
There is no non-Obsolete way to read an Authenticode signer certificate in .NET 9 #109941

Closed
BillArmstrong opened this issue Nov 19, 2024 · 5 comments
Labels
api-suggestion Early API idea and discussion, it is NOT ready for implementation area-System.Security

Comments

@BillArmstrong

The X509Certificate.CreateFromSignedFile method is marked as obsolete in .Net 9.0 with the following text:

Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.

The closest method in X509CertificateLoader is X509CertificateLoader.LoadCertificateFromFile, but if you try to use this method with a signed file, it fails with an exception. This is not surprising as the loader method indicates the following:

This method only loads plain certificates, which are identified as Cert by GetCertContentType(String)

The loader class does not appear to have a method to load a certificate from a signed file.

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Nov 19, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs changed the title The X509Certificate.CreateFromSignedFile method has no equivalent in .Net 9.0 There is no non-Obsolete way to read an Authenticode signer certificate in .NET 9 Nov 19, 2024
@bartonjs bartonjs added api-suggestion Early API idea and discussion, it is NOT ready for implementation and removed untriaged New issue has not been triaged by the area owner labels Nov 19, 2024
@bartonjs
Member

X509Certificate.CreateFromSignedFile doesn't do what you think it does... it's just a vanity wrapper over new X509Certificate2(bytes). It doesn't check that the contents are Authenticode.

So I've updated the title to reflect more what I think your concern is.

To set expectations: I don't think we're going to add something like X509CertificateLoader.LoadAuthenticodeSignerFromFile that does what new X509Certificate2(file) does for Authenticode inputs. That algorithm only returns the first signer of the first signature, which for things signed by Microsoft (at least, some/many/most of them) is the Windows-XP-compatible RSA+SHA-1 signature, instead of the newer RSA+SHA-2-256 signature.

So we probably need something more complicated. Either just a collection of the certificates, or a method on SignedCms to get the whole Authenticode block, or something. (Method on SignedCms probably makes the most sense, since that's really what new X509Certificate2(authenticode) does)

@BillArmstrong
Author

Yes, I was aware that it was a vanity wrapper. In fact, in my code I'm actually using the constructor. I just posted that description because the name of the method actually reflects what I'm doing. I'm loading the signing certificate from a signed file, which in our case happens to be an RSA+SHA-2-256 signature because it is a file that we signed ourselves.

We're using the WinTrust library to do the actual Authenticode validation, but we also need to check that the certificate used is the specific certificate that we expect.

At any rate, any non-obsolete mechanism would be appreciated.
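Worked example added here to illustrate the two points above; it is not code from this thread, from the .NET runtime, or from any of the participants. It walks the PE security directory to pull out every Authenticode PKCS#7 blob, decodes each with SignedCms, follows nested signatures (the szOID_NESTED_SIGNATURE unsigned attribute, 1.3.6.1.4.1.311.2.4.1), and reports whether any signer matches a pinned SHA-256 thumbprint and used SHA-256 as the digest. Unlike `new X509Certificate2(file)`, it sees all signers rather than only the first one of the first signature. It assumes the System.Security.Cryptography.Pkcs package is referenced, that the file path and expected thumbprint are placeholders you supply, and that each nested-signature attribute value is a complete PKCS#7 ContentInfo. It does not verify the signature or chain; that remains WinTrust's job, as in the original post.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Added example, not runtime code. Enumerates Authenticode signers in a PE file
// and pins one of them to an expected certificate thumbprint.
static class AuthenticodeSigners
{
    const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1"; // szOID_NESTED_SIGNATURE
    const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
    const int SecurityDirectoryIndex = 4;                      // IMAGE_DIRECTORY_ENTRY_SECURITY

    static void Require(bool ok, string what)
    {
        if (!ok) throw new InvalidDataException(what);
    }

    // Returns the raw PKCS#7 SignedData blobs stored in the PE security directory.
    // The directory's "VirtualAddress" is a file offset, not an RVA.
    public static List<byte[]> ReadSignatureBlobs(byte[] pe)
    {
        var blobs = new List<byte[]>();
        Require(pe.Length >= 0x40, "Too small for a DOS header");
        int peHeader = BitConverter.ToInt32(pe, 0x3C);
        Require(peHeader > 0 && peHeader + 24 + 2 <= pe.Length, "Bad e_lfanew");
        Require(BitConverter.ToUInt32(pe, peHeader) == 0x00004550, "Missing PE\\0\\0 signature");

        int optional = peHeader + 24;                           // after COFF header
        ushort magic = BitConverter.ToUInt16(pe, optional);
        int dirOffset = magic switch
        {
            0x10b => optional + 96,                             // PE32
            0x20b => optional + 112,                            // PE32+
            _ => throw new InvalidDataException("Unknown optional header magic")
        };
        int entry = dirOffset + SecurityDirectoryIndex * 8;
        Require(entry + 8 <= pe.Length, "Truncated data directories");
        uint certOffset = BitConverter.ToUInt32(pe, entry);
        uint certSize = BitConverter.ToUInt32(pe, entry + 4);
        if (certOffset == 0 || certSize == 0) return blobs;     // unsigned file

        long end = (long)certOffset + certSize;
        Require(end <= pe.Length, "Security directory out of range");
        long pos = certOffset;
        while (pos + 8 <= end)                                  // WIN_CERTIFICATE entries
        {
            uint len = BitConverter.ToUInt32(pe, (int)pos);     // dwLength, includes header
            ushort type = BitConverter.ToUInt16(pe, (int)pos + 6); // wCertificateType
            Require(len >= 8 && pos + len <= end, "Corrupt WIN_CERTIFICATE");
            if (type == 0x0002)                                 // WIN_CERT_TYPE_PKCS_SIGNED_DATA
                blobs.Add(pe[((int)pos + 8)..(int)(pos + len)]);
            pos += (len + 7) & ~7u;                             // entries are 8-byte aligned
        }
        return blobs;
    }

    // Yields every signer of a PKCS#7 blob, then recurses into nested signatures
    // (assumption: each nested attribute value is a complete PKCS#7 ContentInfo).
    public static IEnumerable<SignerInfo> EnumerateSigners(byte[] pkcs7)
    {
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            yield return signer;
            foreach (CryptographicAttributeObject attr in signer.UnsignedAttributes)
            {
                if (attr.Oid.Value != NestedSignatureOid) continue;
                foreach (AsnEncodedData nested in attr.Values)
                    foreach (SignerInfo inner in EnumerateSigners(nested.RawData))
                        yield return inner;
            }
        }
    }

    // True if some signer in the file is the pinned certificate and used SHA-256.
    // Signature and chain validity are not checked here.
    public static bool HasExpectedSigner(string path, string expectedSha256Thumbprint)
    {
        byte[] pe = File.ReadAllBytes(path);
        foreach (byte[] blob in ReadSignatureBlobs(pe))
            foreach (SignerInfo signer in EnumerateSigners(blob))
            {
                X509Certificate2? cert = signer.Certificate;
                if (cert is null) continue;                     // signer cert not embedded
                string thumb = cert.GetCertHashString(HashAlgorithmName.SHA256);
                if (signer.DigestAlgorithm.Value == Sha256Oid &&
                    string.Equals(thumb, expectedSha256Thumbprint, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        return false;
    }

    static void Main(string[] args)
    {
        // Placeholders: supply your own signed file and expected thumbprint.
        string path = args.Length > 0 ? args[0] : @"C:\path\to\signed.exe";
        string expected = args.Length > 1 ? args[1] : "<EXPECTED_SHA256_THUMBPRINT>";
        Console.WriteLine(HasExpectedSigner(path, expected) ? "pinned signer present" : "no match");
    }
}
```

Pinning by SHA-256 thumbprint of the embedded certificate is a deliberate choice over comparing subject names, which are attacker-controlled strings; and requiring the SHA-256 digest OID avoids accepting only the legacy SHA-1 signer that the first-signer algorithm would return on dual-signed files.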

@krwq
Member

krwq commented Nov 19, 2024

@BillArmstrong for now you can use @vcsjones's library https://www.nuget.org/packages/AuthenticodeExaminer (note that this is his repo and it's not Microsoft owned) - it's open source under the MIT license, so you can check how he does it or just use his lib for that. The repo README contains samples of how to do that. If you feel strongly we should add such an API into the runtime, please create an API suggestion and fill in the template - as @bartonjs mentioned, if we decide to accept such an API it likely belongs in SignedCms or an entirely separate class.

@BillArmstrong
Author

Thank you for that. I get that the obsoleted API may not be useful to everyone in its current form, although it worked fine for my purposes. As long as there is a reasonable alternative available, I don't really have any strong feelings one way or another regarding the API being provided by the runtime. Whether or not it belongs in the runtime probably depends on how many developers have a need for it. All I can say is that I would use it if it was available.
