => Ok(HashAlg::Sha1),
+ "http://www.w3.org/2001/04/xmlenc#sha256" => Ok(HashAlg::Sha256),
+ "http://www.w3.org/2001/04/xmldsig-more#sha384" => Ok(HashAlg::Sha384),
+ "http://www.w3.org/2001/04/xmlenc#sha512" => Ok(HashAlg::Sha512),
+ other => Err(anyhow!(
+ "unsupported ClickOnce digest method Algorithm: {other}"
+ )),
+ }
+}
+
+fn clickonce_digest_algorithm_uri(algorithm: HashAlg) -> &'static str {
+ match algorithm {
+ HashAlg::Sha1 => "http://www.w3.org/2000/09/xmldsig#sha1",
+ HashAlg::Sha256 => "http://www.w3.org/2001/04/xmlenc#sha256",
+ HashAlg::Sha384 => "http://www.w3.org/2001/04/xmldsig-more#sha384",
+ HashAlg::Sha512 => "http://www.w3.org/2001/04/xmlenc#sha512",
+ }
+}
+
+fn clickonce_signature_algorithm_uri(digest: PortableSignDigest) -> &'static str {
+ match digest {
+ PortableSignDigest::Sha256 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+ PortableSignDigest::Sha384 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+ PortableSignDigest::Sha512 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+ }
+}
+
+fn clickonce_signature_digest_uri(digest: PortableSignDigest) -> &'static str {
+ match digest {
+ PortableSignDigest::Sha256 => clickonce_digest_algorithm_uri(HashAlg::Sha256),
+ PortableSignDigest::Sha384 => clickonce_digest_algorithm_uri(HashAlg::Sha384),
+ PortableSignDigest::Sha512 => clickonce_digest_algorithm_uri(HashAlg::Sha512),
+ }
+}
+
+fn clickonce_signature_digest_bytes(digest: PortableSignDigest, bytes: &[u8]) -> Vec {
+ match digest {
+ PortableSignDigest::Sha256 => Sha256::digest(bytes).to_vec(),
+ PortableSignDigest::Sha384 => Sha384::digest(bytes).to_vec(),
+ PortableSignDigest::Sha512 => Sha512::digest(bytes).to_vec(),
+ }
+}
+
+fn unsigned_clickonce_manifest_text(text: &str) -> Result {
+ let Some((start, end)) = find_xml_element_span_by_local_name(text, "Signature", 0)? else {
+ return Ok(text.to_owned());
+ };
+ let mut out = String::with_capacity(text.len() - (end - start));
+ out.push_str(&text[..start]);
+ out.push_str(&text[end..]);
+ Ok(out)
+}
+
+fn clickonce_manifest_signed_info_xml(
+ unsigned_manifest_text: &str,
+ digest: PortableSignDigest,
+) -> Vec {
+ let manifest_digest = clickonce_signature_digest_bytes(digest, unsigned_manifest_text.as_bytes());
+ let digest_b64 = base64_encode(&manifest_digest);
+ format!(
+ r#"{digest_b64}"#,
+ clickonce_signature_algorithm_uri(digest),
+ clickonce_signature_digest_uri(digest),
+ )
+ .into_bytes()
+}
+
+fn clickonce_manifest_signature_xml(
+ signed_info: &[u8],
+ signature: &[u8],
+ cert_der: &[u8],
+) -> String {
+ let signed_info = String::from_utf8_lossy(signed_info);
+ format!(
+ r#"{signed_info}{}{}"#,
+ base64_encode(signature),
+ base64_encode(cert_der)
+ )
+}
+
+fn insert_clickonce_signature_xml(unsigned_manifest_text: &str, signature_xml: &str) -> Result {
+ let root = find_xml_root_start_tag(unsigned_manifest_text)?;
+ let close = format!("", root.name);
+ let close_start = unsigned_manifest_text
+ .rfind(&close)
+ .ok_or_else(|| anyhow!("ClickOnce manifest root tag is not closed", root.name))?;
+ let mut out = String::with_capacity(unsigned_manifest_text.len() + signature_xml.len());
+ out.push_str(&unsigned_manifest_text[..close_start]);
+ out.push_str(signature_xml);
+ out.push_str(&unsigned_manifest_text[close_start..]);
+ Ok(out)
+}
+
+fn clickonce_signed_info_from_signature_xml(signature_xml: &str) -> Result> {
+ let Some((start, end)) = find_xml_element_span_by_local_name(signature_xml, "SignedInfo", 0)? else {
+ return Err(anyhow!("ClickOnce manifest signature is missing SignedInfo"));
+ };
+ Ok(signature_xml.as_bytes()[start..end].to_vec())
+}
+
+fn clickonce_signature_value_from_signature_xml(signature_xml: &str) -> Result> {
+ let value = find_xml_element_by_local_name(signature_xml, "SignatureValue", 0)?
+ .ok_or_else(|| anyhow!("ClickOnce manifest signature is missing SignatureValue"))?;
+ let text = &signature_xml[value.content_start..value.content_end];
+ let signature = base64_decode(text.trim()).context("decode ClickOnce SignatureValue")?;
+ if signature.is_empty() {
+ return Err(anyhow!("ClickOnce manifest SignatureValue is empty"));
+ }
+ Ok(signature)
+}
+
+fn clickonce_signer_certificate_from_signature_xml(signature_xml: &str) -> Result> {
+ let value = find_xml_element_by_local_name(signature_xml, "X509Certificate", 0)?
+ .ok_or_else(|| anyhow!("ClickOnce manifest signature is missing X509Certificate"))?;
+ let text = &signature_xml[value.content_start..value.content_end];
+ let cert = base64_decode(text.trim()).context("decode ClickOnce X509Certificate")?;
+ if cert.is_empty() {
+ return Err(anyhow!("ClickOnce manifest X509Certificate is empty"));
+ }
+ Ok(cert)
+}
+
+fn sign_clickonce_manifest_path(
+ path: &Path,
+ cert: &Path,
+ key: &Path,
+ digest: PortableSignDigest,
+ output: &Path,
+) -> Result {
+ let text = std::fs::read_to_string(path)
+ .with_context(|| format!("read ClickOnce manifest {}", path.display()))?;
+ let unsigned = unsigned_clickonce_manifest_text(&text)?;
+ let cert_bytes = std::fs::read(cert).with_context(|| format!("read {}", cert.display()))?;
+ rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let key_bytes = std::fs::read(key).with_context(|| format!("read {}", key.display()))?;
+ let private_key = rdp::parse_rsa_private_key(&key_bytes)
+ .with_context(|| format!("parse RSA private key {}", key.display()))?;
+ let signed_info = clickonce_manifest_signed_info_xml(&unsigned, digest);
+ let signature = sign_clickonce_signed_info(digest, private_key, &signed_info)?;
+ let signature_xml = clickonce_manifest_signature_xml(&signed_info, &signature, &cert_bytes);
+ let signed_manifest = insert_clickonce_signature_xml(&unsigned, &signature_xml)?;
+ std::fs::write(output, signed_manifest)
+ .with_context(|| format!("write ClickOnce manifest {}", output.display()))?;
+ Ok(ClickOnceManifestSignatureReport {
+ digest,
+ manifest_digest_b64: base64_encode(&clickonce_signature_digest_bytes(
+ digest,
+ unsigned.as_bytes(),
+ )),
+ signature_len: signature.len(),
+ })
+}
+
+fn clickonce_signed_info_remote_prehash(
+ digest: PortableSignDigest,
+ signed_info: &[u8],
+) -> Vec {
+ clickonce_signature_digest_bytes(digest, signed_info)
+}
+
+fn sign_clickonce_manifest_from_external_signature_path(
+ path: &Path,
+ cert: &Path,
+ signature: &Path,
+ digest: PortableSignDigest,
+ output: &Path,
+) -> Result {
+ let text = std::fs::read_to_string(path)
+ .with_context(|| format!("read ClickOnce manifest {}", path.display()))?;
+ let unsigned = unsigned_clickonce_manifest_text(&text)?;
+ let cert_bytes = std::fs::read(cert).with_context(|| format!("read {}", cert.display()))?;
+ rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let signature = std::fs::read(signature).with_context(|| format!("read {}", signature.display()))?;
+ let signed_info = clickonce_manifest_signed_info_xml(&unsigned, digest);
+ let signature_xml = clickonce_manifest_signature_xml(&signed_info, &signature, &cert_bytes);
+ let signed_manifest = insert_clickonce_signature_xml(&unsigned, &signature_xml)?;
+ std::fs::write(output, signed_manifest)
+ .with_context(|| format!("write ClickOnce manifest {}", output.display()))?;
+ Ok(ClickOnceManifestSignatureReport {
+ digest,
+ manifest_digest_b64: base64_encode(&clickonce_signature_digest_bytes(
+ digest,
+ unsigned.as_bytes(),
+ )),
+ signature_len: signature.len(),
+ })
+}
+
+fn verify_clickonce_manifest_signature_path(
+ path: &Path,
+ cert: Option<&Path>,
+ digest: PortableSignDigest,
+ shared: &TrustVerifySharedArgs,
+) -> Result {
+ let text = std::fs::read_to_string(path)
+ .with_context(|| format!("read ClickOnce manifest {}", path.display()))?;
+ let unsigned = unsigned_clickonce_manifest_text(&text)?;
+ let (signature_start, signature_end) = find_xml_element_span_by_local_name(&text, "Signature", 0)?
+ .ok_or_else(|| anyhow!("ClickOnce manifest is missing XMLDSig Signature"))?;
+ let signature_xml = &text[signature_start..signature_end];
+ let signed_info = clickonce_signed_info_from_signature_xml(signature_xml)?;
+ let signature = clickonce_signature_value_from_signature_xml(signature_xml)?;
+ let embedded_cert = clickonce_signer_certificate_from_signature_xml(signature_xml)?;
+ let cert_bytes = match cert {
+ Some(path) => std::fs::read(path).with_context(|| format!("read {}", path.display()))?,
+ None => embedded_cert,
+ };
+ let signer_cert = rdp::parse_certificate(&cert_bytes).context("parse ClickOnce signer certificate")?;
+ let expected_signed_info = clickonce_manifest_signed_info_xml(&unsigned, digest);
+ if signed_info != expected_signed_info {
+ return Err(anyhow!("ClickOnce manifest SignedInfo does not match manifest digest"));
+ }
+ verify_clickonce_signed_info(digest, &signer_cert, &signed_info, &signature)?;
+ if trust_verify_args_present(shared) {
+ verify_xml_signer_certificate_trust(&cert_bytes, shared)?;
+ }
+ Ok(ClickOnceManifestSignatureReport {
+ digest,
+ manifest_digest_b64: base64_encode(&clickonce_signature_digest_bytes(
+ digest,
+ unsigned.as_bytes(),
+ )),
+ signature_len: signature.len(),
+ })
+}
+
+fn hash_alg_label(algorithm: HashAlg) -> &'static str {
+ match algorithm {
+ HashAlg::Sha1 => "sha1",
+ HashAlg::Sha256 => "sha256",
+ HashAlg::Sha384 => "sha384",
+ HashAlg::Sha512 => "sha512",
+ }
+}
+
+fn base64_encode(bytes: &[u8]) -> String {
+ const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+ let mut out = String::with_capacity(bytes.len().div_ceil(3) * 4);
+ for chunk in bytes.chunks(3) {
+ let b0 = chunk[0];
+ let b1 = *chunk.get(1).unwrap_or(&0);
+ let b2 = *chunk.get(2).unwrap_or(&0);
+ out.push(TABLE[(b0 >> 2) as usize] as char);
+ out.push(TABLE[(((b0 & 0x03) << 4) | (b1 >> 4)) as usize] as char);
+ if chunk.len() > 1 {
+ out.push(TABLE[(((b1 & 0x0f) << 2) | (b2 >> 6)) as usize] as char);
+ } else {
+ out.push('=');
+ }
+ if chunk.len() > 2 {
+ out.push(TABLE[(b2 & 0x3f) as usize] as char);
+ } else {
+ out.push('=');
+ }
+ }
+ out
+}
+
+fn base64_decode(text: &str) -> Result> {
+ let mut out = Vec::with_capacity(text.len() * 3 / 4);
+ let mut chunk = [0u8; 4];
+ let mut chunk_len = 0usize;
+ let mut padding = 0usize;
+ for ch in text.bytes().filter(|b| !b.is_ascii_whitespace()) {
+ let value = match ch {
+ b'A'..=b'Z' => ch - b'A',
+ b'a'..=b'z' => ch - b'a' + 26,
+ b'0'..=b'9' => ch - b'0' + 52,
+ b'+' => 62,
+ b'/' => 63,
+ b'=' => {
+ padding += 1;
+ 0
+ }
+ _ => return Err(anyhow!("invalid base64 character in XMLDSig value")),
+ };
+ chunk[chunk_len] = value;
+ chunk_len += 1;
+ if chunk_len == 4 {
+ out.push((chunk[0] << 2) | (chunk[1] >> 4));
+ if padding < 2 {
+ out.push((chunk[1] << 4) | (chunk[2] >> 2));
+ }
+ if padding == 0 {
+ out.push((chunk[2] << 6) | chunk[3]);
+ }
+ chunk_len = 0;
+ padding = 0;
+ }
+ }
+ if chunk_len != 0 {
+ return Err(anyhow!("truncated base64 XMLDSig value"));
+ }
+ Ok(out)
+}
+
+fn inspect_business_central_app(path: &Path) -> Result {
+ let bytes = std::fs::read(path).with_context(|| format!("read {}", path.display()))?;
+ Ok(BusinessCentralAppInfo {
+ is_navx: bytes.starts_with(b"NAVX"),
+ len: bytes.len() as u64,
+ })
+}
+
+fn inspect_msix_manifest_path(path: &Path) -> Result {
+ reject_encrypted_msix_path(path)?;
+ let manifest = read_msix_manifest(path)?;
+ let identity = first_tag(&manifest, "Identity")
+ .ok_or_else(|| anyhow!("MSIX/AppX AppxManifest.xml is missing Identity"))?;
+ Ok(MsixManifestInfo {
+ package_name: xml_attr(identity, "Name"),
+ publisher: xml_attr(identity, "Publisher"),
+ version: xml_attr(identity, "Version"),
+ processor_architecture: xml_attr(identity, "ProcessorArchitecture"),
+ })
+}
+
+fn set_msix_manifest_publisher_path(input: &Path, output: &Path, publisher: &str) -> Result<()> {
+ reject_encrypted_msix_path(input)?;
+ if publisher.is_empty() {
+ return Err(anyhow!("MSIX/AppX publisher cannot be empty"));
+ }
+ let reader = File::open(input).with_context(|| format!("open {}", input.display()))?;
+ let writer = File::create(output).with_context(|| format!("create {}", output.display()))?;
+ set_msix_manifest_publisher(reader, writer, publisher)
+ .with_context(|| format!("set MSIX/AppX manifest publisher in {}", input.display()))
+}
+
+fn reject_encrypted_msix_path(path: &Path) -> Result<()> {
+ let ext = path
+ .extension()
+ .and_then(|e| e.to_str())
+ .map(str::to_ascii_lowercase)
+ .unwrap_or_default();
+ if psign_sip_digest::msix_digest::is_encrypted_msix_extension(&ext) {
return Err(anyhow!(
- "TimeStampResp status is not granted (status={})",
- parsed.pki_status.as_raw_integer()
+ "encrypted MSIX/AppX packages (.eappx/.emsix) require Windows AppxSip OS delegation; portable cleartext package helpers cannot inspect or update {}",
+ path.display()
));
}
- let token = parsed
- .time_stamp_token
- .ok_or_else(|| anyhow!("TimeStampResp has no timeStampToken"))?;
- let stamped = pkcs7::signed_data_add_rfc3161_timestamp_token(&sd, 0, token)
- .context("attach RFC3161 timestamp token")?;
- pkcs7::encode_pkcs7_content_info_signed_data_der(&stamped)
+ Ok(())
}
-fn parse_sha256_hex(s: &str) -> Result<[u8; 32]> {
- let hex = s.trim().strip_prefix("0x").unwrap_or(s.trim());
- let hex = hex.strip_prefix("0X").unwrap_or(hex);
- if hex.len() != 64 {
+fn read_msix_manifest(path: &Path) -> Result {
+ let file = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ let mut archive = zip::ZipArchive::new(file).context("open MSIX/AppX ZIP")?;
+ let mut manifest = archive
+ .by_name("AppxManifest.xml")
+ .context("read AppxManifest.xml")?;
+ let mut text = String::new();
+ manifest
+ .read_to_string(&mut text)
+ .context("read AppxManifest.xml as UTF-8")?;
+ Ok(text)
+}
+
+fn set_msix_manifest_publisher(reader: R, writer: W, publisher: &str) -> Result<()>
+where
+ R: std::io::Read + std::io::Seek,
+ W: std::io::Write + std::io::Seek,
+{
+ let escaped = xml_escape_attr(publisher);
+ let mut input = zip::ZipArchive::new(reader).context("open MSIX/AppX ZIP")?;
+ if input.by_name("AppxSignature.p7x").is_ok() {
return Err(anyhow!(
- "expect 64 hex chars for SHA-256, got {}",
- hex.len()
+ "MSIX/AppX package already contains AppxSignature.p7x; update the unsigned package before final signing"
));
}
- let mut out = [0u8; 32];
- for i in 0..32 {
- let byte =
- u8::from_str_radix(&hex[i * 2..i * 2 + 2], 16).map_err(|_| anyhow!("invalid hex"))?;
- out[i] = byte;
+ let mut output = zip::ZipWriter::new(writer);
+ let mut updated_manifest = false;
+
+ for i in 0..input.len() {
+ let mut file = input.by_index(i).context("read MSIX/AppX ZIP entry")?;
+ let name = psign_opc_sign::opc::normalize_zip_part_name(file.name())?;
+ let options = zip::write::FileOptions::default().compression_method(file.compression());
+ if file.is_dir() {
+ output.add_directory(name, options)?;
+ continue;
+ }
+ output.start_file(&name, options)?;
+ if name == "AppxManifest.xml" {
+ let mut text = String::new();
+ file.read_to_string(&mut text)
+ .context("read AppxManifest.xml as UTF-8")?;
+ let updated = update_attr_for_tags(&text, "Identity", "Publisher", &escaped)?;
+ output.write_all(updated.as_bytes())?;
+ updated_manifest = true;
+ } else {
+ std::io::copy(&mut file, &mut output)?;
+ }
+ }
+
+ if !updated_manifest {
+ return Err(anyhow!("MSIX/AppX package is missing AppxManifest.xml"));
+ }
+ output.finish()?;
+ Ok(())
+}
+
+fn parse_appinstaller_descriptor(text: &str) -> Result {
+ let root_start = text
+ .find(" not found"))?;
+ let root_end = text[root_start..]
+ .find('>')
+ .map(|offset| root_start + offset)
+ .ok_or_else(|| anyhow!("App Installer root tag is not closed"))?;
+ let root_tag = &text[root_start..=root_end];
+ let namespace = xml_attr(root_tag, "xmlns");
+ let main_package =
+ first_start_tag_by_local_name(text, "MainPackage").context("parse MainPackage tag")?;
+ let main_bundle =
+ first_start_tag_by_local_name(text, "MainBundle").context("parse MainBundle tag")?;
+ let has_main_package = main_package.is_some();
+ let has_main_bundle = main_bundle.is_some();
+ let publisher = main_package
+ .and_then(|tag| xml_attr(tag, "Publisher"))
+ .or_else(|| main_bundle.and_then(|tag| xml_attr(tag, "Publisher")));
+ Ok(AppInstallerDescriptorInfo {
+ root: "AppInstaller",
+ namespace,
+ has_main_package,
+ has_main_bundle,
+ publisher,
+ })
+}
+
+fn update_appinstaller_publisher(text: &str, publisher: &str) -> Result {
+ if publisher.is_empty() {
+ return Err(anyhow!("App Installer publisher cannot be empty"));
+ }
+ let info = parse_appinstaller_descriptor(text)?;
+ if !info.has_main_package && !info.has_main_bundle {
+ return Err(anyhow!(
+ "App Installer descriptor does not contain MainPackage or MainBundle"
+ ));
+ }
+
+ let escaped = xml_escape_attr(publisher);
+ let mut updated = text.to_owned();
+ for tag in ["MainPackage", "MainBundle"] {
+ updated = update_attr_for_local_tags(&updated, tag, "Publisher", &escaped)?;
+ }
+ Ok(updated)
+}
+
+fn sign_pkcs7_id_data(
+ content: &[u8],
+ cert: &Path,
+ key: &Path,
+ chain_certs: Vec,
+ digest: PortableSignDigest,
+) -> Result> {
+ let (signer_cert, chain) = load_cms_signer_material(cert, chain_certs)?;
+ let key_bytes = std::fs::read(key).with_context(|| format!("read {}", key.display()))?;
+ let private_key = rdp::parse_rsa_private_key(&key_bytes)
+ .with_context(|| format!("parse RSA private key {}", key.display()))?;
+ let econtent_der = id_data_econtent_der(content)?;
+ let pkcs7 = pkcs7::create_pkcs7_signed_data_der_rsa(
+ pkcs7_id_data_oid()?,
+ &econtent_der,
+ digest.into(),
+ signer_cert,
+ chain,
+ private_key,
+ )?;
+ detach_pkcs7_econtent(&pkcs7)
+}
+
+fn load_cms_signer_material(
+ cert: &Path,
+ chain_certs: Vec,
+) -> Result<(x509_cert::Certificate, Vec)> {
+ let cert_bytes = std::fs::read(cert).with_context(|| format!("read {}", cert.display()))?;
+ let signer_cert = rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let mut chain = Vec::with_capacity(chain_certs.len());
+ for chain_cert in chain_certs {
+ let bytes =
+ std::fs::read(&chain_cert).with_context(|| format!("read {}", chain_cert.display()))?;
+ chain.push(
+ rdp::parse_certificate(&bytes)
+ .with_context(|| format!("parse chain certificate {}", chain_cert.display()))?,
+ );
+ }
+ Ok((signer_cert, chain))
+}
+
+fn id_data_econtent_der(content: &[u8]) -> Result> {
+ OctetString::new(content.to_vec())
+ .map_err(|e| anyhow!("encode CMS id-data OCTET STRING: {e}"))?
+ .to_der()
+ .map_err(|e| anyhow!("encode CMS id-data DER: {e}"))
+}
+
+fn pkcs7_id_data_oid() -> Result {
+ ObjectIdentifier::new(pkcs7::PKCS7_ID_DATA_OID)
+ .map_err(|e| anyhow!("parse CMS id-data OID: {e}"))
+}
+
+fn pkcs7_id_data_remote_prehash(content: &[u8], digest: PortableSignDigest) -> Result> {
+ let econtent_der = id_data_econtent_der(content)?;
+ pkcs7::pkcs7_remote_rsa_signed_attrs_digest(pkcs7_id_data_oid()?, &econtent_der, digest.into())
+}
+
+fn sign_pkcs7_id_data_with_external_signature(
+ content: &[u8],
+ cert: &Path,
+ chain_certs: Vec,
+ digest: PortableSignDigest,
+ signature: &[u8],
+) -> Result> {
+ let (signer_cert, chain) = load_cms_signer_material(cert, chain_certs)?;
+ let econtent_der = id_data_econtent_der(content)?;
+ pkcs7::create_pkcs7_signed_data_der_with_rsa_signature(
+ pkcs7_id_data_oid()?,
+ &econtent_der,
+ digest.into(),
+ signer_cert,
+ chain,
+ signature,
+ true,
+ )
+}
+
+fn detach_pkcs7_econtent(pkcs7_der: &[u8]) -> Result> {
+ let mut detached = pkcs7::parse_pkcs7_signed_data_der(pkcs7_der)
+ .context("parse generated CMS before detaching eContent")?;
+ detached.encap_content_info.econtent = None;
+ pkcs7::encode_pkcs7_content_info_signed_data_der(&detached)
+}
+
+fn update_attr_for_tags(text: &str, tag: &str, attr: &str, escaped_value: &str) -> Result {
+ let mut out = String::with_capacity(text.len());
+ let mut cursor = 0usize;
+ let needle = format!("<{tag}");
+ while let Some(rel_start) = text[cursor..].find(&needle) {
+ let start = cursor + rel_start;
+ let end = text[start..]
+ .find('>')
+ .map(|offset| start + offset)
+ .ok_or_else(|| anyhow!("App Installer <{tag}> tag is not closed"))?;
+ out.push_str(&text[cursor..start]);
+ out.push_str(&replace_or_insert_xml_attr(
+ &text[start..=end],
+ attr,
+ escaped_value,
+ )?);
+ cursor = end + 1;
}
+ out.push_str(&text[cursor..]);
Ok(out)
}
-fn print_trust_ok(prefix: &str, report: &TrustVerifyPeReport) {
- println!(
- "{prefix}: ok — verified {} PKCS#7 entr(y/ies); {} anchor thumbprint(s)",
- report.pkcs7_entries_verified, report.anchor_thumbprints
- );
+fn update_attr_for_local_tags(
+ text: &str,
+ local_name: &str,
+ attr: &str,
+ escaped_value: &str,
+) -> Result {
+ let mut out = String::with_capacity(text.len());
+ let mut cursor = 0usize;
+ while let Some(tag) = find_xml_start_tag_by_local_name(text, local_name, cursor)? {
+ out.push_str(&text[cursor..tag.start]);
+ out.push_str(&replace_or_insert_xml_attr(
+ &text[tag.start..=tag.end],
+ attr,
+ escaped_value,
+ )?);
+ cursor = tag.end + 1;
+ }
+ out.push_str(&text[cursor..]);
+ Ok(out)
}
-#[derive(Subcommand)]
-enum Command {
+fn replace_or_insert_xml_attr(tag: &str, attr: &str, escaped_value: &str) -> Result {
+ let needle = format!("{attr}=\"");
+ if let Some(value_start) = tag.find(&needle).map(|idx| idx + needle.len()) {
+ let value_end = tag[value_start..]
+ .find('"')
+ .map(|offset| value_start + offset)
+ .ok_or_else(|| anyhow!("App Installer {attr} attribute is not closed"))?;
+ let mut out = String::with_capacity(tag.len() + escaped_value.len());
+ out.push_str(&tag[..value_start]);
+ out.push_str(escaped_value);
+ out.push_str(&tag[value_end..]);
+ return Ok(out);
+ }
+
+ let insert_at = tag
+ .rfind("/>")
+ .or_else(|| tag.rfind('>'))
+ .ok_or_else(|| anyhow!("App Installer tag is not closed"))?;
+ let mut out = String::with_capacity(tag.len() + attr.len() + escaped_value.len() + 4);
+ out.push_str(&tag[..insert_at]);
+ out.push(' ');
+ out.push_str(attr);
+ out.push_str("=\"");
+ out.push_str(escaped_value);
+ out.push('"');
+ out.push_str(&tag[insert_at..]);
+ Ok(out)
+}
+
+fn xml_escape_attr(value: &str) -> String {
+ value
+ .replace('&', "&")
+ .replace('"', """)
+ .replace('<', "<")
+ .replace('>', ">")
+}
+
+fn first_tag<'a>(text: &'a str, tag: &str) -> Option<&'a str> {
+ let start = text.find(&format!("<{tag}"))?;
+ let end = text[start..].find('>').map(|offset| start + offset)?;
+ Some(&text[start..=end])
+}
+
+fn first_start_tag_by_local_name<'a>(text: &'a str, local_name: &str) -> Result> {
+ Ok(find_xml_start_tag_by_local_name(text, local_name, 0)?
+ .map(|tag| &text[tag.start..=tag.end]))
+}
+
+fn xml_attr(tag: &str, name: &str) -> Option {
+ let needle = format!("{name}=\"");
+ let start = tag.find(&needle)? + needle.len();
+ let end = tag[start..].find('"')? + start;
+ Some(tag[start..end].to_owned())
+}
+
+fn run_rfc3161_timestamp_resp_inspect(
+ path: &Path,
+ expect_digest_hex: Option<&str>,
+ expect_nonce: Option,
+) -> Result<()> {
+ let bytes = std::fs::read(path).with_context(|| format!("read {}", path.display()))?;
+ let expected_digest = expect_digest_hex
+ .map(normalize_even_hex)
+ .transpose()
+ .context("parse --expect-digest-hex")?;
+ let expected_nonce = expect_nonce.map(rfc3161_nonce_hex);
+ let p = parse_time_stamp_resp_der(&bytes).ok_or_else(|| {
+ anyhow!("could not parse TimeStampResp DER (definite ASN.1 subset or trailing garbage)")
+ })?;
+ let tok_len = p.time_stamp_token.map(|t| t.len()).unwrap_or(0);
+ println!(
+ "pki_status={} pki_status_int={} granted={} time_stamp_token_len={}",
+ pki_status_label(p.pki_status),
+ p.pki_status.as_raw_integer(),
+ if p.pki_status.granted() { "yes" } else { "no" },
+ tok_len
+ );
+ println!(
+ "time_stamp_token_prefix_hex={}",
+ time_stamp_token_prefix_hex(p.time_stamp_token)
+ );
+ println!(
+ "status_strings_json={}",
+ serde_json::to_string(&p.status_strings).context("encode PKIStatusInfo.statusString")?
+ );
+ match p.fail_info_tlv {
+ Some(fi) => println!("fail_info_tlv_hex={}", hex_lower(fi)),
+ None => println!("fail_info_tlv_hex=-"),
+ }
+ let flags_json = match p.fail_info_tlv {
+ None => serde_json::Value::Array(vec![]),
+ Some(fi) => match pkifailure_info_flag_labels_from_bit_string_tlv(fi) {
+ Some(labels) => serde_json::to_value(&labels).context("encode failInfo flags")?,
+ None => serde_json::Value::Null,
+ },
+ };
+ println!("fail_info_flags_json={flags_json}");
+ if let Some(tst) = p.time_stamp_token.and_then(parse_time_stamp_token_tst_info) {
+ println!("tst_info_present=yes");
+ println!("tst_info_policy_oid={}", tst.policy_oid);
+ println!(
+ "tst_info_message_imprint_digest_alg_oid={}",
+ tst.message_imprint_digest_alg_oid
+ );
+ println!(
+ "tst_info_message_imprint_hashed_message_hex={}",
+ hex_lower(&tst.message_imprint_hashed_message)
+ );
+ println!("tst_info_serial_hex={}", tst.serial_number_hex);
+ println!("tst_info_gen_time={}", tst.gen_time);
+ println!(
+ "tst_info_nonce_hex={}",
+ tst.nonce_hex.as_deref().unwrap_or("-")
+ );
+ if let Some(expected) = expected_digest.as_deref() {
+ println!(
+ "tst_info_message_imprint_match={}",
+ if hex_lower(&tst.message_imprint_hashed_message) == expected {
+ "yes"
+ } else {
+ "no"
+ }
+ );
+ }
+ if let Some(expected) = expected_nonce.as_deref() {
+ println!(
+ "tst_info_nonce_match={}",
+ if tst.nonce_hex.as_deref() == Some(expected) {
+ "yes"
+ } else {
+ "no"
+ }
+ );
+ }
+ } else {
+ println!("tst_info_present=no");
+ if expected_digest.is_some() {
+ println!("tst_info_message_imprint_match=no");
+ }
+ if expected_nonce.is_some() {
+ println!("tst_info_nonce_match=no");
+ }
+ }
+ Ok(())
+}
+
+#[cfg(feature = "timestamp-http")]
+fn run_rfc3161_timestamp_http_post(
+ url: String,
+ algorithm: HashAlg,
+ digest_file: Option,
+ digest_hex: Option,
+ nonce: Option,
+ cert_req: bool,
+ output: Option,
+) -> Result<()> {
+ use std::io::Write;
+ let preimage =
+ load_timestamp_imprint_preimage(digest_hex.as_ref(), digest_file.as_ref(), algorithm)?;
+ let plan = Rfc3161TimestampRequestPlan {
+ digest_alg_oid: hash_alg_timestamp_oid(algorithm),
+ nonce,
+ cert_req,
+ };
+ let der = build_timestamp_request_bytes(&plan, &preimage).ok_or_else(|| {
+ anyhow!("unsupported digest OID / preimage length for RFC3161 TimeStampReq")
+ })?;
+ let client = reqwest::blocking::Client::builder()
+ .use_rustls_tls()
+ .timeout(std::time::Duration::from_secs(120))
+ .build()
+ .context("build HTTP client (timestamp-http feature)")?;
+ let resp = client
+ .post(url.trim())
+ .header("Content-Type", "application/timestamp-query")
+ .header(
+ "Accept",
+ "application/timestamp-reply, application/timestamp-response",
+ )
+ .body(der)
+ .send()
+ .with_context(|| format!("POST TimeStampReq to {}", url.trim()))?;
+ let status = resp.status();
+ let body = resp.bytes().context("read TSA response body")?;
+ if !status.is_success() {
+ return Err(anyhow!(
+ "TSA HTTP {} — first {} body bytes (hex): {}",
+ status,
+ body.len().min(256),
+ hex_lower(&body[..body.len().min(256)])
+ ));
+ }
+ match output.as_ref() {
+ Some(p) => std::fs::write(p, &body).with_context(|| format!("write {}", p.display()))?,
+ None => std::io::stdout()
+ .write_all(&body)
+ .context("write TimeStampResp DER to stdout")?,
+ }
+ Ok(())
+}
+
+#[cfg(feature = "timestamp-http")]
+fn post_rfc3161_timestamp_request(
+ url: &str,
+ algorithm: HashAlg,
+ message_imprint: &[u8],
+) -> Result> {
+ if message_imprint.len() != digest_byte_len_for_hash_alg(algorithm) {
+ return Err(anyhow!(
+ "timestamp message imprint must be exactly {} bytes for {:?}, got {}",
+ digest_byte_len_for_hash_alg(algorithm),
+ algorithm,
+ message_imprint.len()
+ ));
+ }
+ let plan = Rfc3161TimestampRequestPlan {
+ digest_alg_oid: hash_alg_timestamp_oid(algorithm),
+ nonce: None,
+ cert_req: true,
+ };
+ let der = build_timestamp_request_bytes(&plan, message_imprint).ok_or_else(|| {
+ anyhow!("unsupported digest OID / preimage length for RFC3161 TimeStampReq")
+ })?;
+ let client = reqwest::blocking::Client::builder()
+ .use_rustls_tls()
+ .timeout(std::time::Duration::from_secs(120))
+ .build()
+ .context("build HTTP client (timestamp-http feature)")?;
+ let resp = client
+ .post(url.trim())
+ .header("Content-Type", "application/timestamp-query")
+ .header(
+ "Accept",
+ "application/timestamp-reply, application/timestamp-response",
+ )
+ .body(der)
+ .send()
+ .with_context(|| format!("POST TimeStampReq to {}", url.trim()))?;
+ let status = resp.status();
+ let body = resp.bytes().context("read TSA response body")?;
+ if !status.is_success() {
+ return Err(anyhow!(
+ "TSA HTTP {} — first {} body bytes (hex): {}",
+ status,
+ body.len().min(256),
+ hex_lower(&body[..body.len().min(256)])
+ ));
+ }
+ Ok(body.to_vec())
+}
+
+#[cfg(feature = "timestamp-http")]
+fn timestamp_pkcs7_der_rfc3161(
+ pkcs7_der: &[u8],
+ timestamp_url: &str,
+ timestamp_digest: HashAlg,
+) -> Result> {
+ let sd = pkcs7::parse_pkcs7_signed_data_der(pkcs7_der).context("parse PKCS#7 SignedData")?;
+ let signer = sd
+ .signer_infos
+ .0
+ .as_slice()
+ .first()
+ .ok_or_else(|| anyhow!("PKCS#7 SignedData has no SignerInfo to timestamp"))?;
+ let imprint = digest_bytes_for_hash_alg(timestamp_digest, signer.signature.as_bytes());
+ let response = post_rfc3161_timestamp_request(timestamp_url, timestamp_digest, &imprint)?;
+ let parsed = parse_time_stamp_resp_der(&response)
+ .ok_or_else(|| anyhow!("could not parse TimeStampResp DER from TSA response"))?;
+ if !parsed.pki_status.granted() {
+ return Err(anyhow!(
+ "TimeStampResp status is not granted (status={})",
+ parsed.pki_status.as_raw_integer()
+ ));
+ }
+ let token = parsed
+ .time_stamp_token
+ .ok_or_else(|| anyhow!("TimeStampResp has no timeStampToken"))?;
+ let stamped = pkcs7::signed_data_add_rfc3161_timestamp_token(&sd, 0, token)
+ .context("attach RFC3161 timestamp token")?;
+ pkcs7::encode_pkcs7_content_info_signed_data_der(&stamped)
+}
+
+fn timestamp_pkcs7_if_requested(
+ pkcs7_der: &[u8],
+ timestamp_url: Option,
+ timestamp_digest: Option,
+ context: &str,
+) -> Result> {
+ match (timestamp_url, timestamp_digest) {
+ (Some(url), Some(timestamp_digest)) => {
+ #[cfg(feature = "timestamp-http")]
+ {
+ timestamp_pkcs7_der_rfc3161(pkcs7_der, &url, timestamp_digest)
+ .with_context(|| format!("RFC3161 timestamp {context}"))
+ }
+ #[cfg(not(feature = "timestamp-http"))]
+ {
+ let _ = (url, timestamp_digest);
+ Err(anyhow!(
+ "{context} RFC3161 timestamping requires the timestamp-http feature"
+ ))
+ }
+ }
+ (Some(_), None) => Err(anyhow!("{context} requires --timestamp-digest with --timestamp-url")),
+ (None, Some(_)) => Err(anyhow!("{context} requires --timestamp-url with --timestamp-digest")),
+ (None, None) => Ok(pkcs7_der.to_vec()),
+ }
+}
+
+fn parse_sha256_hex(s: &str) -> Result<[u8; 32]> {
+ let hex = s.trim().strip_prefix("0x").unwrap_or(s.trim());
+ let hex = hex.strip_prefix("0X").unwrap_or(hex);
+ if hex.len() != 64 {
+ return Err(anyhow!(
+ "expect 64 hex chars for SHA-256, got {}",
+ hex.len()
+ ));
+ }
+ let mut out = [0u8; 32];
+ for i in 0..32 {
+ let byte =
+ u8::from_str_radix(&hex[i * 2..i * 2 + 2], 16).map_err(|_| anyhow!("invalid hex"))?;
+ out[i] = byte;
+ }
+ Ok(out)
+}
+
+fn print_trust_ok(prefix: &str, report: &TrustVerifyPeReport) {
+ println!(
+ "{prefix}: ok — verified {} PKCS#7 entr(y/ies); {} anchor thumbprint(s)",
+ report.pkcs7_entries_verified, report.anchor_thumbprints
+ );
+}
+
+#[derive(Subcommand)]
+enum Command {
/// Print lowercase hex of the PE/WinMD **Authenticode image digest** (unsigned PE is OK).
PeDigest {
path: PathBuf,
- #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
- algorithm: HashAlg,
- /// **`hex`** (default): one lowercase hex line. **`raw`**: raw digest bytes (e.g. for **`artifact-signing-submit`** `--digest-file`).
+ #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
+ algorithm: HashAlg,
+ /// **`hex`** (default): one lowercase hex line. **`raw`**: raw digest bytes (e.g. for **`artifact-signing-submit`** `--digest-file`).
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ /// Write output here instead of stdout.
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Compare PE **`Optional Header.CheckSum`** to **`pe_compute_image_checksum`** (Windows **`CheckSumMappedFile`** style).
+ ///
+ /// Prints one line each: **`stored=0x…`**, **`computed=0x…`**, **`match=yes|no`**, **`file_bytes=N`**. **`--strict`**: exit with failure when **`match=no`** (CI / parity gate).
+ PeChecksum {
+ path: PathBuf,
+ #[arg(long)]
+ strict: bool,
+ },
+ /// Require embedded PKCS#7; compare indirect digest to Rust PE recomputation for each Authenticode cert.
+ VerifyPe { path: PathBuf },
+ /// Verify PE Authenticode **trust**: PKCS#7 CMS validation + certificate chain to **explicit** anchors (no OS store).
+ ///
+ /// Supply **`--anchor-dir`** (Phase A: `.crt`/`.cer`/`.pem`) and/or **`--authroot-cab`** (extract certs + CTL thumbs from AuthRoot-style CAB `.stl` payloads). **`verify-pe`** remains digest-only; this subcommand adds chain + policy checks.
+ TrustVerifyPe {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Same trust pipeline as **`trust-verify-pe`** after CAB SIP digest consistency (**`verify-cab`**).
+ TrustVerifyCab {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Same trust pipeline as **`trust-verify-pe`** after MSI/MSP SIP digest consistency (**`verify-msi`**).
+ TrustVerifyMsi {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Same trust pipeline as **`trust-verify-pe`** after WIM/ESD SIP digest consistency (**`verify-esd`**).
+ TrustVerifyEsd {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// CMS catalog digest consistency (**`verify-catalog`**) plus PKCS#7 chain to anchors when Authenticode-wrapped.
+ TrustVerifyCatalog {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Detached PKCS#7 vs raw **`content`** bytes (digest inferred from PKCS#7 indirect length); PKCS#7 blob normalized like Win32 `CryptVerifyDetachedMessageSignature` helpers.
+ TrustVerifyDetached {
+ content: PathBuf,
+ signature: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Custom ZIP Authenticode comment signature: verify ZIP digest binding plus PKCS#7 chain to anchors.
+ TrustVerifyZip {
+ path: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
+ },
+ /// Print whether embedded PKCS#7 bytes contain **SPC_PE_IMAGE_PAGE_HASHES** attribute OIDs (V1/V2 DER scan).
+ ///
+ /// Outputs `yes` or `no` (does **not** validate page segments vs file bytes — use **`verify-pe-page-hashes`** for the experimental Rust check).
+ PeHasPageHashes { path: PathBuf },
+ /// Print structured **`SPC_PE_IMAGE_PAGE_HASHES`** rows from CMS **signed** attributes (one line per signer location).
+ ///
+ /// Includes **`parsed_page_hash_pairs`** when DER peeling + flat-table parsing succeeds (`-` otherwise).
+ /// Empty stdout means no matching authenticated attributes were found. Does **not** validate pages vs file bytes.
+ PePageHashInfo { path: PathBuf },
+ /// **Experimental:** parse embedded page-hash tables and verify **contiguous raw file ranges** (see `psign_sip_digest::page_hashes::verify_pe_embedded_page_hash_tables`).
+ ///
+ /// Not a full `WinVerifyTrust` `/ph` clone — checksum / cert-directory exclusions may differ from native.
+ VerifyPePageHashes { path: PathBuf },
+ /// Print ordered **[`start`,`end`)** file byte ranges included in **PE Authenticode image digest** (same layout as `authenticode-rs` / `pe_authenticode_digest`).
+ ///
+ /// One line per range: `start=N end=M` (half-open end). Useful on Linux for tooling / future page-hash alignment vs `WinTrust`.
+ PeAuthenticodeRanges { path: PathBuf },
+ /// Decode **`SpcIndirectDataContent`** from an embedded Authenticode PKCS#7 (**JSON** to stdout; certificate-table order; default **`--index`** **`0`**).
+ ///
+ /// Intended for Linux-side inspection and PKCS#7 rebuild experiments (Rust **`pkcs7`** module in **`psign-sip-digest`**); does **not** sign or embed signatures.
+ InspectPeSpcIndirect {
+ path: PathBuf,
+ /// **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row index (**`0`** = first; same order as **`extract-pe-pkcs7`** / **`list-pe-pkcs7`**).
+ #[arg(long, default_value_t = 0)]
+ index: usize,
+ /// Include lowercase hex of **`image_data.value`** DER (**`SpcPeImageData`**) — output can be large.
+ #[arg(long)]
+ include_image_value_der_hex: bool,
+ },
+ /// Write an embedded Authenticode PKCS#7 (**raw DER**) to stdout or **`--output`** (certificate-table order; default **`--index`** **`0`**).
+ ExtractPePkcs7 {
+ path: PathBuf,
+ /// **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row index (**`0`** = first).
+ #[arg(long, default_value_t = 0)]
+ index: usize,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// List **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** PKCS#7 rows in the PE certificate table (**`pkcs7_entries=N`** then **`index=i byte_len=L`** per line).
+ ListPePkcs7 { path: PathBuf },
+ /// **SHA-256** (**32** octets) over a signer’s authenticated-attribute **`SET OF Attribute`** DER (**RFC 5652** §5.4).
+ ///
+ /// Same raw digest Azure Key Vault **`keys/sign`** expects for **`RS256`** (base64 **`value`** in JSON) when re-signing **CMS `SignerInfo`** on **RSA SHA-256** Authenticode. Differs from **`pe-digest`** (PE **image** hash). Requires **`SignerInfo.digestAlgorithm`** **SHA-256** and **`signedAttrs`**. **`--index`**: **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row (**`0`** = first). **`--signer-index`**: **`SignerInfo`** within that PKCS#7’s **`SignedData`** (**`0`** = first; same as **`pkcs7-signer-rs256-prehash --signer-index`** after **`extract-pe-pkcs7`**).
+ PeSignerRs256Prehash {
+ path: PathBuf,
+ #[arg(long, default_value_t = 0)]
+ index: usize,
+ #[arg(long, default_value_t = 0)]
+ signer_index: usize,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Same digest as **`pe-signer-rs256-prehash`**, but **`path`** is **PKCS#7** DER (**`ContentInfo`** wrapping **`SignedData`**, or bare **`SignedData`** normalized like **`extract-pe-pkcs7`** output).
+ ///
+ /// **`--signer-index`**: **`SignerInfo`** within this **`SignedData`** (**`0`** = first). For PE workflows, extract PKCS#7 first (**`extract-pe-pkcs7`**) then run this command.
+ Pkcs7SignerRs256Prehash {
+ path: PathBuf,
+ #[arg(long, default_value_t = 0)]
+ signer_index: usize,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// **Experimental:** Append raw PKCS#7 (**`SignedData`**) DER as a new **`WIN_CERTIFICATE`** row (**`pe_embed`**).
+ ///
+ /// Updates the PE security directory and recomputes **`Optional Header.CheckSum`** (**`pe_compute_image_checksum`**). Does **not** validate PKCS#7 ↔ image digest or replace **`SignerSignEx3`**. For hybrid tooling and future portable sign pipelines.
+ AppendPePkcs7 {
+ /// Input PE path (**read fully** before writing **`--output`**; same path allowed).
+ #[arg(long = "pe", value_name = "PATH")]
+ pe_path: PathBuf,
+ /// PKCS#7 DER file (**bare `SignedData`** is normalized like other portable PKCS#7 paths).
+ #[arg(long = "pkcs7", value_name = "PATH")]
+ pkcs7_path: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Sign an unsigned PE image with portable Authenticode CMS + `WIN_CERTIFICATE` embedding.
+ ///
+ /// This is the first production-oriented portable Authenticode signing path. It supports local RSA
+ /// PKCS#1 v1.5 keys or Azure Key Vault RSA signing and SHA-2 digests; timestamp embedding and
+ /// non-PE formats remain separate backlog.
+ SignPe {
+ /// Input PE path.
+ #[arg(value_name = "PATH")]
+ path: PathBuf,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: Option,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: Option,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// File digest algorithm for the PE Authenticode indirect digest and CMS signer.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// RFC3161 timestamp URL to timestamp the primary PE signature after signing.
+ #[arg(long = "timestamp-url", visible_alias = "tr")]
+ timestamp_url: Option,
+ /// RFC3161 timestamp digest algorithm.
+ #[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
+ timestamp_digest: Option,
+ /// Azure Key Vault URL for remote RSA signing.
+ #[arg(long = "azure-key-vault-url", visible_alias = "kvu")]
+ azure_key_vault_url: Option,
+ /// Azure Key Vault certificate name for remote RSA signing.
+ #[arg(long = "azure-key-vault-certificate", visible_alias = "kvc")]
+ azure_key_vault_certificate: Option,
+ /// Optional Azure Key Vault certificate version.
+ #[arg(long = "azure-key-vault-certificate-version", visible_alias = "kvcv")]
+ azure_key_vault_certificate_version: Option,
+ #[arg(long = "azure-key-vault-accesstoken")]
+ azure_key_vault_access_token: Option,
+ #[arg(long = "azure-key-vault-managed-identity")]
+ azure_key_vault_managed_identity: bool,
+ #[arg(long = "azure-key-vault-tenant-id")]
+ azure_key_vault_tenant_id: Option,
+ #[arg(long = "azure-key-vault-client-id")]
+ azure_key_vault_client_id: Option,
+ #[arg(long = "azure-key-vault-client-secret")]
+ azure_key_vault_client_secret: Option,
+ #[arg(long = "azure-authority")]
+ azure_authority: Option,
+ #[command(flatten)]
+ artifact_signing: Box,
+ /// Output signed PE path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Sign an unsigned CAB file with portable Authenticode CMS and CAB reserve-header embedding.
+ ///
+ /// Supports single-volume unsigned CABs without an existing reserve header.
+ SignCab {
+ /// Input CAB path.
+ #[arg(value_name = "PATH")]
+ path: PathBuf,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// File digest algorithm for the CAB Authenticode indirect digest and CMS signer.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Output signed CAB path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Sign an MSI/MSP OLE package with portable Authenticode CMS and a DigitalSignature stream.
+ SignMsi {
+ /// Input MSI/MSP path.
+ #[arg(value_name = "PATH")]
+ path: PathBuf,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// File digest algorithm for the MSI Authenticode indirect digest and CMS signer.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Output signed MSI/MSP path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Sign a portable generic file catalog (`.cat`) with CTL members and CMS `SignedData`.
+ ///
+ /// This authors explicit file membership entries for the provided subjects. It does not implement
+ /// driver/INF policy, OS catalog database installation/search, or MakeCat byte-for-byte output.
+ SignCatalog {
+ /// Subject file(s) to include as catalog members.
+ #[arg(required = true, value_name = "PATH")]
+ files: Vec,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// File digest algorithm for catalog member digests and CMS signer.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Output signed catalog path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Attach an RFC3161 timestamp token to an existing embedded PE Authenticode signature.
+ ///
+ /// Accepts either a raw `timeStampToken` `ContentInfo` DER file or a `TimeStampResp` DER file containing one.
+ TimestampPeRfc3161 {
+ /// Signed PE path to mutate.
+ #[arg(value_name = "PATH")]
+ path: PathBuf,
+ /// Embedded PKCS#7 row index in the PE certificate table.
+ #[arg(long, default_value_t = 0)]
+ index: usize,
+ /// SignerInfo index inside the selected PKCS#7 SignedData.
+ #[arg(long, default_value_t = 0)]
+ signer_index: usize,
+ /// Raw RFC3161 timeStampToken ContentInfo DER.
+ #[arg(long, value_name = "PATH", conflicts_with = "response")]
+ token: Option,
+ /// RFC3161 TimeStampResp DER containing a granted timeStampToken.
+ #[arg(long, value_name = "PATH", conflicts_with = "token")]
+ response: Option,
+ /// Output PE path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Sign `.rdp` files using portable RDP SignScope/SecureSettingsBlob logic.
+ ///
+ /// Supply either **`--cert`** + **`--key`** for local RSA/SHA-256 PKCS#7 creation, or
+ /// **`--signature-pkcs7`** to embed an externally-created detached PKCS#7 for a single input.
+ Rdp {
+ /// Signer certificate as DER or PEM.
+ #[arg(
+ long,
+ value_name = "PATH",
+ requires = "key",
+ conflicts_with = "signature_pkcs7"
+ )]
+ cert: Option,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(
+ long,
+ value_name = "PATH",
+ requires = "cert",
+ conflicts_with = "signature_pkcs7"
+ )]
+ key: Option,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(
+ long = "chain-cert",
+ value_name = "PATH",
+ requires = "cert",
+ conflicts_with = "signature_pkcs7"
+ )]
+ chain_certs: Vec,
+ /// Detached PKCS#7 DER to serialize into the RDP `Signature` record.
+ #[arg(long = "signature-pkcs7", value_name = "PATH", conflicts_with_all = ["cert", "key", "chain_certs"])]
+ signature_pkcs7: Option,
+ /// Build and validate the signed shape without writing files.
+ #[arg(long)]
+ dry_run: bool,
+ /// Write output here instead of overwriting the input. Only valid with one input file.
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ /// `.rdp` file(s) to sign.
+ #[arg(required = true)]
+ files: Vec,
+ },
+ /// Write embedded Authenticode PKCS#7 (**raw DER**) from a signed **`.cab`** tail to stdout or **`--output`**.
+ ///
+ /// Layout: **`cab_digest::cab_signature_pkcs7_der`** (same bytes you would pass to **`pkcs7-signer-rs256-prehash`**).
+ ExtractCabPkcs7 {
+ path: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Same digest as **`pkcs7-signer-rs256-prehash`** on PKCS#7 embedded at the end of a signed **`.cab`** (after **`extract-cab-pkcs7`**).
+ ///
+ /// **`--signer-index`**: **`SignerInfo`** within that **`SignedData`**. For AzureSignTool-style **KV `RS256`**, use **`--encoding raw`** (distinct from **`cab-digest`** MSCF subject hash).
+ CabSignerRs256Prehash {
+ path: PathBuf,
+ #[arg(long, default_value_t = 0)]
+ signer_index: usize,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// CAB with embedded PKCS#7: compare indirect digest to Rust CAB hash.
+ VerifyCab { path: PathBuf },
+ /// Custom ZIP Authenticode comment signature: compare ZIP digest binding and reconstructed script digest.
+ VerifyZip { path: PathBuf },
+ /// Write **`\\u{5}DigitalSignature`** stream (**raw PKCS#7 DER**) from an **`.msi`** to stdout or **`--output`**.
+ ///
+ /// Same blob as **`pkcs7-signer-rs256-prehash`** input for that signature. For real signed MSIs only; see **`tests/fixtures/msi-authenticode-upstream/README.md`** for the PKCS#7-only stub used in CI.
+ ExtractMsiPkcs7 {
+ path: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Same digest as **`pkcs7-signer-rs256-prehash`** on PKCS#7 from **`\\u{5}DigitalSignature`** (after **`extract-msi-pkcs7`**).
+ ///
+ /// **`--signer-index`**: **`SignerInfo`** within **`SignedData`**. **`--encoding raw`** for Azure KV **`RS256`** (distinct from MSI SIP fingerprint / **`verify-msi`** subject hash).
+ MsiSignerRs256Prehash {
+ path: PathBuf,
+ #[arg(long, default_value_t = 0)]
+ signer_index: usize,
#[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
encoding: DigestEncoding,
- /// Write output here instead of stdout.
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Compare PE **`Optional Header.CheckSum`** to **`pe_compute_image_checksum`** (Windows **`CheckSumMappedFile`** style).
- ///
- /// Prints one line each: **`stored=0x…`**, **`computed=0x…`**, **`match=yes|no`**, **`file_bytes=N`**. **`--strict`**: exit with failure when **`match=no`** (CI / parity gate).
- PeChecksum {
+ /// Signed MSI: compare PKCS#7 indirect digest to Rust OLE fingerprint (and extended stream if present).
+ VerifyMsi { path: PathBuf },
+ /// Signed WIM/ESD: compare PKCS#7 indirect digest to Rust prefix hash.
+ VerifyEsd { path: PathBuf },
+ /// Cleartext MSIX/APPX/bundle: compare PKCS#7 indirect digest to Rust ZIP rehash (encrypted extensions rejected).
+ VerifyMsix { path: PathBuf },
+ /// Inspect cleartext MSIX/AppX `AppxManifest.xml` Identity metadata.
+ MsixManifestInfo { path: PathBuf },
+ /// Update cleartext MSIX/AppX `AppxManifest.xml` Identity Publisher before final signing.
+ MsixSetPublisher {
path: PathBuf,
- #[arg(long)]
- strict: bool,
+ #[arg(long, value_name = "SUBJECT")]
+ publisher: String,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Require embedded PKCS#7; compare indirect digest to Rust PE recomputation for each Authenticode cert.
- VerifyPe { path: PathBuf },
- /// Verify PE Authenticode **trust**: PKCS#7 CMS validation + certificate chain to **explicit** anchors (no OS store).
- ///
- /// Supply **`--anchor-dir`** (Phase A: `.crt`/`.cer`/`.pem`) and/or **`--authroot-cab`** (extract certs + CTL thumbs from AuthRoot-style CAB `.stl` payloads). **`verify-pe`** remains digest-only; this subcommand adds chain + policy checks.
- TrustVerifyPe {
+ /// Inspect a ClickOnce `.deploy` payload and report the undeployed content name.
+ ClickonceDeployInfo { path: PathBuf },
+ /// Copy a ClickOnce `.deploy` payload to an explicit undeployed output path.
+ ClickonceCopyDeployPayload {
path: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Same trust pipeline as **`trust-verify-pe`** after CAB SIP digest consistency (**`verify-cab`**).
- TrustVerifyCab {
+ /// Verify file hashes recorded in a ClickOnce application or deployment manifest.
+ ClickonceManifestHashes {
path: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_name = "DIR")]
+ base_directory: Option,
},
- /// Same trust pipeline as **`trust-verify-pe`** after MSI/MSP SIP digest consistency (**`verify-msi`**).
- TrustVerifyMsi {
+ /// Update file size and digest values in a ClickOnce application or deployment manifest.
+ ClickonceUpdateManifestHashes {
path: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_name = "DIR")]
+ base_directory: Option,
+ #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
+ algorithm: HashAlg,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Same trust pipeline as **`trust-verify-pe`** after WIM/ESD SIP digest consistency (**`verify-esd`**).
- TrustVerifyEsd {
+ /// Add a deterministic portable XMLDSig signature to a ClickOnce manifest.
+ ///
+ /// This is a portable structural helper for tests and non-Mage workflows; it does not claim
+ /// byte-for-byte Mage output or ClickOnce policy validation.
+ ClickonceSignManifest {
path: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// CMS catalog digest consistency (**`verify-catalog`**) plus PKCS#7 chain to anchors when Authenticode-wrapped.
- TrustVerifyCatalog {
+ /// Compute the SignedInfo digest for externally signing ClickOnce manifest XMLDSig.
+ ClickonceSignManifestPrehash {
path: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
},
- /// Detached PKCS#7 vs raw **`content`** bytes (digest inferred from PKCS#7 indirect length); PKCS#7 blob normalized like Win32 `CryptVerifyDetachedMessageSignature` helpers.
- TrustVerifyDetached {
- content: PathBuf,
+ /// Add a deterministic ClickOnce manifest XMLDSig from externally produced RSA signature bytes.
+ ClickonceSignManifestFromSignature {
+ path: PathBuf,
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// Raw RSA PKCS#1 v1.5 signature bytes produced over `clickonce-sign-manifest-prehash`.
+ #[arg(long, value_name = "PATH")]
signature: PathBuf,
- #[command(flatten)]
- shared: TrustVerifySharedArgs,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Custom ZIP Authenticode comment signature: verify ZIP digest binding plus PKCS#7 chain to anchors.
- TrustVerifyZip {
+ /// Verify the deterministic portable XMLDSig signature in a ClickOnce manifest.
+ ClickonceVerifyManifestSignature {
path: PathBuf,
+ /// Signer certificate as DER or PEM. Defaults to the embedded KeyInfo certificate.
+ #[arg(long, value_name = "PATH")]
+ cert: Option,
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
#[command(flatten)]
shared: TrustVerifySharedArgs,
},
- /// Print whether embedded PKCS#7 bytes contain **SPC_PE_IMAGE_PAGE_HASHES** attribute OIDs (V1/V2 DER scan).
- ///
- /// Outputs `yes` or `no` (does **not** validate page segments vs file bytes — use **`verify-pe-page-hashes`** for the experimental Rust check).
- PeHasPageHashes { path: PathBuf },
- /// Print structured **`SPC_PE_IMAGE_PAGE_HASHES`** rows from CMS **signed** attributes (one line per signer location).
- ///
- /// Includes **`parsed_page_hash_pairs`** when DER peeling + flat-table parsing succeeds (`-` otherwise).
- /// Empty stdout means no matching authenticated attributes were found. Does **not** validate pages vs file bytes.
- PePageHashInfo { path: PathBuf },
- /// **Experimental:** parse embedded page-hash tables and verify **contiguous raw file ranges** (see `psign_sip_digest::page_hashes::verify_pe_embedded_page_hash_tables`).
- ///
- /// Not a full `WinVerifyTrust` `/ph` clone — checksum / cert-directory exclusions may differ from native.
- VerifyPePageHashes { path: PathBuf },
- /// Print ordered **[`start`,`end`)** file byte ranges included in **PE Authenticode image digest** (same layout as `authenticode-rs` / `pe_authenticode_digest`).
- ///
- /// One line per range: `start=N end=M` (half-open end). Useful on Linux for tooling / future page-hash alignment vs `WinTrust`.
- PeAuthenticodeRanges { path: PathBuf },
- /// Decode **`SpcIndirectDataContent`** from an embedded Authenticode PKCS#7 (**JSON** to stdout; certificate-table order; default **`--index`** **`0`**).
+ /// Same digest as **`pkcs7-signer-rs256-prehash`** when **`path`** is raw PKCS#7 **`SignedData`** (typical **`.cat`** body — CTL or other CMS **`ContentInfo`**).
///
- /// Intended for Linux-side inspection and PKCS#7 rebuild experiments (Rust **`pkcs7`** module in **`psign-sip-digest`**); does **not** sign or embed signatures.
- InspectPeSpcIndirect {
+ /// For **KV `RS256`** over **`SignerInfo.signedAttrs`**, use **`--encoding raw`**. Does **not** run **`verify-catalog`** (CTL **`messageDigest`** vs **`eContent`** rules differ from Authenticode PE PKCS#7).
+ CatalogSignerRs256Prehash {
path: PathBuf,
- /// **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row index (**`0`** = first; same order as **`extract-pe-pkcs7`** / **`list-pe-pkcs7`**).
#[arg(long, default_value_t = 0)]
- index: usize,
- /// Include lowercase hex of **`image_data.value`** DER (**`SpcPeImageData`**) — output can be large.
+ signer_index: usize,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Signed catalog `.cat`: compare PKCS#7 indirect digest to Rust catalog digest scan.
+ VerifyCatalog { path: PathBuf },
+ /// Verify that a subject file is represented by a MakeCat-style CTL member in a signed catalog.
+ VerifyCatalogMember {
+ /// Catalog `.cat` file.
+ #[arg(long, value_name = "PATH")]
+ catalog: PathBuf,
+ /// Subject file whose catalog membership should be checked.
+ #[arg(value_name = "PATH")]
+ subject: PathBuf,
+ },
+ /// Script signed file (PowerShell-class or WSH): compare PKCS#7 indirect digest to Rust heuristic strip/hash.
+ VerifyScript { path: PathBuf },
+ /// Inspect PKCS#7 layers: signers, timestamp-related attribute OIDs, nested signatures (`1.3.6.1.4.1.311.2.4.1`). JSON to stdout.
+ InspectAuthenticode {
+ path: PathBuf,
+ /// Treat **`path`** as a PE image (**embedded** attribute certs) vs raw PKCS#7 bytes.
+ #[arg(long, value_enum, default_value_t = InspectInputKind::Pe)]
+ input: InspectInputKind,
+ },
+ /// Validate JSON metadata shape for Microsoft Artifact Signing (`Endpoint`, `CodeSigningAccountName`, `CertificateProfileName`; optional `ExcludeCredentials` string array). No network / no signing.
+ ///
+ /// Reads **`--path`** or stdin when omitted (use `-` for stdin explicitly).
+ ArtifactSigningMetadataCheck {
+ #[arg(long, value_name = "PATH")]
+ path: Option,
+ },
+ /// Azure Code Signing **`…:sign`** LRO (same REST contract as **`psign-tool artifact-signing-submit`**). Requires **`--features artifact-signing-rest`** at build time.
+ #[cfg(feature = "artifact-signing-rest")]
+ ArtifactSigningSubmit {
+ #[command(flatten)]
+ args: ArtifactSigningSubmitPortableArgs,
+ },
+ /// Azure Key Vault **`keys/sign`** over a **precomputed digest file** (RSA PKCS#1 or ECDSA). Requires **`--features azure-kv-sign-portable`**. Does **not** embed Authenticode — use **`psign-tool`** for that.
+ #[cfg(feature = "azure-kv-sign-portable")]
+ AzureKeyVaultSignDigest {
+ #[command(flatten)]
+ args: AzureKvSignDigestPortableArgs,
+ },
+ /// Build **RFC 3161** **`TimeStampReq`** DER from a **message imprint** preimage (raw digest bytes for **`MessageImprint.hashedMessage`** — not a second hash). For **`curl`** / OpenSSL **`ts -query`** against a TSA (**`application/timestamp-query`**).
+ ///
+ /// Supply exactly one of **`--digest-hex`** or **`--digest-file`**. Does **not** POST to a TSA.
+ Rfc3161TimestampReq {
+ #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
+ algorithm: HashAlg,
+ /// Raw digest bytes; length must match **`--algorithm`** (e.g. 32 for SHA-256).
+ #[arg(long, value_name = "PATH")]
+ digest_file: Option,
+ /// Lowercase hex digest (no **`0x`**); length must match **`--algorithm`**.
+ #[arg(long, value_name = "HEX")]
+ digest_hex: Option,
+ /// Optional **`nonce`** (**`INTEGER`**) in the request.
#[arg(long)]
- include_image_value_der_hex: bool,
+ nonce: Option,
+ /// Set **`certReq`** to **TRUE** (request certs inside **`TimeStampToken`**).
+ #[arg(long, default_value_t = false)]
+ cert_req: bool,
+ #[arg(long, value_enum, default_value_t = TimestampReqOutput::Der)]
+ output: TimestampReqOutput,
},
- /// Write an embedded Authenticode PKCS#7 (**raw DER**) to stdout or **`--output`** (certificate-table order; default **`--index`** **`0`**).
- ExtractPePkcs7 {
+ /// Parse **RFC 3161** **`TimeStampResp`** DER (**`application/timestamp-reply`**) and print **`pki_status`**, **`pki_status_int`**, **`granted`**, optional **`time_stamp_token`** length, first **16** octets of the token TLV as hex (**`time_stamp_token_prefix_hex`**, for CMS **`ContentInfo`** sniffing), **`status_strings_json`**, **`fail_info_tlv_hex`**, **`fail_info_flags_json`**. Does **not** verify CMS / TSA crypto.
+ Rfc3161TimestampRespInspect {
path: PathBuf,
- /// **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row index (**`0`** = first).
- #[arg(long, default_value_t = 0)]
- index: usize,
+ /// Expected **`TSTInfo.messageImprint.hashedMessage`** hex for request-binding diagnostics.
+ #[arg(long, value_name = "HEX")]
+ expect_digest_hex: Option,
+ /// Expected **`TSTInfo.nonce`** integer for request-binding diagnostics.
+ #[arg(long)]
+ expect_nonce: Option,
+ },
+ /// POST **`TimeStampReq`** DER to a TSA (**`Content-Type: application/timestamp-query`**) and write **`TimeStampResp`** DER to stdout or **`--output`**. Requires **`--features timestamp-http`**. Does **not** verify the timestamp token.
+ #[cfg(feature = "timestamp-http")]
+ Rfc3161TimestampHttpPost {
+ /// TSA endpoint (**HTTPS** URL; POST body is raw **`TimeStampReq`** DER).
+ #[arg(long, value_name = "URL")]
+ url: String,
+ #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
+ algorithm: HashAlg,
+ #[arg(long, value_name = "PATH")]
+ digest_file: Option,
+ #[arg(long, value_name = "HEX")]
+ digest_hex: Option,
+ #[arg(long)]
+ nonce: Option,
+ #[arg(long, default_value_t = false)]
+ cert_req: bool,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// List **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** PKCS#7 rows in the PE certificate table (**`pkcs7_entries=N`** then **`index=i byte_len=L`** per line).
- ListPePkcs7 { path: PathBuf },
- /// **SHA-256** (**32** octets) over a signer’s authenticated-attribute **`SET OF Attribute`** DER (**RFC 5652** §5.4).
+ /// Print CAB Authenticode digest **without** requiring PKCS#7 (unsigned / structural check).
///
- /// Same raw digest Azure Key Vault **`keys/sign`** expects for **`RS256`** (base64 **`value`** in JSON) when re-signing **CMS `SignerInfo`** on **RSA SHA-256** Authenticode. Differs from **`pe-digest`** (PE **image** hash). Requires **`SignerInfo.digestAlgorithm`** **SHA-256** and **`signedAttrs`**. **`--index`**: **`WIN_CERT_TYPE_PKCS_SIGNED_DATA`** row (**`0`** = first). **`--signer-index`**: **`SignerInfo`** within that PKCS#7’s **`SignedData`** (**`0`** = first; same as **`pkcs7-signer-rs256-prehash --signer-index`** after **`extract-pe-pkcs7`**).
- PeSignerRs256Prehash {
+ /// Algorithm must match what will be used at signing time (default SHA-256). **`--encoding raw`** matches **`pe-digest`** for hash-file workflows.
+ CabDigest {
path: PathBuf,
- #[arg(long, default_value_t = 0)]
- index: usize,
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
+ #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
+ algorithm: HashAlg,
#[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Same digest as **`pe-signer-rs256-prehash`**, but **`path`** is **PKCS#7** DER (**`ContentInfo`** wrapping **`SignedData`**, or bare **`SignedData`** normalized like **`extract-pe-pkcs7`** output).
+ /// Inspect NuGet package-signature marker state (`.signature.p7s`) without validating CMS.
+ NupkgSignatureInfo { path: PathBuf },
+ /// Hash an unsigned NuGet package exactly as the package-signature properties document records it.
///
- /// **`--signer-index`**: **`SignerInfo`** within this **`SignedData`** (**`0`** = first). For PE workflows, extract PKCS#7 first (**`extract-pe-pkcs7`**) then run this command.
- Pkcs7SignerRs256Prehash {
+ /// This is the unsigned ZIP byte hash used before adding `.signature.p7s`; signed packages are rejected.
+ NupkgDigest {
path: PathBuf,
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
#[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// **Experimental:** Append raw PKCS#7 (**`SignedData`**) DER as a new **`WIN_CERTIFICATE`** row (**`pe_embed`**).
- ///
- /// Updates the PE security directory and recomputes **`Optional Header.CheckSum`** (**`pe_compute_image_checksum`**). Does **not** validate PKCS#7 ↔ image digest or replace **`SignerSignEx3`**. For hybrid tooling and future portable sign pipelines.
- AppendPePkcs7 {
- /// Input PE path (**read fully** before writing **`--output`**; same path allowed).
- #[arg(long = "pe", value_name = "PATH")]
- pe_path: PathBuf,
- /// PKCS#7 DER file (**bare `SignedData`** is normalized like other portable PKCS#7 paths).
- #[arg(long = "pkcs7", value_name = "PATH")]
- pkcs7_path: PathBuf,
- #[arg(long, value_name = "PATH")]
- output: PathBuf,
- },
- /// Sign an unsigned PE image with portable Authenticode CMS + `WIN_CERTIFICATE` embedding.
- ///
- /// This is the first production-oriented portable Authenticode signing path. It supports local RSA
- /// PKCS#1 v1.5 keys or Azure Key Vault RSA signing and SHA-2 digests; timestamp embedding and
- /// non-PE formats remain separate backlog.
- SignPe {
- /// Input PE path.
- #[arg(value_name = "PATH")]
+ /// Write NuGet signature content bytes (`Version` + package hash property) for an unsigned package.
+ ///
+ /// This is the CMS encapsulated content used by NuGet author signatures before `.signature.p7s` is embedded.
+ NupkgSignatureContent {
+ path: PathBuf,
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
+ },
+ /// Create local RSA/SHA-2 CMS for NuGet signature content bytes.
+ NupkgSignaturePkcs7 {
path: PathBuf,
+ /// Package hash and CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
/// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
- cert: Option,
+ cert: PathBuf,
/// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
#[arg(long, value_name = "PATH")]
- key: Option,
+ key: PathBuf,
/// Additional certificate to include in the PKCS#7 certificate set.
#[arg(long = "chain-cert", value_name = "PATH")]
chain_certs: Vec,
- /// File digest algorithm for the PE Authenticode indirect digest and CMS signer.
- #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
- digest: PortableSignDigest,
- /// RFC3161 timestamp URL to timestamp the primary PE signature after signing.
+ /// RFC3161 timestamp URL to timestamp the NuGet CMS signature after signing.
#[arg(long = "timestamp-url", visible_alias = "tr")]
timestamp_url: Option,
/// RFC3161 timestamp digest algorithm.
#[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
timestamp_digest: Option,
- /// Azure Key Vault URL for remote RSA signing.
- #[arg(long = "azure-key-vault-url", visible_alias = "kvu")]
- azure_key_vault_url: Option,
- /// Azure Key Vault certificate name for remote RSA signing.
- #[arg(long = "azure-key-vault-certificate", visible_alias = "kvc")]
- azure_key_vault_certificate: Option,
- /// Optional Azure Key Vault certificate version.
- #[arg(long = "azure-key-vault-certificate-version", visible_alias = "kvcv")]
- azure_key_vault_certificate_version: Option,
- #[arg(long = "azure-key-vault-accesstoken")]
- azure_key_vault_access_token: Option,
- #[arg(long = "azure-key-vault-managed-identity")]
- azure_key_vault_managed_identity: bool,
- #[arg(long = "azure-key-vault-tenant-id")]
- azure_key_vault_tenant_id: Option,
- #[arg(long = "azure-key-vault-client-id")]
- azure_key_vault_client_id: Option,
- #[arg(long = "azure-key-vault-client-secret")]
- azure_key_vault_client_secret: Option,
- #[arg(long = "azure-authority")]
- azure_authority: Option,
- #[command(flatten)]
- artifact_signing: Box,
- /// Output signed PE path.
#[arg(long, value_name = "PATH")]
output: PathBuf,
},
- /// Sign an unsigned CAB file with portable Authenticode CMS and CAB reserve-header embedding.
+ /// Compute the signed-attributes digest for externally signing NuGet CMS.
///
- /// Supports single-volume unsigned CABs without an existing reserve header.
- SignCab {
- /// Input CAB path.
- #[arg(value_name = "PATH")]
+ /// Sign this digest with RSA PKCS#1 v1.5 using the selected SHA-2 algorithm, then pass the
+ /// signature bytes to `nupkg-signature-pkcs7-from-signature`.
+ NupkgSignaturePkcs7Prehash {
path: PathBuf,
- /// Signer certificate as DER or PEM.
- #[arg(long, value_name = "PATH")]
- cert: PathBuf,
- /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
- #[arg(long, value_name = "PATH")]
- key: PathBuf,
- /// Additional certificate to include in the PKCS#7 certificate set.
- #[arg(long = "chain-cert", value_name = "PATH")]
- chain_certs: Vec,
- /// File digest algorithm for the CAB Authenticode indirect digest and CMS signer.
- #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
- digest: PortableSignDigest,
- /// Output signed CAB path.
+ /// Package hash and CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
+ #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
+ encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
- output: PathBuf,
+ output: Option,
},
- /// Sign an MSI/MSP OLE package with portable Authenticode CMS and a DigitalSignature stream.
- SignMsi {
- /// Input MSI/MSP path.
- #[arg(value_name = "PATH")]
+ /// Create NuGet CMS from externally produced RSA PKCS#1 v1.5 signature bytes.
+ NupkgSignaturePkcs7FromSignature {
path: PathBuf,
+ /// Package hash and CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
/// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
cert: PathBuf,
- /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
- #[arg(long, value_name = "PATH")]
- key: PathBuf,
/// Additional certificate to include in the PKCS#7 certificate set.
#[arg(long = "chain-cert", value_name = "PATH")]
chain_certs: Vec,
- /// File digest algorithm for the MSI Authenticode indirect digest and CMS signer.
- #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
- digest: PortableSignDigest,
- /// Output signed MSI/MSP path.
+ /// Raw RSA PKCS#1 v1.5 signature bytes produced over `nupkg-signature-pkcs7-prehash`.
+ #[arg(long, value_name = "PATH")]
+ signature: PathBuf,
+ /// RFC3161 timestamp URL to timestamp the NuGet CMS signature after assembly.
+ #[arg(long = "timestamp-url", visible_alias = "tr")]
+ timestamp_url: Option,
+ /// RFC3161 timestamp digest algorithm.
+ #[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
+ timestamp_digest: Option,
#[arg(long, value_name = "PATH")]
output: PathBuf,
},
- /// Sign a portable generic file catalog (`.cat`) with CTL members and CMS `SignedData`.
- ///
- /// This authors explicit file membership entries for the provided subjects. It does not implement
- /// driver/INF policy, OS catalog database installation/search, or MakeCat byte-for-byte output.
- SignCatalog {
- /// Subject file(s) to include as catalog members.
- #[arg(required = true, value_name = "PATH")]
- files: Vec,
+ /// Create and embed a local RSA/SHA-2 NuGet `.signature.p7s` signature.
+ NupkgSign {
+ path: PathBuf,
+ /// Package hash and CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
/// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
cert: PathBuf,
@@ -798,257 +2406,238 @@ enum Command {
/// Additional certificate to include in the PKCS#7 certificate set.
#[arg(long = "chain-cert", value_name = "PATH")]
chain_certs: Vec,
- /// File digest algorithm for catalog member digests and CMS signer.
- #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
- digest: PortableSignDigest,
- /// Output signed catalog path.
+ /// RFC3161 timestamp URL to timestamp the NuGet CMS signature after signing.
+ #[arg(long = "timestamp-url", visible_alias = "tr")]
+ timestamp_url: Option,
+ /// RFC3161 timestamp digest algorithm.
+ #[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
+ timestamp_digest: Option,
#[arg(long, value_name = "PATH")]
output: PathBuf,
+ #[arg(long, default_value_t = false)]
+ overwrite: bool,
},
- /// Attach an RFC3161 timestamp token to an existing embedded PE Authenticode signature.
- ///
- /// Accepts either a raw `timeStampToken` `ContentInfo` DER file or a `TimeStampResp` DER file containing one.
- TimestampPeRfc3161 {
- /// Signed PE path to mutate.
- #[arg(value_name = "PATH")]
+ /// Verify NuGet signature content bytes against an unsigned package hash.
+ NupkgVerifySignatureContent {
path: PathBuf,
- /// Embedded PKCS#7 row index in the PE certificate table.
- #[arg(long, default_value_t = 0)]
- index: usize,
- /// SignerInfo index inside the selected PKCS#7 SignedData.
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
- /// Raw RFC3161 timeStampToken ContentInfo DER.
- #[arg(long, value_name = "PATH", conflicts_with = "response")]
- token: Option,
- /// RFC3161 TimeStampResp DER containing a granted timeStampToken.
- #[arg(long, value_name = "PATH", conflicts_with = "token")]
- response: Option,
- /// Output PE path.
#[arg(long, value_name = "PATH")]
- output: PathBuf,
+ content: PathBuf,
},
- /// Sign `.rdp` files using portable RDP SignScope/SecureSettingsBlob logic.
- ///
- /// Supply either **`--cert`** + **`--key`** for local RSA/SHA-256 PKCS#7 creation, or
- /// **`--signature-pkcs7`** to embed an externally-created detached PKCS#7 for a single input.
- Rdp {
- /// Signer certificate as DER or PEM.
- #[arg(
- long,
- value_name = "PATH",
- requires = "key",
- conflicts_with = "signature_pkcs7"
- )]
- cert: Option,
- /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
- #[arg(
- long,
- value_name = "PATH",
- requires = "cert",
- conflicts_with = "signature_pkcs7"
- )]
- key: Option,
- /// Additional certificate to include in the PKCS#7 certificate set.
- #[arg(
- long = "chain-cert",
- value_name = "PATH",
- requires = "cert",
- conflicts_with = "signature_pkcs7"
- )]
- chain_certs: Vec,
- /// Detached PKCS#7 DER to serialize into the RDP `Signature` record.
- #[arg(long = "signature-pkcs7", value_name = "PATH", conflicts_with_all = ["cert", "key", "chain_certs"])]
- signature_pkcs7: Option,
- /// Build and validate the signed shape without writing files.
- #[arg(long)]
- dry_run: bool,
- /// Write output here instead of overwriting the input. Only valid with one input file.
- #[arg(long, value_name = "PATH")]
- output: Option,
- /// `.rdp` file(s) to sign.
- #[arg(required = true)]
- files: Vec,
+ /// Verify an embedded NuGet `.signature.p7s` against package content and explicit trust anchors.
+ NupkgVerifySignature {
+ path: PathBuf,
+ /// Package hash and CMS signer digest algorithm used to reconstruct NuGet signature content.
+ #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
+ algorithm: NugetHashAlg,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
},
- /// Write embedded Authenticode PKCS#7 (**raw DER**) from a signed **`.cab`** tail to stdout or **`--output`**.
+ /// Embed a NuGet package author signature blob as root `.signature.p7s`.
///
- /// Layout: **`cab_digest::cab_signature_pkcs7_der`** (same bytes you would pass to **`pkcs7-signer-rs256-prehash`**).
- ExtractCabPkcs7 {
+ /// This is a package-native write primitive for split signing workflows; it does not create CMS.
+ NupkgEmbedSignature {
path: PathBuf,
#[arg(long, value_name = "PATH")]
- output: Option,
+ signature: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ #[arg(long, default_value_t = false)]
+ overwrite: bool,
},
- /// Same digest as **`pkcs7-signer-rs256-prehash`** on PKCS#7 embedded at the end of a signed **`.cab`** (after **`extract-cab-pkcs7`**).
+ /// Inspect VSIX OPC signature marker state without validating XMLDSig.
+ VsixSignatureInfo { path: PathBuf },
+ /// Embed a VSIX OPC signature XML part and signature-origin marker.
///
- /// **`--signer-index`**: **`SignerInfo`** within that **`SignedData`**. For AzureSignTool-style **KV `RS256`**, use **`--encoding raw`** (distinct from **`cab-digest`** MSCF subject hash).
- CabSignerRs256Prehash {
+ /// This is a structural write primitive for split XMLDSig workflows; it does not create XMLDSig.
+ VsixEmbedSignatureXml {
path: PathBuf,
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
- #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
- encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
- output: Option,
+ signature_xml: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ #[arg(long, default_value_t = false)]
+ overwrite: bool,
},
- /// CAB with embedded PKCS#7: compare indirect digest to Rust CAB hash.
- VerifyCab { path: PathBuf },
- /// Custom ZIP Authenticode comment signature: compare ZIP digest binding and reconstructed script digest.
- VerifyZip { path: PathBuf },
- /// Write **`\\u{5}DigitalSignature`** stream (**raw PKCS#7 DER**) from an **`.msi`** to stdout or **`--output`**.
- ///
- /// Same blob as **`pkcs7-signer-rs256-prehash`** input for that signature. For real signed MSIs only; see **`tests/fixtures/msi-authenticode-upstream/README.md`** for the PKCS#7-only stub used in CI.
- ExtractMsiPkcs7 {
+ /// Write deterministic VSIX XMLDSig Reference/DigestValue XML for package parts.
+ VsixSignatureReferenceXml {
path: PathBuf,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Same digest as **`pkcs7-signer-rs256-prehash`** on PKCS#7 from **`\\u{5}DigitalSignature`** (after **`extract-msi-pkcs7`**).
- ///
- /// **`--signer-index`**: **`SignerInfo`** within **`SignedData`**. **`--encoding raw`** for Azure KV **`RS256`** (distinct from MSI SIP fingerprint / **`verify-msi`** subject hash).
- MsiSignerRs256Prehash {
+ /// Create deterministic VSIX XMLDSig XML with local RSA/SHA-2 SignatureValue.
+ VsixSignatureXml {
path: PathBuf,
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
- #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
- encoding: DigestEncoding,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Signed MSI: compare PKCS#7 indirect digest to Rust OLE fingerprint (and extended stream if present).
- VerifyMsi { path: PathBuf },
- /// Signed WIM/ESD: compare PKCS#7 indirect digest to Rust prefix hash.
- VerifyEsd { path: PathBuf },
- /// Cleartext MSIX/APPX/bundle: compare PKCS#7 indirect digest to Rust ZIP rehash (encrypted extensions rejected).
- VerifyMsix { path: PathBuf },
- /// Same digest as **`pkcs7-signer-rs256-prehash`** when **`path`** is raw PKCS#7 **`SignedData`** (typical **`.cat`** body — CTL or other CMS **`ContentInfo`**).
+ /// Compute the SignedInfo digest for externally signing VSIX XMLDSig.
///
- /// For **KV `RS256`** over **`SignerInfo.signedAttrs`**, use **`--encoding raw`**. Does **not** run **`verify-catalog`** (CTL **`messageDigest`** vs **`eContent`** rules differ from Authenticode PE PKCS#7).
- CatalogSignerRs256Prehash {
+ /// Sign this digest with RSA PKCS#1 v1.5 using the selected SHA-2 algorithm, then pass the
+ /// signature bytes to `vsix-signature-xml-from-signature`.
+ VsixSignatureXmlPrehash {
path: PathBuf,
- #[arg(long, default_value_t = 0)]
- signer_index: usize,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
#[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Signed catalog `.cat`: compare PKCS#7 indirect digest to Rust catalog digest scan.
- VerifyCatalog { path: PathBuf },
- /// Verify that a subject file is represented by a MakeCat-style CTL member in a signed catalog.
- VerifyCatalogMember {
- /// Catalog `.cat` file.
+ /// Create deterministic VSIX XMLDSig XML from externally produced RSA signature bytes.
+ VsixSignatureXmlFromSignature {
+ path: PathBuf,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
+ /// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
- catalog: PathBuf,
- /// Subject file whose catalog membership should be checked.
- #[arg(value_name = "PATH")]
- subject: PathBuf,
+ cert: PathBuf,
+ /// Raw RSA PKCS#1 v1.5 signature bytes produced over `vsix-signature-xml-prehash`.
+ #[arg(long, value_name = "PATH")]
+ signature: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: Option,
},
- /// Script signed file (PowerShell-class or WSH): compare PKCS#7 indirect digest to Rust heuristic strip/hash.
- VerifyScript { path: PathBuf },
- /// Inspect PKCS#7 layers: signers, timestamp-related attribute OIDs, nested signatures (`1.3.6.1.4.1.311.2.4.1`). JSON to stdout.
- InspectAuthenticode {
+ /// Create and embed deterministic VSIX XMLDSig XML with local RSA/SHA-2 SignatureValue.
+ VsixSign {
path: PathBuf,
- /// Treat **`path`** as a PE image (**embedded** attribute certs) vs raw PKCS#7 bytes.
- #[arg(long, value_enum, default_value_t = InspectInputKind::Pe)]
- input: InspectInputKind,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
+ /// Signer certificate as DER or PEM.
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
+ #[arg(long, value_name = "PATH")]
+ key: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ #[arg(long, default_value_t = false)]
+ overwrite: bool,
},
- /// Validate JSON metadata shape for Microsoft Artifact Signing (`Endpoint`, `CodeSigningAccountName`, `CertificateProfileName`; optional `ExcludeCredentials` string array). No network / no signing.
- ///
- /// Reads **`--path`** or stdin when omitted (use `-` for stdin explicitly).
- ArtifactSigningMetadataCheck {
+ /// Verify VSIX XMLDSig Reference/DigestValue XML against package parts.
+ VsixVerifySignatureReferenceXml {
+ path: PathBuf,
#[arg(long, value_name = "PATH")]
- path: Option,
+ signature_xml: PathBuf,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
},
- /// Azure Code Signing **`…:sign`** LRO (same REST contract as **`psign-tool artifact-signing-submit`**). Requires **`--features artifact-signing-rest`** at build time.
- #[cfg(feature = "artifact-signing-rest")]
- ArtifactSigningSubmit {
+ /// Verify deterministic VSIX XMLDSig references and local RSA/SHA-2 SignatureValue.
+ VsixVerifySignatureXml {
+ path: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ signature_xml: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ cert: PathBuf,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
#[command(flatten)]
- args: ArtifactSigningSubmitPortableArgs,
+ shared: TrustVerifySharedArgs,
},
- /// Azure Key Vault **`keys/sign`** over a **precomputed digest file** (RSA PKCS#1 or ECDSA). Requires **`--features azure-kv-sign-portable`**. Does **not** embed Authenticode — use **`psign-tool`** for that.
- #[cfg(feature = "azure-kv-sign-portable")]
- AzureKeyVaultSignDigest {
+ /// Verify an embedded VSIX OPC XMLDSig signature part.
+ VsixVerifySignature {
+ path: PathBuf,
+ #[arg(long, value_name = "PATH")]
+ cert: Option,
+ #[arg(long, value_enum, default_value_t = VsixHashAlg::Sha256)]
+ algorithm: VsixHashAlg,
#[command(flatten)]
- args: AzureKvSignDigestPortableArgs,
+ shared: TrustVerifySharedArgs,
},
- /// Build **RFC 3161** **`TimeStampReq`** DER from a **message imprint** preimage (raw digest bytes for **`MessageImprint.hashedMessage`** — not a second hash). For **`curl`** / OpenSSL **`ts -query`** against a TSA (**`application/timestamp-query`**).
- ///
- /// Supply exactly one of **`--digest-hex`** or **`--digest-file`**. Does **not** POST to a TSA.
- Rfc3161TimestampReq {
- #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
- algorithm: HashAlg,
- /// Raw digest bytes; length must match **`--algorithm`** (e.g. 32 for SHA-256).
+ /// Inspect an App Installer descriptor and optional detached PKCS#7 companion signature.
+ AppinstallerInfo {
+ path: PathBuf,
#[arg(long, value_name = "PATH")]
- digest_file: Option,
- /// Lowercase hex digest (no **`0x`**); length must match **`--algorithm`**.
- #[arg(long, value_name = "HEX")]
- digest_hex: Option,
- /// Optional **`nonce`** (**`INTEGER`**) in the request.
- #[arg(long)]
- nonce: Option,
- /// Set **`certReq`** to **TRUE** (request certs inside **`TimeStampToken`**).
- #[arg(long, default_value_t = false)]
- cert_req: bool,
- #[arg(long, value_enum, default_value_t = TimestampReqOutput::Der)]
- output: TimestampReqOutput,
+ signature: Option,
},
- /// Parse **RFC 3161** **`TimeStampResp`** DER (**`application/timestamp-reply`**) and print **`pki_status`**, **`pki_status_int`**, **`granted`**, optional **`time_stamp_token`** length, first **16** octets of the token TLV as hex (**`time_stamp_token_prefix_hex`**, for CMS **`ContentInfo`** sniffing), **`status_strings_json`**, **`fail_info_tlv_hex`**, **`fail_info_flags_json`**. Does **not** verify CMS / TSA crypto.
- Rfc3161TimestampRespInspect {
+ /// Verify an App Installer XML descriptor against its detached PKCS#7 companion signature.
+ AppinstallerVerifyCompanion {
path: PathBuf,
- /// Expected **`TSTInfo.messageImprint.hashedMessage`** hex for request-binding diagnostics.
- #[arg(long, value_name = "HEX")]
- expect_digest_hex: Option,
- /// Expected **`TSTInfo.nonce`** integer for request-binding diagnostics.
- #[arg(long)]
- expect_nonce: Option,
+ #[arg(long, value_name = "PATH")]
+ signature: PathBuf,
+ #[command(flatten)]
+ shared: TrustVerifySharedArgs,
},
- /// POST **`TimeStampReq`** DER to a TSA (**`Content-Type: application/timestamp-query`**) and write **`TimeStampResp`** DER to stdout or **`--output`**. Requires **`--features timestamp-http`**. Does **not** verify the timestamp token.
- #[cfg(feature = "timestamp-http")]
- Rfc3161TimestampHttpPost {
- /// TSA endpoint (**HTTPS** URL; POST body is raw **`TimeStampReq`** DER).
- #[arg(long, value_name = "URL")]
- url: String,
- #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
- algorithm: HashAlg,
+ /// Create a detached PKCS#7 companion signature for an App Installer XML descriptor.
+ AppinstallerSignCompanion {
+ path: PathBuf,
+ /// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
- digest_file: Option,
- #[arg(long, value_name = "HEX")]
- digest_hex: Option,
- #[arg(long)]
- nonce: Option,
- #[arg(long, default_value_t = false)]
- cert_req: bool,
+ cert: PathBuf,
+ /// RSA private key as PKCS#8 or PKCS#1, DER or unencrypted PEM.
#[arg(long, value_name = "PATH")]
- output: Option,
+ key: PathBuf,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// RFC3161 timestamp URL to timestamp the companion CMS signature after signing.
+ #[arg(long = "timestamp-url", visible_alias = "tr")]
+ timestamp_url: Option,
+ /// RFC3161 timestamp digest algorithm.
+ #[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
+ timestamp_digest: Option,
+ /// Output detached PKCS#7 companion path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Print CAB Authenticode digest **without** requiring PKCS#7 (unsigned / structural check).
- ///
- /// Algorithm must match what will be used at signing time (default SHA-256). **`--encoding raw`** matches **`pe-digest`** for hash-file workflows.
- CabDigest {
+ /// Compute the CMS authenticated-attributes digest for externally signing an App Installer companion.
+ AppinstallerSignCompanionPrehash {
path: PathBuf,
- #[arg(long, value_enum, default_value_t = HashAlg::Sha256)]
- algorithm: HashAlg,
+ /// CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
#[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
encoding: DigestEncoding,
#[arg(long, value_name = "PATH")]
output: Option,
},
- /// Inspect NuGet package-signature marker state (`.signature.p7s`) without validating CMS.
- NupkgSignatureInfo { path: PathBuf },
- /// Hash an unsigned NuGet package exactly as the package-signature properties document records it.
- ///
- /// This is the unsigned ZIP byte hash used before adding `.signature.p7s`; signed packages are rejected.
- NupkgDigest {
+ /// Create an App Installer companion PKCS#7 from externally produced RSA signature bytes.
+ AppinstallerSignCompanionFromSignature {
path: PathBuf,
- #[arg(long, value_enum, default_value_t = NugetHashAlg::Sha256)]
- algorithm: NugetHashAlg,
- #[arg(long, value_enum, default_value_t = DigestEncoding::Hex)]
- encoding: DigestEncoding,
+ /// Signer certificate as DER or PEM.
#[arg(long, value_name = "PATH")]
- output: Option,
+ cert: PathBuf,
+ /// Additional certificate to include in the PKCS#7 certificate set.
+ #[arg(long = "chain-cert", value_name = "PATH")]
+ chain_certs: Vec,
+ /// CMS signer digest algorithm.
+ #[arg(long, value_enum, default_value_t = PortableSignDigest::Sha256)]
+ digest: PortableSignDigest,
+ /// Raw RSA PKCS#1 v1.5 signature bytes produced over `appinstaller-sign-companion-prehash`.
+ #[arg(long, value_name = "PATH")]
+ signature: PathBuf,
+ /// RFC3161 timestamp URL to timestamp the companion CMS signature after assembly.
+ #[arg(long = "timestamp-url", visible_alias = "tr")]
+ timestamp_url: Option,
+ /// RFC3161 timestamp digest algorithm.
+ #[arg(long = "timestamp-digest", visible_alias = "td", value_enum)]
+ timestamp_digest: Option,
+ /// Output detached PKCS#7 companion path.
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
},
- /// Inspect VSIX OPC signature marker state without validating XMLDSig.
- VsixSignatureInfo { path: PathBuf },
+ /// Update MainPackage/MainBundle Publisher attributes in an App Installer descriptor.
+ AppinstallerSetPublisher {
+ path: PathBuf,
+ #[arg(long, value_name = "SUBJECT")]
+ publisher: String,
+ #[arg(long, value_name = "PATH")]
+ output: PathBuf,
+ },
+ /// Inspect a Dynamics 365 Business Central `.app` package header.
+ BusinessCentralAppInfo { path: PathBuf },
}
#[derive(Clone, Copy, Debug, Eq, PartialEq, ValueEnum)]
@@ -1124,6 +2713,182 @@ impl From for nuget::NuGetHashAlgorithm {
}
}
+impl From for PortableSignDigest {
+ fn from(value: NugetHashAlg) -> Self {
+ match value {
+ NugetHashAlg::Sha256 => Self::Sha256,
+ NugetHashAlg::Sha384 => Self::Sha384,
+ NugetHashAlg::Sha512 => Self::Sha512,
+ }
+ }
+}
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq, ValueEnum)]
+enum VsixHashAlg {
+ Sha256,
+ Sha384,
+ Sha512,
+}
+
+impl From for vsix::VsixHashAlgorithm {
+ fn from(value: VsixHashAlg) -> Self {
+ match value {
+ VsixHashAlg::Sha256 => Self::Sha256,
+ VsixHashAlg::Sha384 => Self::Sha384,
+ VsixHashAlg::Sha512 => Self::Sha512,
+ }
+ }
+}
+
+fn nuget_hash_alg_label(value: nuget::NuGetHashAlgorithm) -> &'static str {
+ match value {
+ nuget::NuGetHashAlgorithm::Sha256 => "sha256",
+ nuget::NuGetHashAlgorithm::Sha384 => "sha384",
+ nuget::NuGetHashAlgorithm::Sha512 => "sha512",
+ }
+}
+
+fn vsix_hash_alg_label(value: vsix::VsixHashAlgorithm) -> &'static str {
+ match value {
+ vsix::VsixHashAlgorithm::Sha256 => "sha256",
+ vsix::VsixHashAlgorithm::Sha384 => "sha384",
+ vsix::VsixHashAlgorithm::Sha512 => "sha512",
+ }
+}
+
+fn sign_xml_signed_info(
+ algorithm: vsix::VsixHashAlgorithm,
+ private_key: rsa::RsaPrivateKey,
+ signed_info: &[u8],
+) -> Result> {
+ let signature = match algorithm {
+ vsix::VsixHashAlgorithm::Sha256 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ vsix::VsixHashAlgorithm::Sha384 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ vsix::VsixHashAlgorithm::Sha512 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ };
+ Ok(signature)
+}
+
+fn sign_clickonce_signed_info(
+ digest: PortableSignDigest,
+ private_key: rsa::RsaPrivateKey,
+ signed_info: &[u8],
+) -> Result> {
+ let signature = match digest {
+ PortableSignDigest::Sha256 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ PortableSignDigest::Sha384 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ PortableSignDigest::Sha512 => {
+ let key = rsa::pkcs1v15::SigningKey::::new(private_key);
+ key.sign(signed_info).to_vec()
+ }
+ };
+ Ok(signature)
+}
+
+fn xml_signed_info_remote_prehash(
+ algorithm: vsix::VsixHashAlgorithm,
+ signed_info: &[u8],
+) -> Vec {
+ match algorithm {
+ vsix::VsixHashAlgorithm::Sha256 => Sha256::digest(signed_info).to_vec(),
+ vsix::VsixHashAlgorithm::Sha384 => Sha384::digest(signed_info).to_vec(),
+ vsix::VsixHashAlgorithm::Sha512 => Sha512::digest(signed_info).to_vec(),
+ }
+}
+
+fn verify_xml_signed_info(
+ algorithm: vsix::VsixHashAlgorithm,
+ signer_cert: &x509_cert::Certificate,
+ signed_info: &[u8],
+ signature: &[u8],
+) -> Result<()> {
+ let spki_der = signer_cert
+ .tbs_certificate
+ .subject_public_key_info
+ .to_der()
+ .map_err(|e| anyhow!("encode signer certificate SubjectPublicKeyInfo: {e}"))?;
+ let public_key = rsa::RsaPublicKey::from_public_key_der(&spki_der)
+ .map_err(|e| anyhow!("RSA public key from signer certificate: {e}"))?;
+ match algorithm {
+ vsix::VsixHashAlgorithm::Sha256 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("VSIX SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify VSIX SignatureValue: {e}"))?;
+ }
+ vsix::VsixHashAlgorithm::Sha384 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("VSIX SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify VSIX SignatureValue: {e}"))?;
+ }
+ vsix::VsixHashAlgorithm::Sha512 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("VSIX SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify VSIX SignatureValue: {e}"))?;
+ }
+ }
+ Ok(())
+}
+
+fn verify_clickonce_signed_info(
+ digest: PortableSignDigest,
+ signer_cert: &x509_cert::Certificate,
+ signed_info: &[u8],
+ signature: &[u8],
+) -> Result<()> {
+ let spki_der = signer_cert
+ .tbs_certificate
+ .subject_public_key_info
+ .to_der()
+ .map_err(|e| anyhow!("encode signer certificate SubjectPublicKeyInfo: {e}"))?;
+ let public_key = rsa::RsaPublicKey::from_public_key_der(&spki_der)
+ .map_err(|e| anyhow!("RSA public key from signer certificate: {e}"))?;
+ match digest {
+ PortableSignDigest::Sha256 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("ClickOnce SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify ClickOnce SignatureValue: {e}"))?;
+ }
+ PortableSignDigest::Sha384 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("ClickOnce SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify ClickOnce SignatureValue: {e}"))?;
+ }
+ PortableSignDigest::Sha512 => {
+ let signature = rsa::pkcs1v15::Signature::try_from(signature)
+ .map_err(|e| anyhow!("ClickOnce SignatureValue PKCS#1 v1.5 octets: {e}"))?;
+ rsa::pkcs1v15::VerifyingKey::::new(public_key)
+ .verify(signed_info, &signature)
+ .map_err(|e| anyhow!("verify ClickOnce SignatureValue: {e}"))?;
+ }
+ }
+ Ok(())
+}
+
impl From for PeAuthenticodeHashKind {
fn from(value: HashAlg) -> Self {
match value {
@@ -2821,6 +4586,168 @@ where
msix_digest::verify_msix_digest_consistency(&path)
.with_context(|| format!("verify-msix {}", path.display()))?;
}
+ Command::MsixManifestInfo { path } => {
+ let info = inspect_msix_manifest_path(&path)
+ .with_context(|| format!("msix-manifest-info {}", path.display()))?;
+ println!("package_name={}", info.package_name.unwrap_or("-".to_string()));
+ println!("publisher={}", info.publisher.unwrap_or("-".to_string()));
+ println!("version={}", info.version.unwrap_or("-".to_string()));
+ println!(
+ "processor_architecture={}",
+ info.processor_architecture.unwrap_or("-".to_string())
+ );
+ }
+ Command::MsixSetPublisher {
+ path,
+ publisher,
+ output,
+ } => {
+ set_msix_manifest_publisher_path(&path, &output, &publisher)
+ .with_context(|| format!("msix-set-publisher {}", path.display()))?;
+ println!("output={}", output.display());
+ println!("publisher={publisher}");
+ }
+ Command::ClickonceDeployInfo { path } => {
+ let info = inspect_clickonce_deploy_payload(&path)
+ .with_context(|| format!("clickonce-deploy-info {}", path.display()))?;
+ println!("deployed={}", if info.deployed { "yes" } else { "no" });
+ println!(
+ "content_name={}",
+ info.content_name.unwrap_or("-".to_string())
+ );
+ println!("len={}", info.len);
+ }
+ Command::ClickonceCopyDeployPayload { path, output } => {
+ let content_name = clickonce_deploy_content_name(&path).ok_or_else(|| {
+ anyhow!(
+ "ClickOnce deploy payload name must end with .deploy: {}",
+ path.display()
+ )
+ })?;
+ let bytes = copy_clickonce_deploy_payload(&path, &output)
+ .with_context(|| format!("clickonce-copy-deploy-payload {}", path.display()))?;
+ println!("content_name={content_name}");
+ println!("output={}", output.display());
+ println!("bytes={bytes}");
+ }
+ Command::ClickonceManifestHashes {
+ path,
+ base_directory,
+ } => {
+ let entries = clickonce_manifest_hashes(&path, base_directory.as_deref())
+ .with_context(|| format!("clickonce-manifest-hashes {}", path.display()))?;
+ println!("references={}", entries.len());
+ let mut mismatches = 0usize;
+ for entry in entries {
+ if entry.status() != "valid" {
+ mismatches += 1;
+ }
+ println!(
+ "path={} algorithm={} expected_size={} actual_size={} status={}",
+ entry.path,
+ hash_alg_label(entry.algorithm),
+ entry
+ .expected_size
+ .map(|size| size.to_string())
+ .unwrap_or_else(|| "-".to_string()),
+ entry.actual_size,
+ entry.status()
+ );
+ println!("expected_digest_b64={}", entry.expected_digest_b64);
+ println!("actual_digest_b64={}", entry.actual_digest_b64);
+ }
+ println!("mismatches={mismatches}");
+ if mismatches > 0 {
+ return Err(anyhow!(
+ "ClickOnce manifest file hash verification failed ({mismatches} mismatch(es))"
+ ));
+ }
+ }
+ Command::ClickonceUpdateManifestHashes {
+ path,
+ base_directory,
+ algorithm,
+ output,
+ } => {
+ let updated =
+ update_clickonce_manifest_hashes(&path, base_directory.as_deref(), &output, algorithm)
+ .with_context(|| {
+ format!("clickonce-update-manifest-hashes {}", path.display())
+ })?;
+ println!("output={}", output.display());
+ println!("updated={updated}");
+ println!("algorithm={}", hash_alg_label(algorithm));
+ }
+ Command::ClickonceSignManifest {
+ path,
+ digest,
+ cert,
+ key,
+ output,
+ } => {
+ let report = sign_clickonce_manifest_path(&path, &cert, &key, digest, &output)
+ .with_context(|| format!("clickonce-sign-manifest {}", path.display()))?;
+ println!("output={}", output.display());
+ println!("digest={:?}", report.digest);
+ println!("manifest_digest_b64={}", report.manifest_digest_b64);
+ println!("signature_len={}", report.signature_len);
+ }
+ Command::ClickonceSignManifestPrehash {
+ path,
+ digest,
+ encoding,
+ output,
+ } => {
+ let text = std::fs::read_to_string(&path)
+ .with_context(|| format!("read ClickOnce manifest {}", path.display()))?;
+ let unsigned = unsigned_clickonce_manifest_text(&text)?;
+ let signed_info = clickonce_manifest_signed_info_xml(&unsigned, digest);
+ let prehash = clickonce_signed_info_remote_prehash(digest, &signed_info);
+ write_digest_output(encoding, &prehash, output.as_deref())
+ .with_context(|| format!("clickonce-sign-manifest-prehash {}", path.display()))?;
+ }
+ Command::ClickonceSignManifestFromSignature {
+ path,
+ digest,
+ cert,
+ signature,
+ output,
+ } => {
+ let report = sign_clickonce_manifest_from_external_signature_path(
+ &path, &cert, &signature, digest, &output,
+ )
+ .with_context(|| {
+ format!(
+ "clickonce-sign-manifest-from-signature {}",
+ path.display()
+ )
+ })?;
+ println!("output={}", output.display());
+ println!("digest={:?}", report.digest);
+ println!("manifest_digest_b64={}", report.manifest_digest_b64);
+ println!("signature_len={}", report.signature_len);
+ }
+ Command::ClickonceVerifyManifestSignature {
+ path,
+ cert,
+ digest,
+ shared,
+ } => {
+ let report =
+ verify_clickonce_manifest_signature_path(&path, cert.as_deref(), digest, &shared)
+ .with_context(|| {
+ format!("clickonce-verify-manifest-signature {}", path.display())
+ })?;
+ println!("clickonce-verify-manifest-signature: ok");
+ println!("digest={:?}", report.digest);
+ println!("manifest_digest_b64={}", report.manifest_digest_b64);
+ println!("manifest_digest_match=yes");
+ println!("signature_value_match=yes");
+ println!("signature_len={}", report.signature_len);
+ if trust_verify_args_present(&shared) {
+ println!("signer_trust_chain=yes");
+ }
+ }
Command::CatalogSignerRs256Prehash {
path,
signer_index,
@@ -2979,6 +4906,191 @@ where
.with_context(|| format!("nupkg-digest {}", path.display()))?;
write_digest_output(encoding, &digest, output.as_deref())?;
}
+ Command::NupkgSignatureContent {
+ path,
+ algorithm,
+ output,
+ } => {
+ use std::io::Write;
+ let content = nuget::unsigned_package_signature_content_path(&path, algorithm.into())
+ .with_context(|| format!("nupkg-signature-content {}", path.display()))?;
+ match output {
+ Some(path) => std::fs::write(&path, &content)
+ .with_context(|| format!("write {}", path.display()))?,
+ None => std::io::stdout()
+ .write_all(&content)
+ .context("write NuGet signature content to stdout")?,
+ }
+ }
+ Command::NupkgSignaturePkcs7 {
+ path,
+ algorithm,
+ cert,
+ key,
+ chain_certs,
+ timestamp_url,
+ timestamp_digest,
+ output,
+ } => {
+ let content = nuget::unsigned_package_signature_content_path(&path, algorithm.into())
+ .with_context(|| format!("nupkg-signature-pkcs7 {}", path.display()))?;
+ let pkcs7 =
+ sign_pkcs7_id_data(&content, &cert, &key, chain_certs, algorithm.into())
+ .with_context(|| {
+ format!(
+ "nupkg-signature-pkcs7 create CMS for {}",
+ path.display()
+ )
+ })?;
+ let pkcs7 = timestamp_pkcs7_if_requested(
+ &pkcs7,
+ timestamp_url,
+ timestamp_digest,
+ "nupkg-signature-pkcs7",
+ )?;
+ std::fs::write(&output, &pkcs7).with_context(|| format!("write {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("package_hash_algorithm={}", nuget_hash_alg_label(algorithm.into()));
+ println!("signature_len={}", pkcs7.len());
+ }
+ Command::NupkgSignaturePkcs7Prehash {
+ path,
+ algorithm,
+ encoding,
+ output,
+ } => {
+ let content = nuget::unsigned_package_signature_content_path(&path, algorithm.into())
+ .with_context(|| {
+ format!("nupkg-signature-pkcs7-prehash {}", path.display())
+ })?;
+ let prehash = pkcs7_id_data_remote_prehash(&content, algorithm.into())?;
+ write_digest_output(encoding, &prehash, output.as_deref())?;
+ }
+ Command::NupkgSignaturePkcs7FromSignature {
+ path,
+ algorithm,
+ cert,
+ chain_certs,
+ signature,
+ timestamp_url,
+ timestamp_digest,
+ output,
+ } => {
+ let content = nuget::unsigned_package_signature_content_path(&path, algorithm.into())
+ .with_context(|| {
+ format!(
+ "nupkg-signature-pkcs7-from-signature {}",
+ path.display()
+ )
+ })?;
+ let signature_bytes = std::fs::read(&signature)
+ .with_context(|| format!("read {}", signature.display()))?;
+ let pkcs7 = sign_pkcs7_id_data_with_external_signature(
+ &content,
+ &cert,
+ chain_certs,
+ algorithm.into(),
+ &signature_bytes,
+ )
+ .with_context(|| {
+ format!(
+ "nupkg-signature-pkcs7-from-signature create CMS for {}",
+ path.display()
+ )
+ })?;
+ let pkcs7 = timestamp_pkcs7_if_requested(
+ &pkcs7,
+ timestamp_url,
+ timestamp_digest,
+ "nupkg-signature-pkcs7-from-signature",
+ )?;
+ std::fs::write(&output, &pkcs7).with_context(|| format!("write {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("package_hash_algorithm={}", nuget_hash_alg_label(algorithm.into()));
+ println!("signature_len={}", pkcs7.len());
+ }
+ Command::NupkgSign {
+ path,
+ algorithm,
+ cert,
+ key,
+ chain_certs,
+ timestamp_url,
+ timestamp_digest,
+ output,
+ overwrite,
+ } => {
+ let content = nuget::unsigned_package_signature_content_path(&path, algorithm.into())
+ .with_context(|| format!("nupkg-sign {}", path.display()))?;
+ let pkcs7 =
+ sign_pkcs7_id_data(&content, &cert, &key, chain_certs, algorithm.into())
+ .with_context(|| {
+ format!("nupkg-sign create CMS for {}", path.display())
+ })?;
+ let pkcs7 = timestamp_pkcs7_if_requested(
+ &pkcs7,
+ timestamp_url,
+ timestamp_digest,
+ "nupkg-sign",
+ )?;
+ nuget::embed_signature_path(&path, &output, &pkcs7, overwrite)
+ .with_context(|| format!("nupkg-sign embed signature into {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("package_hash_algorithm={}", nuget_hash_alg_label(algorithm.into()));
+ println!("embedded_signature={}", nuget::PACKAGE_SIGNATURE_FILE_NAME);
+ println!("signature_len={}", pkcs7.len());
+ }
+ Command::NupkgVerifySignatureContent { path, content } => {
+ let content_bytes =
+ std::fs::read(&content).with_context(|| format!("read {}", content.display()))?;
+ let parsed = nuget::verify_unsigned_package_signature_content_path(&path, &content_bytes)
+ .with_context(|| format!("nupkg-verify-signature-content {}", path.display()))?;
+ println!(
+ "package_hash_algorithm={}",
+ nuget_hash_alg_label(parsed.hash_algorithm)
+ );
+ println!("package_hash={}", hex_lower(&parsed.package_hash));
+ println!("package_hash_match=yes");
+ }
+ Command::NupkgVerifySignature {
+ path,
+ algorithm,
+ shared,
+ } => {
+ let alg = algorithm.into();
+ let signature_der = nuget::extract_signature_path(&path)
+ .with_context(|| format!("nupkg-verify-signature {}", path.display()))?;
+ let content = nuget::signed_package_signature_content_path(&path, alg)
+ .with_context(|| format!("nupkg-verify-signature {}", path.display()))?;
+ let parsed = nuget::parse_signature_content(&content)
+ .context("parse reconstructed NuGet signature content")?;
+ let opts = trust_verify_options_from_shared(&shared)?;
+ let report = trust_verify_detached_bytes(&content, &signature_der, &opts)
+ .with_context(|| format!("nupkg-verify-signature {}", path.display()))?;
+ print_trust_ok("nupkg-verify-signature", &report);
+ println!("signature_present=yes");
+ println!("package_hash_algorithm={}", nuget_hash_alg_label(alg));
+ println!("package_hash={}", hex_lower(&parsed.package_hash));
+ println!("package_hash_match=yes");
+ println!("signature_len={}", signature_der.len());
+ }
+ Command::NupkgEmbedSignature {
+ path,
+ signature,
+ output,
+ overwrite,
+ } => {
+ let signature_der =
+ std::fs::read(&signature).with_context(|| format!("read {}", signature.display()))?;
+ nuget::embed_signature_path(&path, &output, &signature_der, overwrite)
+ .with_context(|| format!("nupkg-embed-signature {}", path.display()))?;
+ println!(
+ "embedded_signature={}\noutput={}\nsignature_len={}",
+ nuget::PACKAGE_SIGNATURE_FILE_NAME,
+ output.display(),
+ signature_der.len()
+ );
+ }
Command::VsixSignatureInfo { path } => {
let info = vsix::inspect_vsix_path(&path)
.with_context(|| format!("vsix-signature-info {}", path.display()))?;
@@ -3000,6 +5112,382 @@ where
}
println!("entries={}", info.package.entries.len());
}
+ Command::VsixEmbedSignatureXml {
+ path,
+ signature_xml,
+ output,
+ overwrite,
+ } => {
+ let xml = std::fs::read(&signature_xml)
+ .with_context(|| format!("read {}", signature_xml.display()))?;
+ vsix::embed_signature_xml_path(&path, &output, &xml, overwrite)
+ .with_context(|| format!("vsix-embed-signature-xml {}", path.display()))?;
+ println!(
+ "embedded_signature_xml={}\noutput={}\nsignature_xml_len={}",
+ vsix::DEFAULT_VSIX_SIGNATURE_PART,
+ output.display(),
+ xml.len()
+ );
+ }
+ Command::VsixSignatureReferenceXml {
+ path,
+ algorithm,
+ output,
+ } => {
+ use std::io::Write;
+ let xml = vsix::signature_reference_xml_path(&path, algorithm.into())
+ .with_context(|| format!("vsix-signature-reference-xml {}", path.display()))?;
+ match output {
+ Some(path) => {
+ std::fs::write(&path, &xml).with_context(|| format!("write {}", path.display()))?
+ }
+ None => std::io::stdout()
+ .write_all(&xml)
+ .context("write VSIX signature reference XML to stdout")?,
+ }
+ }
+ Command::VsixSignatureXml {
+ path,
+ algorithm,
+ cert,
+ key,
+ output,
+ } => {
+ use std::io::Write;
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let cert_bytes = std::fs::read(&cert).with_context(|| format!("read {}", cert.display()))?;
+ rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let key_bytes =
+ std::fs::read(&key).with_context(|| format!("read {}", key.display()))?;
+ let private_key = rdp::parse_rsa_private_key(&key_bytes)
+ .with_context(|| format!("parse RSA private key {}", key.display()))?;
+ let signed_info = vsix::signed_info_xml_path(&path, algorithm)
+ .with_context(|| format!("vsix-signature-xml {}", path.display()))?;
+ let signature = sign_xml_signed_info(algorithm, private_key, &signed_info)?;
+ let xml = vsix::signature_xml_from_signed_info(&signed_info, &signature, Some(&cert_bytes))
+ .into_bytes();
+ match output {
+ Some(path) => {
+ std::fs::write(&path, &xml).with_context(|| format!("write {}", path.display()))?
+ }
+ None => std::io::stdout()
+ .write_all(&xml)
+ .context("write VSIX signature XML to stdout")?,
+ }
+ }
+ Command::VsixSignatureXmlPrehash {
+ path,
+ algorithm,
+ encoding,
+ output,
+ } => {
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let signed_info = vsix::signed_info_xml_path(&path, algorithm)
+ .with_context(|| format!("vsix-signature-xml-prehash {}", path.display()))?;
+ let prehash = xml_signed_info_remote_prehash(algorithm, &signed_info);
+ write_digest_output(encoding, &prehash, output.as_deref())?;
+ }
+ Command::VsixSignatureXmlFromSignature {
+ path,
+ algorithm,
+ cert,
+ signature,
+ output,
+ } => {
+ use std::io::Write;
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let cert_bytes =
+ std::fs::read(&cert).with_context(|| format!("read {}", cert.display()))?;
+ rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let signature_bytes = std::fs::read(&signature)
+ .with_context(|| format!("read {}", signature.display()))?;
+ let signed_info = vsix::signed_info_xml_path(&path, algorithm).with_context(|| {
+ format!("vsix-signature-xml-from-signature {}", path.display())
+ })?;
+ let xml =
+ vsix::signature_xml_from_signed_info(&signed_info, &signature_bytes, Some(&cert_bytes))
+ .into_bytes();
+ match output {
+ Some(path) => {
+ std::fs::write(&path, &xml).with_context(|| format!("write {}", path.display()))?
+ }
+ None => std::io::stdout()
+ .write_all(&xml)
+ .context("write VSIX signature XML to stdout")?,
+ }
+ }
+ Command::VsixSign {
+ path,
+ algorithm,
+ cert,
+ key,
+ output,
+ overwrite,
+ } => {
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let cert_bytes = std::fs::read(&cert).with_context(|| format!("read {}", cert.display()))?;
+ rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let key_bytes =
+ std::fs::read(&key).with_context(|| format!("read {}", key.display()))?;
+ let private_key = rdp::parse_rsa_private_key(&key_bytes)
+ .with_context(|| format!("parse RSA private key {}", key.display()))?;
+ let signed_info = vsix::signed_info_xml_path(&path, algorithm)
+ .with_context(|| format!("vsix-sign {}", path.display()))?;
+ let signature = sign_xml_signed_info(algorithm, private_key, &signed_info)?;
+ let xml =
+ vsix::signature_xml_from_signed_info(&signed_info, &signature, Some(&cert_bytes))
+ .into_bytes();
+ vsix::embed_signature_xml_path(&path, &output, &xml, overwrite)
+ .with_context(|| format!("vsix-sign embed signature XML into {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("signature_xml_part={}", vsix::DEFAULT_VSIX_SIGNATURE_PART);
+ println!("reference_digest_algorithm={}", vsix_hash_alg_label(algorithm));
+ println!("signature_xml_len={}", xml.len());
+ }
+ Command::VsixVerifySignatureReferenceXml {
+ path,
+ signature_xml,
+ algorithm,
+ } => {
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let xml = std::fs::read(&signature_xml)
+ .with_context(|| format!("read {}", signature_xml.display()))?;
+ let references = vsix::verify_signature_reference_xml_path(&path, &xml, algorithm)
+ .with_context(|| {
+ format!(
+ "vsix-verify-signature-reference-xml {}",
+ path.display()
+ )
+ })?;
+ println!("reference_digest_algorithm={}", vsix_hash_alg_label(algorithm));
+ println!("reference_count={references}");
+ println!("reference_digest_match=yes");
+ }
+ Command::VsixVerifySignatureXml {
+ path,
+ signature_xml,
+ cert,
+ algorithm,
+ shared,
+ } => {
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let xml = std::fs::read(&signature_xml)
+ .with_context(|| format!("read {}", signature_xml.display()))?;
+ let references = vsix::verify_signature_reference_xml_path(&path, &xml, algorithm)
+ .with_context(|| format!("vsix-verify-signature-xml {}", path.display()))?;
+ let cert_bytes = std::fs::read(&cert).with_context(|| format!("read {}", cert.display()))?;
+ let signer_cert = rdp::parse_certificate(&cert_bytes)
+ .with_context(|| format!("parse signer certificate {}", cert.display()))?;
+ let signed_info = vsix::signed_info_xml_from_signature_xml(&xml)?;
+ let signature = vsix::signature_value_from_signature_xml(&xml)?;
+ verify_xml_signed_info(algorithm, &signer_cert, &signed_info, &signature)?;
+ let trust_anchor_count = if trust_verify_args_present(&shared) {
+ Some(verify_xml_signer_certificate_trust(&cert_bytes, &shared)?)
+ } else {
+ None
+ };
+ println!("reference_digest_algorithm={}", vsix_hash_alg_label(algorithm));
+ println!("reference_count={references}");
+ println!("reference_digest_match=yes");
+ println!("signature_value_match=yes");
+ if let Some(count) = trust_anchor_count {
+ println!("signer_trust_chain=yes");
+ println!("trust_anchor_count={count}");
+ }
+ }
+ Command::VsixVerifySignature {
+ path,
+ cert,
+ algorithm,
+ shared,
+ } => {
+ let algorithm = vsix::VsixHashAlgorithm::from(algorithm);
+ let xml = vsix::extract_signature_xml_path(&path)
+ .with_context(|| format!("vsix-verify-signature {}", path.display()))?;
+ let references = vsix::verify_signature_reference_xml_path(&path, &xml, algorithm)
+ .with_context(|| format!("vsix-verify-signature {}", path.display()))?;
+ let cert_bytes = match cert {
+ Some(cert) => std::fs::read(&cert)
+ .with_context(|| format!("read {}", cert.display()))?,
+ None => vsix::signer_certificate_from_signature_xml(&xml)
+ .context("read embedded VSIX signer certificate")?,
+ };
+ let signer_cert =
+ rdp::parse_certificate(&cert_bytes).context("parse VSIX signer certificate")?;
+ let signed_info = vsix::signed_info_xml_from_signature_xml(&xml)?;
+ let signature = vsix::signature_value_from_signature_xml(&xml)?;
+ verify_xml_signed_info(algorithm, &signer_cert, &signed_info, &signature)?;
+ let trust_anchor_count = if trust_verify_args_present(&shared) {
+ Some(verify_xml_signer_certificate_trust(&cert_bytes, &shared)?)
+ } else {
+ None
+ };
+ println!("vsix-verify-signature: ok");
+ println!("signature_xml_present=yes");
+ println!("signature_xml_part={}", vsix::DEFAULT_VSIX_SIGNATURE_PART);
+ println!("reference_digest_algorithm={}", vsix_hash_alg_label(algorithm));
+ println!("reference_count={references}");
+ println!("reference_digest_match=yes");
+ println!("signature_value_match=yes");
+ if let Some(count) = trust_anchor_count {
+ println!("signer_trust_chain=yes");
+ println!("trust_anchor_count={count}");
+ }
+ }
+ Command::AppinstallerInfo { path, signature } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ let info = parse_appinstaller_descriptor(&text)
+ .with_context(|| format!("appinstaller-info {}", path.display()))?;
+ println!("root={}", info.root);
+ println!("namespace={}", info.namespace.unwrap_or("-".to_string()));
+ println!(
+ "main_package={}",
+ if info.has_main_package { "yes" } else { "no" }
+ );
+ println!(
+ "main_bundle={}",
+ if info.has_main_bundle { "yes" } else { "no" }
+ );
+ println!("publisher={}", info.publisher.unwrap_or("-".to_string()));
+ if let Some(signature) = signature {
+ let metadata = std::fs::metadata(&signature)
+ .with_context(|| format!("stat {}", signature.display()))?;
+ println!("companion_signature={}", signature.display());
+ println!("companion_signature_len={}", metadata.len());
+ } else {
+ println!("companion_signature=-");
+ println!("companion_signature_len=-");
+ }
+ }
+ Command::AppinstallerVerifyCompanion {
+ path,
+ signature,
+ shared,
+ } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ parse_appinstaller_descriptor(&text)
+ .with_context(|| format!("appinstaller-verify-companion {}", path.display()))?;
+ let sig_bytes = std::fs::read(&signature)
+ .with_context(|| format!("read {}", signature.display()))?;
+ let opts = trust_verify_options_from_shared(&shared)?;
+ let report = trust_verify_detached_bytes(text.as_bytes(), &sig_bytes, &opts)
+ .with_context(|| format!("appinstaller-verify-companion {}", path.display()))?;
+ print_trust_ok("appinstaller-verify-companion", &report);
+ }
+ Command::AppinstallerSignCompanion {
+ path,
+ cert,
+ key,
+ chain_certs,
+ digest,
+ timestamp_url,
+ timestamp_digest,
+ output,
+ } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ parse_appinstaller_descriptor(&text)
+ .with_context(|| format!("appinstaller-sign-companion {}", path.display()))?;
+ let pkcs7 = sign_pkcs7_id_data(text.as_bytes(), &cert, &key, chain_certs, digest)
+ .with_context(|| {
+ format!(
+ "appinstaller-sign-companion create detached PKCS#7 for {}",
+ path.display()
+ )
+ })?;
+ let pkcs7 = timestamp_pkcs7_if_requested(
+ &pkcs7,
+ timestamp_url,
+ timestamp_digest,
+ "appinstaller-sign-companion",
+ )?;
+ std::fs::write(&output, &pkcs7).with_context(|| format!("write {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("digest={digest:?}");
+ println!("companion_signature_len={}", pkcs7.len());
+ }
+ Command::AppinstallerSignCompanionPrehash {
+ path,
+ digest,
+ encoding,
+ output,
+ } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ parse_appinstaller_descriptor(&text)
+ .with_context(|| format!("appinstaller-sign-companion-prehash {}", path.display()))?;
+ let prehash = pkcs7_id_data_remote_prehash(text.as_bytes(), digest)?;
+ write_digest_output(encoding, &prehash, output.as_deref())?;
+ }
+ Command::AppinstallerSignCompanionFromSignature {
+ path,
+ cert,
+ chain_certs,
+ digest,
+ signature,
+ timestamp_url,
+ timestamp_digest,
+ output,
+ } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ parse_appinstaller_descriptor(&text).with_context(|| {
+ format!(
+ "appinstaller-sign-companion-from-signature {}",
+ path.display()
+ )
+ })?;
+ let signature_bytes = std::fs::read(&signature)
+ .with_context(|| format!("read {}", signature.display()))?;
+ let pkcs7 = sign_pkcs7_id_data_with_external_signature(
+ text.as_bytes(),
+ &cert,
+ chain_certs,
+ digest,
+ &signature_bytes,
+ )
+ .with_context(|| {
+ format!(
+ "appinstaller-sign-companion-from-signature create detached PKCS#7 for {}",
+ path.display()
+ )
+ })?;
+ let pkcs7 = timestamp_pkcs7_if_requested(
+ &pkcs7,
+ timestamp_url,
+ timestamp_digest,
+ "appinstaller-sign-companion-from-signature",
+ )?;
+ std::fs::write(&output, &pkcs7).with_context(|| format!("write {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("digest={digest:?}");
+ println!("companion_signature_len={}", pkcs7.len());
+ }
+ Command::AppinstallerSetPublisher {
+ path,
+ publisher,
+ output,
+ } => {
+ let text =
+ std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
+ let updated = update_appinstaller_publisher(&text, &publisher)
+ .with_context(|| format!("appinstaller-set-publisher {}", path.display()))?;
+ std::fs::write(&output, updated).with_context(|| format!("write {}", output.display()))?;
+ println!("output={}", output.display());
+ println!("publisher={publisher}");
+ }
+ Command::BusinessCentralAppInfo { path } => {
+ let info = inspect_business_central_app(&path)
+ .with_context(|| format!("business-central-app-info {}", path.display()))?;
+ println!("business_central_app={}", if info.is_navx { "yes" } else { "no" });
+ println!("header={}", if info.is_navx { "NAVX" } else { "-" });
+ println!("len={}", info.len);
+ }
}
Ok(())
}
diff --git a/crates/psign-opc-sign/Cargo.toml b/crates/psign-opc-sign/Cargo.toml
index c742ba7..3a25659 100644
--- a/crates/psign-opc-sign/Cargo.toml
+++ b/crates/psign-opc-sign/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "psign-opc-sign"
-version = "0.2.0"
+version = "0.3.0"
edition = "2024"
description = "Portable OPC, VSIX, and NuGet package signing primitives"
license.workspace = true
@@ -8,6 +8,7 @@ repository.workspace = true
[dependencies]
anyhow = "1"
+base64 = "0.22"
sha2 = "0.10"
zip = { version = "0.6.6", default-features = false, features = ["deflate"] }
diff --git a/crates/psign-opc-sign/src/nuget.rs b/crates/psign-opc-sign/src/nuget.rs
index d6fe58f..3ac9675 100644
--- a/crates/psign-opc-sign/src/nuget.rs
+++ b/crates/psign-opc-sign/src/nuget.rs
@@ -1,9 +1,14 @@
-use crate::opc::{PackageSummary, inspect_package_path};
+use crate::opc::{PackageSummary, inspect_package_path, normalize_zip_part_name};
use anyhow::{Context, Result, anyhow};
+use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64_STANDARD};
use sha2::{Digest, Sha256, Sha384, Sha512};
+use std::fs::File;
+use std::io::{Read, Seek, Write};
use std::path::Path;
+use zip::write::FileOptions;
pub const PACKAGE_SIGNATURE_FILE_NAME: &str = ".signature.p7s";
+pub const SIGNATURE_CONTENT_VERSION: &str = "1";
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub enum NuGetHashAlgorithm {
@@ -28,6 +33,15 @@ impl NuGetHashAlgorithm {
Self::Sha512 => Sha512::digest(bytes).to_vec(),
}
}
+
+ pub fn from_oid(oid: &str) -> Option {
+ match oid {
+ "2.16.840.1.101.3.4.2.1" => Some(Self::Sha256),
+ "2.16.840.1.101.3.4.2.2" => Some(Self::Sha384),
+ "2.16.840.1.101.3.4.2.3" => Some(Self::Sha512),
+ _ => None,
+ }
+ }
}
#[derive(Clone, Debug, Eq, PartialEq)]
@@ -38,6 +52,12 @@ pub struct NuGetPackageInfo {
pub signature_is_stored: Option,
}
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct NuGetSignatureContent {
+ pub hash_algorithm: NuGetHashAlgorithm,
+ pub package_hash: Vec,
+}
+
pub fn inspect_nupkg_path(path: &Path) -> Result {
let package = inspect_package_path(path)?;
let signature_len = package
@@ -67,10 +87,286 @@ pub fn unsigned_package_digest_path(path: &Path, algorithm: NuGetHashAlgorithm)
Ok(algorithm.hash(&bytes))
}
+pub fn canonical_unsigned_package_bytes_path(path: &Path) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ canonical_unsigned_package_bytes(reader)
+ .with_context(|| format!("canonicalize unsigned NuGet package {}", path.display()))
+}
+
+pub fn canonical_unsigned_package_bytes(reader: R) -> Result>
+where
+ R: Read + Seek,
+{
+ let mut out = std::io::Cursor::new(Vec::new());
+ write_package_without_signature_impl(reader, &mut out, false)?;
+ Ok(out.into_inner())
+}
+
+pub fn signed_package_unsigned_bytes_path(path: &Path) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ let mut out = std::io::Cursor::new(Vec::new());
+ write_package_without_signature_impl(reader, &mut out, true)
+ .with_context(|| format!("remove NuGet signature from {}", path.display()))?;
+ Ok(out.into_inner())
+}
+
+pub fn signed_package_signature_content_path(
+ path: &Path,
+ algorithm: NuGetHashAlgorithm,
+) -> Result> {
+ let unsigned = signed_package_unsigned_bytes_path(path)?;
+ Ok(signature_content_bytes(
+ algorithm,
+ &algorithm.hash(&unsigned),
+ ))
+}
+
pub fn package_hash_property_name(algorithm: NuGetHashAlgorithm) -> String {
format!("{}-Hash", algorithm.oid())
}
+pub fn unsigned_package_signature_content_path(
+ path: &Path,
+ algorithm: NuGetHashAlgorithm,
+) -> Result> {
+ let unsigned = canonical_unsigned_package_bytes_path(path)?;
+ let digest = algorithm.hash(&unsigned);
+ Ok(signature_content_bytes(algorithm, &digest))
+}
+
+pub fn signature_content_bytes(algorithm: NuGetHashAlgorithm, package_hash: &[u8]) -> Vec {
+ format!(
+ "Version:{}\n\n{}:{}\n\n",
+ SIGNATURE_CONTENT_VERSION,
+ package_hash_property_name(algorithm),
+ BASE64_STANDARD.encode(package_hash)
+ )
+ .into_bytes()
+}
+
+pub fn parse_signature_content(bytes: &[u8]) -> Result {
+ let text = std::str::from_utf8(bytes).context("NuGet signature content is not UTF-8")?;
+ let mut sections = text.split("\n\n");
+ let header = sections
+ .next()
+ .ok_or_else(|| anyhow!("NuGet signature content is missing header section"))?;
+ let hash_section = sections
+ .next()
+ .ok_or_else(|| anyhow!("NuGet signature content is missing package hash section"))?;
+
+ let mut version = None;
+ for line in header.lines().filter(|line| !line.is_empty()) {
+ let (key, value) = split_signature_content_pair(line)?;
+ if key == "Version" {
+ version = Some(value);
+ }
+ }
+ match version {
+ Some(SIGNATURE_CONTENT_VERSION) => {}
+ Some(value) => {
+ return Err(anyhow!(
+ "unsupported NuGet signature content version {value}; expected {SIGNATURE_CONTENT_VERSION}"
+ ));
+ }
+ None => return Err(anyhow!("NuGet signature content is missing Version")),
+ }
+
+ for line in hash_section.lines().filter(|line| !line.is_empty()) {
+ let (key, value) = split_signature_content_pair(line)?;
+ if let Some(oid) = key.strip_suffix("-Hash")
+ && let Some(hash_algorithm) = NuGetHashAlgorithm::from_oid(oid)
+ {
+ let package_hash = BASE64_STANDARD
+ .decode(value)
+ .context("NuGet signature content package hash is not valid base64")?;
+ if package_hash.is_empty() {
+ return Err(anyhow!("NuGet signature content package hash is empty"));
+ }
+ return Ok(NuGetSignatureContent {
+ hash_algorithm,
+ package_hash,
+ });
+ }
+ }
+
+ Err(anyhow!(
+ "NuGet signature content does not contain a supported package hash property"
+ ))
+}
+
+pub fn verify_unsigned_package_signature_content_path(
+ path: &Path,
+ content: &[u8],
+) -> Result {
+ let parsed = parse_signature_content(content)?;
+ let unsigned = canonical_unsigned_package_bytes_path(path)?;
+ let actual = parsed.hash_algorithm.hash(&unsigned);
+ if actual != parsed.package_hash {
+ return Err(anyhow!(
+ "NuGet package hash mismatch for {}; signature content records a different unsigned package digest",
+ path.display()
+ ));
+ }
+ Ok(parsed)
+}
+
+pub fn extract_signature_path(path: &Path) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ extract_signature(reader)
+ .with_context(|| format!("extract NuGet signature from {}", path.display()))
+}
+
+pub fn extract_signature(reader: R) -> Result>
+where
+ R: Read + Seek,
+{
+ let mut input = zip::ZipArchive::new(reader).context("open NuGet ZIP")?;
+ let mut file = input
+ .by_name(PACKAGE_SIGNATURE_FILE_NAME)
+ .with_context(|| format!("package does not contain {PACKAGE_SIGNATURE_FILE_NAME}"))?;
+ let mut signature = Vec::new();
+ file.read_to_end(&mut signature)
+ .context("read NuGet package signature")?;
+ if signature.is_empty() {
+ return Err(anyhow!("NuGet package signature payload is empty"));
+ }
+ Ok(signature)
+}
+
+pub fn write_package_without_signature(reader: R, writer: W) -> Result<()>
+where
+ R: Read + Seek,
+ W: Write + Seek,
+{
+ write_package_without_signature_impl(reader, writer, true)
+}
+
+fn write_package_without_signature_impl(
+ reader: R,
+ writer: W,
+ require_signature: bool,
+) -> Result<()>
+where
+ R: Read + Seek,
+ W: Write + Seek,
+{
+ let mut input = zip::ZipArchive::new(reader).context("open NuGet ZIP")?;
+ let mut output = zip::ZipWriter::new(writer);
+ let mut had_signature = false;
+
+ for i in 0..input.len() {
+ let mut file = input.by_index(i).context("read NuGet ZIP entry")?;
+ let name = normalize_zip_part_name(file.name())?;
+ if name == PACKAGE_SIGNATURE_FILE_NAME {
+ had_signature = true;
+ continue;
+ }
+
+ let options = FileOptions::default().compression_method(file.compression());
+ if file.is_dir() {
+ output.add_directory(name, options)?;
+ } else {
+ output.start_file(name, options)?;
+ std::io::copy(&mut file, &mut output)?;
+ }
+ }
+
+ if require_signature && !had_signature {
+ return Err(anyhow!(
+ "package does not contain {PACKAGE_SIGNATURE_FILE_NAME}"
+ ));
+ }
+
+ output.finish()?;
+ Ok(())
+}
+
+fn split_signature_content_pair(line: &str) -> Result<(&str, &str)> {
+ line.split_once(':')
+ .ok_or_else(|| anyhow!("invalid NuGet signature content line {line:?}"))
+ .and_then(|(key, value)| {
+ if key.is_empty() || value.is_empty() {
+ Err(anyhow!("invalid NuGet signature content line {line:?}"))
+ } else {
+ Ok((key, value))
+ }
+ })
+}
+
+pub fn embed_signature_path(
+ input: &Path,
+ output: &Path,
+ signature_der: &[u8],
+ overwrite: bool,
+) -> Result<()> {
+ if signature_der.is_empty() {
+ return Err(anyhow!("NuGet package signature payload is empty"));
+ }
+ let info = inspect_nupkg_path(input)?;
+ if info.signed && !overwrite {
+ return Err(anyhow!(
+ "{} already contains {}; pass overwrite to replace it",
+ input.display(),
+ PACKAGE_SIGNATURE_FILE_NAME
+ ));
+ }
+ let reader = File::open(input).with_context(|| format!("open {}", input.display()))?;
+ let writer = File::create(output).with_context(|| format!("create {}", output.display()))?;
+ embed_signature(reader, writer, signature_der, overwrite)
+ .with_context(|| format!("embed NuGet signature into {}", output.display()))
+}
+
+pub fn embed_signature(
+ reader: R,
+ writer: W,
+ signature_der: &[u8],
+ overwrite: bool,
+) -> Result<()>
+where
+ R: Read + Seek,
+ W: Write + Seek,
+{
+ if signature_der.is_empty() {
+ return Err(anyhow!("NuGet package signature payload is empty"));
+ }
+ let mut input = zip::ZipArchive::new(reader).context("open NuGet ZIP")?;
+ let mut output = zip::ZipWriter::new(writer);
+ let mut had_signature = false;
+
+ for i in 0..input.len() {
+ let mut file = input.by_index(i).context("read NuGet ZIP entry")?;
+ let name = normalize_zip_part_name(file.name())?;
+ if name == PACKAGE_SIGNATURE_FILE_NAME {
+ had_signature = true;
+ if overwrite {
+ continue;
+ }
+ return Err(anyhow!(
+ "package already contains {}; pass overwrite to replace it",
+ PACKAGE_SIGNATURE_FILE_NAME
+ ));
+ }
+
+ let options = FileOptions::default().compression_method(file.compression());
+ if file.is_dir() {
+ output.add_directory(name, options)?;
+ } else {
+ output.start_file(name, options)?;
+ std::io::copy(&mut file, &mut output)?;
+ }
+ }
+
+ if !had_signature || overwrite {
+ output.start_file(
+ PACKAGE_SIGNATURE_FILE_NAME,
+ FileOptions::default().compression_method(zip::CompressionMethod::Stored),
+ )?;
+ output.write_all(signature_der)?;
+ }
+ output.finish()?;
+ Ok(())
+}
+
#[cfg(test)]
mod tests {
use super::*;
@@ -117,6 +413,141 @@ mod tests {
);
}
+ #[test]
+ fn signature_content_round_trips_package_hash_property() {
+ let bytes = signature_content_bytes(NuGetHashAlgorithm::Sha384, b"package-digest");
+
+ let parsed = parse_signature_content(&bytes).unwrap();
+
+ assert_eq!(parsed.hash_algorithm, NuGetHashAlgorithm::Sha384);
+ assert_eq!(parsed.package_hash, b"package-digest");
+ assert_eq!(
+ String::from_utf8(bytes).unwrap(),
+ "Version:1\n\n2.16.840.1.101.3.4.2.2-Hash:cGFja2FnZS1kaWdlc3Q=\n\n"
+ );
+ }
+
+ #[test]
+ fn signature_content_rejects_unsupported_version() {
+ let err = parse_signature_content(
+ b"Version:2\n\n2.16.840.1.101.3.4.2.1-Hash:cGFja2FnZS1kaWdlc3Q=\n\n",
+ )
+ .unwrap_err();
+
+ assert!(err.to_string().contains("unsupported"));
+ }
+
+ #[test]
+ fn unsigned_package_signature_content_verifies_matching_digest() {
+ let zip = zip_with(&[("lib/net8.0/a.dll", b"pe")]);
+ let tmp = tempfile_path("unsigned-for-content.nupkg");
+ std::fs::write(&tmp, &zip).unwrap();
+
+ let content =
+ unsigned_package_signature_content_path(&tmp, NuGetHashAlgorithm::Sha256).unwrap();
+ let parsed = verify_unsigned_package_signature_content_path(&tmp, &content).unwrap();
+ let canonical = canonical_unsigned_package_bytes_path(&tmp).unwrap();
+
+ assert_eq!(parsed.hash_algorithm, NuGetHashAlgorithm::Sha256);
+ assert_eq!(
+ parsed.package_hash,
+ NuGetHashAlgorithm::Sha256.hash(&canonical)
+ );
+ let _ = std::fs::remove_file(tmp);
+ }
+
+ #[test]
+ fn unsigned_package_signature_content_rejects_tampered_package() {
+ let tmp = tempfile_path("tampered-for-content.nupkg");
+ std::fs::write(&tmp, zip_with(&[("lib/net8.0/a.dll", b"pe")])).unwrap();
+ let content =
+ unsigned_package_signature_content_path(&tmp, NuGetHashAlgorithm::Sha256).unwrap();
+ std::fs::write(&tmp, zip_with(&[("lib/net8.0/a.dll", b"changed")])).unwrap();
+
+ let err = verify_unsigned_package_signature_content_path(&tmp, &content).unwrap_err();
+
+ assert!(err.to_string().contains("hash mismatch"));
+ let _ = std::fs::remove_file(tmp);
+ }
+
+ #[test]
+ fn embed_signature_adds_stored_root_signature() {
+ let zip = zip_with(&[("lib/net8.0/a.dll", b"pe")]);
+ let mut out = Cursor::new(Vec::new());
+
+ embed_signature(Cursor::new(zip), &mut out, b"cms", false).unwrap();
+ let info = inspect_package_reader_for_test(out.into_inner());
+
+ assert_eq!(
+ info.entry(PACKAGE_SIGNATURE_FILE_NAME)
+ .map(|e| e.uncompressed_size),
+ Some(3)
+ );
+ assert_eq!(
+ info.entry(PACKAGE_SIGNATURE_FILE_NAME)
+ .map(|e| e.compression.as_str()),
+ Some("Stored")
+ );
+ }
+
+ #[test]
+ fn embed_signature_rejects_existing_signature_without_overwrite() {
+ let zip = zip_with(&[(PACKAGE_SIGNATURE_FILE_NAME, b"old")]);
+ let err =
+ embed_signature(Cursor::new(zip), Cursor::new(Vec::new()), b"new", false).unwrap_err();
+
+ assert!(err.to_string().contains("already contains"));
+ }
+
+ #[test]
+ fn embed_signature_replaces_existing_signature_with_overwrite() {
+ let zip = zip_with(&[(PACKAGE_SIGNATURE_FILE_NAME, b"old")]);
+ let mut out = Cursor::new(Vec::new());
+
+ embed_signature(Cursor::new(zip), &mut out, b"new-signature", true).unwrap();
+ let info = inspect_package_reader_for_test(out.into_inner());
+
+ assert_eq!(
+ info.entry(PACKAGE_SIGNATURE_FILE_NAME)
+ .map(|e| e.uncompressed_size),
+ Some(13)
+ );
+ }
+
+ #[test]
+ fn extract_signature_returns_embedded_signature_bytes() {
+ let zip = zip_with(&[
+ ("lib/net8.0/a.dll", b"pe"),
+ (PACKAGE_SIGNATURE_FILE_NAME, b"cms"),
+ ]);
+
+ let signature = extract_signature(Cursor::new(zip)).unwrap();
+
+ assert_eq!(signature, b"cms");
+ }
+
+ #[test]
+ fn write_package_without_signature_removes_root_signature() {
+ let zip = zip_with(&[
+ ("lib/net8.0/a.dll", b"pe"),
+ (PACKAGE_SIGNATURE_FILE_NAME, b"cms"),
+ ]);
+ let mut out = Cursor::new(Vec::new());
+
+ write_package_without_signature(Cursor::new(zip), &mut out).unwrap();
+ let info = inspect_package_reader_for_test(out.into_inner());
+
+ assert!(info.entry(PACKAGE_SIGNATURE_FILE_NAME).is_none());
+ assert_eq!(
+ info.entry("lib/net8.0/a.dll").map(|e| e.uncompressed_size),
+ Some(2)
+ );
+ }
+
+ fn inspect_package_reader_for_test(bytes: Vec) -> PackageSummary {
+ crate::opc::inspect_package_reader(Cursor::new(bytes)).unwrap()
+ }
+
fn tempfile_path(name: &str) -> std::path::PathBuf {
let mut path = std::env::temp_dir();
path.push(format!("psign-opc-sign-{}-{name}", std::process::id()));
diff --git a/crates/psign-opc-sign/src/vsix.rs b/crates/psign-opc-sign/src/vsix.rs
index 25aa9de..1186562 100644
--- a/crates/psign-opc-sign/src/vsix.rs
+++ b/crates/psign-opc-sign/src/vsix.rs
@@ -1,6 +1,28 @@
-use crate::opc::{PackageSummary, inspect_package_path};
-use anyhow::Result;
+use crate::opc::{
+ CONTENT_TYPES_PART, OPC_SIGNATURE_ORIGIN_PART, OPC_SIGNATURES_PREFIX, PackageSummary,
+ ROOT_RELATIONSHIPS_PART, inspect_package_path, normalize_zip_part_name,
+};
+use anyhow::{Context, Result, anyhow};
+use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64_STANDARD};
+use sha2::{Digest, Sha256, Sha384, Sha512};
+use std::collections::BTreeMap;
+use std::fs::File;
+use std::io::{Read, Seek, Write};
use std::path::Path;
+use zip::write::FileOptions;
+
+pub const DEFAULT_VSIX_SIGNATURE_PART: &str =
+ "package/services/digital-signature/xml-signature/psign-signature.psdsxs";
+const OPC_SIGNATURE_ORIGIN_RELS_PART: &str =
+ "package/services/digital-signature/_rels/origin.psdsor.rels";
+const OPC_SIGNATURE_ORIGIN_CONTENT_TYPE: &str =
+ "application/vnd.openxmlformats-package.digital-signature-origin";
+const OPC_SIGNATURE_XML_CONTENT_TYPE: &str =
+ "application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml";
+const OPC_SIGNATURE_ORIGIN_REL_TYPE: &str =
+ "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/origin";
+const OPC_SIGNATURE_REL_TYPE: &str =
+ "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/signature";
#[derive(Clone, Debug, Eq, PartialEq)]
pub struct VsixPackageInfo {
@@ -8,6 +30,39 @@ pub struct VsixPackageInfo {
pub has_opc_signature: bool,
}
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum VsixHashAlgorithm {
+ Sha256,
+ Sha384,
+ Sha512,
+}
+
+impl VsixHashAlgorithm {
+ pub fn digest_uri(self) -> &'static str {
+ match self {
+ Self::Sha256 => "http://www.w3.org/2001/04/xmlenc#sha256",
+ Self::Sha384 => "http://www.w3.org/2001/04/xmldsig-more#sha384",
+ Self::Sha512 => "http://www.w3.org/2001/04/xmlenc#sha512",
+ }
+ }
+
+ pub fn signature_uri(self) -> &'static str {
+ match self {
+ Self::Sha256 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+ Self::Sha384 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+ Self::Sha512 => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+ }
+ }
+
+ pub fn hash(self, bytes: &[u8]) -> Vec {
+ match self {
+ Self::Sha256 => Sha256::digest(bytes).to_vec(),
+ Self::Sha384 => Sha384::digest(bytes).to_vec(),
+ Self::Sha512 => Sha512::digest(bytes).to_vec(),
+ }
+ }
+}
+
pub fn inspect_vsix_path(path: &Path) -> Result {
let package = inspect_package_path(path)?;
let has_opc_signature =
@@ -17,3 +72,624 @@ pub fn inspect_vsix_path(path: &Path) -> Result {
has_opc_signature,
})
}
+
+pub fn signature_reference_xml_path(path: &Path, algorithm: VsixHashAlgorithm) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ signature_reference_xml(reader, algorithm)
+ .with_context(|| format!("create VSIX signature reference XML for {}", path.display()))
+}
+
+pub fn signature_reference_xml(reader: R, algorithm: VsixHashAlgorithm) -> Result>
+where
+ R: Read + Seek,
+{
+ let signed_info = signed_info_xml(reader, algorithm)?;
+ Ok(signature_xml_from_signed_info(&signed_info, &[], None).into_bytes())
+}
+
+pub fn signed_info_xml_path(path: &Path, algorithm: VsixHashAlgorithm) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ signed_info_xml(reader, algorithm)
+ .with_context(|| format!("create VSIX SignedInfo XML for {}", path.display()))
+}
+
+pub fn signed_info_xml(reader: R, algorithm: VsixHashAlgorithm) -> Result>
+where
+ R: Read + Seek,
+{
+ let references = reference_digests(reader, algorithm)?;
+ if references.is_empty() {
+ return Err(anyhow!(
+ "VSIX package has no non-signature parts to reference"
+ ));
+ }
+
+ let mut xml = String::new();
+ xml.push_str("");
+ xml.push_str(
+ r#""#,
+ );
+ xml.push_str(&format!(
+ r#""#,
+ algorithm.signature_uri()
+ ));
+ for (name, digest) in references {
+ xml.push_str(&format!(
+ r#"{}"#,
+ xml_escape_attr(&name),
+ algorithm.digest_uri(),
+ BASE64_STANDARD.encode(digest)
+ ));
+ }
+ xml.push_str("");
+ Ok(xml.into_bytes())
+}
+
+pub fn signature_xml_path(
+ path: &Path,
+ algorithm: VsixHashAlgorithm,
+ signature_value: &[u8],
+ signer_cert_der: Option<&[u8]>,
+) -> Result> {
+ let signed_info = signed_info_xml_path(path, algorithm)?;
+ Ok(signature_xml_from_signed_info(&signed_info, signature_value, signer_cert_der).into_bytes())
+}
+
+pub fn signature_xml_from_signed_info(
+ signed_info_xml: &[u8],
+ signature_value: &[u8],
+ signer_cert_der: Option<&[u8]>,
+) -> String {
+ let signed_info = String::from_utf8_lossy(signed_info_xml);
+ let mut xml = String::new();
+ xml.push_str(r#""#);
+ xml.push_str(&signed_info);
+ xml.push_str("");
+ xml.push_str(&BASE64_STANDARD.encode(signature_value));
+ xml.push_str("");
+ if let Some(cert) = signer_cert_der {
+ xml.push_str("");
+ xml.push_str(&BASE64_STANDARD.encode(cert));
+ xml.push_str("");
+ }
+ xml.push_str("");
+ xml
+}
+
+pub fn verify_signature_reference_xml_path(
+ path: &Path,
+ signature_xml: &[u8],
+ algorithm: VsixHashAlgorithm,
+) -> Result {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ verify_signature_reference_xml(reader, signature_xml, algorithm)
+ .with_context(|| format!("verify VSIX signature references for {}", path.display()))
+}
+
+pub fn verify_signature_reference_xml(
+ reader: R,
+ signature_xml: &[u8],
+ algorithm: VsixHashAlgorithm,
+) -> Result
+where
+ R: Read + Seek,
+{
+ let expected = reference_digests(reader, algorithm)?;
+ let actual = parse_reference_digests(signature_xml, algorithm)?;
+ if actual.len() != expected.len() {
+ return Err(anyhow!(
+ "VSIX signature reference count mismatch: expected {}, found {}",
+ expected.len(),
+ actual.len()
+ ));
+ }
+ for (name, digest) in &expected {
+ match actual.get(name) {
+ Some(actual_digest) if actual_digest == digest => {}
+ Some(_) => {
+ return Err(anyhow!(
+ "VSIX signature reference digest mismatch for {name}"
+ ));
+ }
+ None => return Err(anyhow!("VSIX signature reference missing for {name}")),
+ }
+ }
+ Ok(expected.len())
+}
+
+pub fn extract_signature_xml_path(path: &Path) -> Result> {
+ let reader = File::open(path).with_context(|| format!("open {}", path.display()))?;
+ extract_signature_xml(reader)
+ .with_context(|| format!("extract VSIX signature XML from {}", path.display()))
+}
+
+pub fn extract_signature_xml(reader: R) -> Result>
+where
+ R: Read + Seek,
+{
+ let mut archive = zip::ZipArchive::new(reader).context("open VSIX ZIP")?;
+ let mut signature_part = None;
+ for i in 0..archive.len() {
+ let file = archive.by_index(i).context("read VSIX ZIP entry")?;
+ let name = normalize_zip_part_name(file.name())?;
+ if !file.is_dir()
+ && name.starts_with(OPC_SIGNATURES_PREFIX)
+ && signature_part.replace(name.clone()).is_some()
+ {
+ return Err(anyhow!(
+ "VSIX package contains multiple OPC signature XML parts"
+ ));
+ }
+ }
+ let signature_part =
+ signature_part.ok_or_else(|| anyhow!("VSIX package does not contain OPC signature XML"))?;
+ let mut file = archive
+ .by_name(&signature_part)
+ .with_context(|| format!("read VSIX signature XML part {signature_part}"))?;
+ let mut xml = Vec::new();
+ file.read_to_end(&mut xml)
+ .context("read VSIX signature XML")?;
+ if xml.is_empty() {
+ return Err(anyhow!("VSIX signature XML payload is empty"));
+ }
+ Ok(xml)
+}
+
+fn reference_digests(
+ reader: R,
+ algorithm: VsixHashAlgorithm,
+) -> Result>>
+where
+ R: Read + Seek,
+{
+ let mut archive = zip::ZipArchive::new(reader).context("open VSIX ZIP")?;
+ let mut references = BTreeMap::new();
+ for i in 0..archive.len() {
+ let mut file = archive.by_index(i).context("read VSIX ZIP entry")?;
+ let name = normalize_zip_part_name(file.name())?;
+ if file.is_dir()
+ || name == CONTENT_TYPES_PART
+ || name == ROOT_RELATIONSHIPS_PART
+ || is_opc_signature_entry(&name)
+ {
+ continue;
+ }
+ let mut bytes = Vec::with_capacity(file.size() as usize);
+ file.read_to_end(&mut bytes)?;
+ references.insert(name, algorithm.hash(&bytes));
+ }
+ Ok(references)
+}
+
+fn parse_reference_digests(
+ signature_xml: &[u8],
+ algorithm: VsixHashAlgorithm,
+) -> Result>> {
+ let text = std::str::from_utf8(signature_xml).context("VSIX signature XML is not UTF-8")?;
+ let mut references = BTreeMap::new();
+ let mut cursor = 0usize;
+ while let Some(reference_start) = text[cursor..].find("')
+ .map(|offset| reference_start + offset)
+ .ok_or_else(|| anyhow!("VSIX signature XML Reference tag is not closed"))?;
+ let close_start = text[tag_end..]
+ .find("")
+ .map(|offset| tag_end + offset)
+ .ok_or_else(|| anyhow!("VSIX signature XML Reference element is not closed"))?;
+ let tag = &text[reference_start..=tag_end];
+ let body = &text[tag_end + 1..close_start];
+ let uri = xml_attr(tag, "URI")
+ .ok_or_else(|| anyhow!("VSIX signature XML Reference is missing URI"))?;
+ let name = uri
+ .strip_prefix('/')
+ .ok_or_else(|| anyhow!("VSIX signature XML Reference URI must be package-absolute"))?;
+ let name = normalize_zip_part_name(name)?;
+ if !body.contains(&format!(
+ r#""#,
+ algorithm.digest_uri()
+ )) {
+ return Err(anyhow!(
+ "VSIX signature XML Reference for {name} does not use expected digest algorithm"
+ ));
+ }
+ let digest_value = element_text(body, "DigestValue").ok_or_else(|| {
+ anyhow!("VSIX signature XML Reference for {name} is missing DigestValue")
+ })?;
+ let digest = BASE64_STANDARD
+ .decode(digest_value)
+ .context("VSIX signature XML DigestValue is not valid base64")?;
+ if references.insert(name.clone(), digest).is_some() {
+ return Err(anyhow!("duplicate VSIX signature XML Reference for {name}"));
+ }
+ cursor = close_start + "".len();
+ }
+ Ok(references)
+}
+
+pub fn signed_info_xml_from_signature_xml(signature_xml: &[u8]) -> Result> {
+ let text = std::str::from_utf8(signature_xml).context("VSIX signature XML is not UTF-8")?;
+ let start = text
+ .find("")
+ .ok_or_else(|| anyhow!("VSIX signature XML is missing SignedInfo"))?;
+ let end = text[start..]
+ .find("")
+ .map(|offset| start + offset + "".len())
+ .ok_or_else(|| anyhow!("VSIX signature XML SignedInfo element is not closed"))?;
+ Ok(text.as_bytes()[start..end].to_vec())
+}
+
+pub fn signature_value_from_signature_xml(signature_xml: &[u8]) -> Result> {
+ let text = std::str::from_utf8(signature_xml).context("VSIX signature XML is not UTF-8")?;
+ let value = element_text(text, "SignatureValue")
+ .ok_or_else(|| anyhow!("VSIX signature XML is missing SignatureValue"))?;
+ let signature = BASE64_STANDARD
+ .decode(value)
+ .context("VSIX SignatureValue is not valid base64")?;
+ if signature.is_empty() {
+ return Err(anyhow!("VSIX SignatureValue is empty"));
+ }
+ Ok(signature)
+}
+
+pub fn signer_certificate_from_signature_xml(signature_xml: &[u8]) -> Result