Signing assemblies patch #439

Closed
monty241 opened this issue Aug 25, 2023 · 3 comments
@monty241
Contributor

For security reasons as well as Microsoft requirements, we sign all assemblies. For .net 6 we use Obfuscar. On .net 6 however signing does not seem to work or I just don't understand the process documented in .

We currently use a certificate in a password-protected pfx. As documented in #153, there is no support yet to sign the assemblies using a pfx file when protected by a password.

An attempt was made to use the key container VS_KEY_xxx, which was created by installing the pfx using the password (see #146 and https://github.com/obfuscar/obfuscar/blob/master/Obfuscar/Project.cs#L126). However, the output assemblies are not digitally signed.

Sample properties assembly when obfuscated using obfuscar:

image

Sample same assembly signed from another .net framework obfuscator:

image

The project file specifies the key container:

<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by ACME Deploy to obfuscate .NET Core assemblies on 8/25/2023 1:47:39 PM (UTC).-->
<Obfuscator xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <Module file="PATH\ACME.Basics\solutions\ACME Basics\bin\net6.0\ACME.Basics.dll" />
   <Module file="PATH\ACME.Basics\solutions\ACME Basics\bin\net6.0\ACME.Basics.UnitTest.dll" />
   <AssemblySearchPath path="PATH\ACME.Basics\solutions\ACME Basics\bin\net6.0" />
   <Var name="OutPath" value="PATH\ACME.Basics\solutions\ACME Basics\obin\net6.0" />
   <Var name="LogFile" value="PATH\22.1.282-BETA\ACME Basics\map-net6.0\ACME.Basics.22.1.282-BETA-net6.0.xml-map.xml" />
   <Var name="XmlMapping" value="true" />
   <Var name="KeyContainer" value="VS_KEY_0523C04C0C08BDC5" />
   <Var name="HidePrivateApi" value="true" />
   <Var name="HideStrings" value="false" />
   <Var name="MarkedOnly" value="false" />
   <Var name="RenameEvents" value="true" />
   <Var name="RenameFields" value="true" />
   <Var name="RenameProperties" value="true" />
   <Var name="KeepPublicApi" value="true" />
   <Var name="ReuseNames" value="true" />
   <Var name="UseUnicodeNames" value="false" />
   <Var name="UseKoreanNames" value="false" />
   <Var name="OptimizeMethods" value="true" />
   <Var name="SuppressIldasm" value="true" />
   <Var name="AnalyzeXaml" value="true" />
</Obfuscator>

The indicated key container is used by the build as signaled by:

     4>CoreCompile:
         ...\Bin\Roslyn\csc.exe /noconfig /unsafe- /checked- /nowarn:1701,1702,1701,1702 /fullpaths /nostdlib+ /errorreport:prompt /warn:6 ... /debug- /debug:portable /filealign:512 /keycontainer:VS_KEY_0523C04C0C08BDC5 /optimize+ ...

but that might not be a good signal, since the original assembly is not signed either.

I have also tried rewriting our signing following the instructions on https://medium.com/@szplaypiano/sign-the-assembly-with-visual-studio-without-going-crazy-36c6271af6bb to create a derivative pfx, creating the key container using SnInstallPfx, but without result.

I seem unable to get signed assemblies as output of Obfuscar with a reasonable effort.

Question:

Are you open to a patch based upon #146 to include Obfuscar, which takes the PFX password from the XML and yields signed output?
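
A way to check which kind of signature an output assembly actually carries, as an added example that is not part of the original issue or of Obfuscar's code: it reads the PE headers for the strong-name markers (the signature that `/keycontainer` and `KeyContainer` refer to) and for the Authenticode certificate table, which is a separate signature and the one the Windows file properties dialog lists under "Digital Signatures". The names `signing_status` and `sample_image` are hypothetical, and the sample image is a constructed header skeleton, not a real assembly.

```python
import struct

STRONGNAME_SIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED (CLR header Flags)

def signing_status(pe: bytes) -> dict:
    """Report the strong-name and Authenticode markers of a managed PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)             # PE32+ or PE32
    _, cert_size = struct.unpack_from("<II", pe, dirs + 8 * 4)   # certificate table
    clr_rva, _ = struct.unpack_from("<II", pe, dirs + 8 * 14)    # CLR header
    if clr_rva == 0:
        raise ValueError("no CLR header: not a managed assembly")
    sect = opt + opt_size                                    # section table
    for s in range(sect, sect + 40 * nsect, 40):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, s + 8)
        if va <= clr_rva < va + max(vsize, rawsize):
            clr = raw + clr_rva - va                         # RVA -> file offset
            break
    else:
        raise ValueError("CLR header RVA is outside every section")
    flags = struct.unpack_from("<I", pe, clr + 16)[0]
    _, sn_size = struct.unpack_from("<II", pe, clr + 32)     # StrongNameSignature
    return {"strong_name_flag": bool(flags & STRONGNAME_SIGNED),
            "strong_name_bytes": sn_size, "authenticode_bytes": cert_size}

def sample_image(flags: int, sn_size: int, cert_size: int) -> bytes:
    """Constructed PE32 skeleton for the demo; headers only, not loadable."""
    pe = bytearray(0x400)
    pe[:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    struct.pack_into("<H12xH", pe, 0x86, 1, 224)   # 1 section, optional header size
    struct.pack_into("<H", pe, 0x98, 0x10B)        # PE32 magic
    struct.pack_into("<II", pe, 0xF8 + 8 * 4, 0x300, cert_size)
    struct.pack_into("<II", pe, 0xF8 + 8 * 14, 0x2000, 72)
    struct.pack_into("<IIII", pe, 0x180, 0x100, 0x2000, 0x100, 0x200)  # section
    struct.pack_into("<I", pe, 0x210, flags)       # CLR header Flags
    struct.pack_into("<II", pe, 0x220, 0x2050, sn_size)
    return bytes(pe)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image(0x1, 0, 0)
    print(signing_status(data))
```

Run it with the path of the assembly before and after obfuscation to compare the two; without an argument it reports on the constructed sample.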

@lextm
Member

lextm commented Aug 26, 2023

Your description is ambiguous in several places, so I can only suggest that you debug the code base yourself and see what happens after line 220: https://github.com/obfuscar/obfuscar/blob/2.2.38/Obfuscar/Obfuscator.cs#L220

@lextm lextm closed this as completed Aug 26, 2023
@lextm lextm added the question label Aug 26, 2023
@monty241
Contributor Author

Thanks. I assume it is "yes" and provide PRs.

@PatrickHofman
Contributor

All three issues, #146, #153 and this one (#439), are still very much needed. Using the code proposed in #153 I have made signing work. Do you see these changes coming into the actual release? It is just a few lines of code with a high impact. If you want, I can share the code through a pull request.
