Bump LZMA-SDK version to avoid CG warning

[garath]

Update LZMA-SDK from version 18.1.0 to 19.0.0 to take the MIT license.

Because this library only exposes a subset of the total "lzma sdk", it happens that there are no code changes between these versions.

This project doesn't have unit tests and I'm not familiar with anything that holds signatures in an LZMA archive (the code seems to look for ".lzma"), so I have not been able to actually run this code path. Any advice welcome.

Given the simplicity of the library change I think this is safe to take.

[ghost]

@joeloff might be able to help with how to verify this.

[garath]

@joeloff Can you point me to any packages using LZMA that signcheck would deal with so that I can verify this change?

[joeloff]

That was added to deal with the .NET 2.0 SDK when we shipped the local feed of NuGet packages as an LZMA file inside the SDK MSI. 2.2 SDK might work too.

You can try https://download.microsoft.com/download/2/9/3/293BC432-348C-4D1C-B628-5AC8AB7FA162/dotnet-sdk-2.1.3-win-x64.exe

If you testing directly with SignCheck, you can feed it the URL as an input file (-i) and it should try download the file for you. You'll probably also need the -r to open the containers

[garath]

Thanks, @joeloff. That was exactly what I needed to know.

It took me a bit but I discovered the LZMA portion wasn't registering its extension correctly so hasn't been running. I've fixed it.

[joeloff]

Thanks, @joeloff. That was exactly what I needed to know.

It took me a bit but I discovered the LZMA portion wasn't registering its extension correctly so hasn't been running. I've fixed it.

Thanks. The catch with LZMA as I recall is that there is no magic header you can fall back to when you don't have a recognizable extension