@mmitche mmitche commented May 20, 2025

Native images don't have readable copyright info on Linux. Composite r2r images show up as fully native images, and trigger the 3rd party warning when signing on Mac/Linux. The list of these files is very small (currently a list of 1).

Support a "no check" list.

These images don't have valid copyright info. If we emit the warning, various repos will just fail. To detect these, we need to read the export table. To do so, we use runtime's ILCompiler.Reflection.ReadyToRun.Experimental package, which has some PEReader extensions.
@mmitche mmitche requested a review from a team May 20, 2025 21:26
jkoritzinsky previously approved these changes May 21, 2025

@jkoritzinsky jkoritzinsky left a comment

LGTM once tests are passing

mmitche commented May 21, 2025

Causes assembly load failures when using signtool with desktop msbuild.

mmitche commented Jun 3, 2025

Dug a bit further and I really understand what is going on now. This issue is primarily Windows vs. Linux. When you have a composite r2r image, the native PE image still has a resource section with the native copyright info. When we can't find the managed copyright attrs, we fall back to the native copyright info. This is obtained via FileVersionInfo. On Windows, this information is loaded via native interop. It is NOT populated on *nix.

So what is happening is that we end up with an empty copyright string, which then causes the warning. The workaround to detect an r2r image is reasonable, since the likelihood is that we created such an image, but it's not ideal.

I think a better methodology is to just add an explicit opt-out to the 3rd party check. The "I know what I'm doing for Blah.dll" config.

@mmitche mmitche changed the title from "Avoid emitting 3rd party signature warnings on composite r2r images" to "Support skipping 3rd party signature check" Jun 3, 2025
ViktorHofer previously approved these changes Jun 4, 2025
@mmitche mmitche requested a review from ViktorHofer June 4, 2025 16:59
@mmitche mmitche enabled auto-merge (squash) June 4, 2025 16:59
@mmitche mmitche merged commit b305863 into dotnet:main Jun 5, 2025
11 checks passed