Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArgumentNullException thrown viewing Authenticode signed assembly in NuGet package #1633

Open
martincostello opened this issue Oct 31, 2023 · 4 comments
Open

ArgumentNullException thrown viewing Authenticode signed assembly in NuGet package #1633

martincostello opened this issue Oct 31, 2023 · 4 comments

Comments

@martincostello
Copy link
Contributor

Type (choose one):

  • Bug

NPE version: 6.0.64+c118e46e01

OS version: Windows 11, Version 22H2 (OS Build 22621.2428)

Installed from: Microsoft Store

In case of a BUG:

While trying to publish a new release of Polly today, we encountered a failure when trying to validate the Authenticode signatures of the binaries in our NuGet packages. We do this by compiling AuthenticodeLint from source as the .NET 6 version is not available from NuGet.org (see vcsjones/AuthenticodeLint#34). There was no apparent feedback on what was wrong, just that the tool was failing to verify the signatures. See App-vNext/Polly#1760 for more context.

As part of investigating the issue, attempting to view the binaries inside the NuGet packages that were signed, NuGet Package Explorer fails to load the details for the DLLs, and instead shows this modal:

image

This error seems to correlate with the same exception I uncovered in AuthenticodeLint/AuthenticodeExaminer: vcsjones/AuthenticodeExaminer#19

Unpacking the NuGet package files shows the Authenticode signatures as valid in Windows Explorer, and rebuilding AuthenticodeLint as described in the issue above also then successfully validates the files (successful validation workflow).

I'm not aware of any workarounds to this issue - I expect that a dependency of some kind needs updating and the application recompiled and published for a new version to resolve the underlying code that has an issue with the signatures.
@martincostello martincostello mentioned this issue Oct 31, 2023
Merged
@martincostello
Copy link
Contributor Author

I didn't realise that you depended on AuthenticodeExaminer, so I guess this is just the exact same issue as vcsjones/AuthenticodeExaminer#19:

NuGetPackageExplorer/PackageViewModel/PackageViewModel.csproj

Line 13 in c06b7b6

<PackageReference Include="AuthenticodeExaminer" Version="0.3.0" />

I'm going to see if I can force a package update locally that updates the transient dependency and fixes the issue here.

@martincostello
Copy link
Contributor Author

Looking at the diff, it's not a dependency update that fixes it, but what looks like a bunch of code changes that have happened since v0.3.0 was released.

@bgrainger
Copy link

I just encountered the same problem. Call stack of NuGet Package Explorer:

 	System.Private.CoreLib.dll!System.ArgumentNullException.Throw(string paramName)	Unknown
 	System.Private.CoreLib.dll!System.Runtime.InteropServices.Marshal.CopyToManaged<byte>(nint source, byte[] destination, int startIndex, int length)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.CmsSignatureBase.ReadBlob(AuthenticodeExaminer.Interop.CRYPTOAPI_BLOB blob)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(AuthenticodeExaminer.Interop.CRYPT_ATTRIBUTES attributes)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.CmsSignature.InitFromHandles(AuthenticodeExaminer.Interop.CryptMsgSafeHandle messageHandle, AuthenticodeExaminer.Interop.LocalBufferSafeHandle signerHandle)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.CmsSignature.CmsSignature(System.Security.Cryptography.AsnEncodedData data, AuthenticodeExaminer.SignatureKind kind)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.CmsSignature.GetNestedSignatures()	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.SignatureExtensions.VisitAll(AuthenticodeExaminer.ICmsSignature signature, AuthenticodeExaminer.SignatureKind kind, bool deep)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.SignatureExtensions.VisitAll(System.Collections.Generic.IReadOnlyList<AuthenticodeExaminer.ICmsSignature> signatures, AuthenticodeExaminer.SignatureKind kind, bool deep)	Unknown
 	AuthenticodeExaminer.dll!AuthenticodeExaminer.FileInspector.GetSignatures()	Unknown
 	System.Private.CoreLib.dll!System.Collections.Generic.List<AuthenticodeExaminer.AuthenticodeSignature>.List(System.Collections.Generic.IEnumerable<AuthenticodeExaminer.AuthenticodeSignature> collection)	Unknown
 	System.Linq.dll!System.Linq.Enumerable.ToList<AuthenticodeExaminer.AuthenticodeSignature>(System.Collections.Generic.IEnumerable<AuthenticodeExaminer.AuthenticodeSignature> source)	Unknown
>	NuGetPackageExplorer.PackageViewModel.dll!PackageExplorerViewModel.ViewContentCommand.ShowFile(PackageExplorerViewModel.PackageFile file) Line 143	C#
 	NuGetPackageExplorer.PackageViewModel.dll!PackageExplorerViewModel.ViewContentCommand.Execute(object parameter) Line 59	C#
 	NuGetPackageExplorer.dll!PackageExplorer.PackageViewer.OnTreeViewItemDoubleClick(object sender, System.Windows.RoutedEventArgs args) Line 319	C#

If @vcsjones isn't publishing any new versions of AuthenticodeExaminer, would NPE update its dependency to a forked version (if one were published to NuGet)?

@vcsjones
Copy link

vcsjones commented Feb 7, 2025

Sorry for forgetting about this. I will get a fixed version out over the weekend.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bgrainger @vcsjones @martincostello