PEBuilder.Sign: Calculate checksum after writing the signature (#25871)

Author: tmat

src/System.Reflection.Metadata/src/System/Reflection/PortableExecutable/PEBuilder.cs

@@ -502,11 +502,12 @@ internal void Sign(BlobBuilder peImage, Blob strongNameSignatureFixup, Func<IEnu
                 throw new InvalidOperationException(SR.SignatureProviderReturnedInvalidSignature);
             }
 
-            uint checksum = CalculateChecksum(peImage, _lazyChecksum);
-            new BlobWriter(_lazyChecksum).WriteUInt32(checksum);
-
             var writer = new BlobWriter(strongNameSignatureFixup);
             writer.WriteBytes(signature);
+
+            // Calculate the checksum after the strong name signature has been written.
+            uint checksum = CalculateChecksum(peImage, _lazyChecksum);
+            new BlobWriter(_lazyChecksum).WriteUInt32(checksum);
         }
 
         // internal for testing

src/System.Reflection.Metadata/tests/PortableExecutable/PEBuilderTests.cs

@@ -58,14 +58,15 @@ private static void WritePEImage(
             BlobBuilder ilBuilder, 
             MethodDefinitionHandle entryPointHandle,
             Blob mvidFixup = default(Blob),
-            byte[] privateKeyOpt = null)
+            byte[] privateKeyOpt = null,
+            bool publicSigned = false)
         {
             var peBuilder = new ManagedPEBuilder(
                 entryPointHandle.IsNil ? PEHeaderBuilder.CreateLibraryHeader() : PEHeaderBuilder.CreateExecutableHeader(),
                 new MetadataRootBuilder(metadataBuilder),
                 ilBuilder,
                 entryPoint: entryPointHandle,
-                flags: CorFlags.ILOnly | (privateKeyOpt != null ? CorFlags.StrongNameSigned : 0),
+                flags: CorFlags.ILOnly | (privateKeyOpt != null || publicSigned ? CorFlags.StrongNameSigned : 0),
                 deterministicIdProvider: content => s_contentId);
 
             var peBlob = new BlobBuilder();
@@ -108,7 +109,11 @@ public void BasicValidation()
                 var ilBuilder = new BlobBuilder();
                 var metadataBuilder = new MetadataBuilder();
                 var entryPoint = BasicValidationEmit(metadataBuilder, ilBuilder);
-                WritePEImage(peStream, metadataBuilder, ilBuilder, entryPoint);
+                WritePEImage(peStream, metadataBuilder, ilBuilder, entryPoint, publicSigned: true);
+
+                peStream.Position = 0;
+                var actualChecksum = new PEHeaders(peStream).PEHeader.CheckSum;
+                Assert.Equal(0U, actualChecksum);
 
                 VerifyPE(peStream);
             }
@@ -124,6 +129,14 @@ public void BasicValidationSigned()
                 var entryPoint = BasicValidationEmit(metadataBuilder, ilBuilder);
                 WritePEImage(peStream, metadataBuilder, ilBuilder, entryPoint, privateKeyOpt: Misc.KeyPair);
 
+                // The expected checksum can be determined by saving the PE stream to a file, 
+                // running "sn -R test.dll KeyPair.snk" and inspecting the resulting binary.
+                // The re-signed binary should be the same as the original one.
+                // See https://github.com/dotnet/corefx/issues/25829.
+                peStream.Position = 0;
+                var actualChecksum = new PEHeaders(peStream).PEHeader.CheckSum;
+                Assert.Equal(0x0000319cU, actualChecksum);
+
                 VerifyPE(peStream, expectedSignature: new byte[] 
                 {
                     0x58, 0xD4, 0xD7, 0x88, 0x3B, 0xF9, 0x19, 0x9F, 0x3A, 0x55, 0x8F, 0x1B, 0x88, 0xBE, 0xA8, 0x42,