(cake-buildGH-685) Adds support for SHA-256 code signing and timestam…

…ps in SignTool
bjorkstromm · Oct 25, 2016 · 6c6d236 · 6c6d236
1 parent e4506a4
commit 6c6d236
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 2 deletions.
diff --git a/src/Cake.Common.Tests/Unit/Tools/SignTool/SignToolSignRunnerTests.cs b/src/Cake.Common.Tests/Unit/Tools/SignTool/SignToolSignRunnerTests.cs
@@ -4,6 +4,7 @@
 
 using System;
 using Cake.Common.Tests.Fixtures.Tools;
+using Cake.Common.Tools.SignTool;
 using Cake.Core;
 using Cake.Testing;
 using Xunit;
@@ -279,6 +280,48 @@ public void Should_Call_Sign_Tool_With_Correct_Parameters_With_Thumbprint()
                 // Then
                 Assert.Equal("SIGN /t \"https://t.com/\" /sha1 \"ThumbprintTest\" \"/Working/a.dll\"", result.Args);
             }
+
+            [Fact]
+            public void Should_Call_Sign_Tool_With_Correct_Parameters_With_Sha256_Digest_Algorithm()
+            {
+                // Given
+                var fixture = new SignToolSignRunnerFixture();
+                fixture.Settings.DigestAlgorithm = SignToolDigestAlgorithm.Sha256;
+
+                // When
+                var result = fixture.Run();
+
+                // Then
+                Assert.Equal("SIGN /fd sha256 /t \"https://t.com/\" /f \"/Working/cert.pfx\" /p secret \"/Working/a.dll\"", result.Args);
+            }
+
+            [Fact]
+            public void Should_Call_Sign_Tool_With_Correct_Parameters_With_RFC6131_Timestamp_Uri_And_Sha256_Timestamp_Algorithm()
+            {
+                // Given
+                var fixture = new SignToolSignRunnerFixture();
+                fixture.Settings.TimeStampDigestAlgorithm = SignToolDigestAlgorithm.Sha256;
+
+                // When
+                var result = fixture.Run();
+
+                // Then
+                Assert.Equal("SIGN /tr \"https://t.com/\" /td sha256 /f \"/Working/cert.pfx\" /p secret \"/Working/a.dll\"", result.Args);
+            }
+
+            [Fact]
+            public void Should_Call_Sign_Tool_With_Correct_Parameters_With_Append_Signature()
+            {
+                // Given
+                var fixture = new SignToolSignRunnerFixture();
+                fixture.Settings.AppendSignature = true;
+
+                // When
+                var result = fixture.Run();
+
+                // Then
+                Assert.Equal("SIGN /t \"https://t.com/\" /f \"/Working/cert.pfx\" /p secret /as \"/Working/a.dll\"", result.Args);
+            }
         }
     }
 }
diff --git a/src/Cake.Common/Tools/SignTool/SignToolDigestAlgorithm.cs b/src/Cake.Common/Tools/SignTool/SignToolDigestAlgorithm.cs
@@ -0,0 +1,18 @@
+namespace Cake.Common.Tools.SignTool
+{
+    /// <summary>
+    /// Digest algorithm for SignTool
+    /// </summary>
+    public enum SignToolDigestAlgorithm
+    {
+        /// <summary>
+        /// SHA-1 digest algorithm
+        /// </summary>
+        Sha1,
+
+        /// <summary>
+        /// SHA-256 digest algorithm.
+        /// </summary>
+        Sha256
+    }
+}
diff --git a/src/Cake.Common/Tools/SignTool/SignToolSignRunner.cs b/src/Cake.Common/Tools/SignTool/SignToolSignRunner.cs
@@ -104,9 +104,27 @@ private ProcessArgumentBuilder GetArguments(FilePath assemblyPath, SignToolSignS
             // SIGN Command.
             builder.Append("SIGN");
 
+            // SHA-256.
+            if (settings.DigestAlgorithm == SignToolDigestAlgorithm.Sha256)
+            {
+                builder.Append("/fd sha256");
+            }
+
             // TimeStamp server.
-            builder.Append("/t");
-            builder.AppendQuoted(settings.TimeStampUri.AbsoluteUri);
+            if (settings.TimeStampDigestAlgorithm == SignToolDigestAlgorithm.Sha256)
+            {
+                // If Sha256 use RFC 3161 timestamp server.
+                builder.Append("/tr");
+                builder.AppendQuoted(settings.TimeStampUri.AbsoluteUri);
+
+                builder.Append("/td sha256");
+            }
+            else
+            {
+                // Otherwise use SHA-1 Authenticode timestamp server
+                builder.Append("/t");
+                builder.AppendQuoted(settings.TimeStampUri.AbsoluteUri);
+            }
 
             if (settings.CertPath == null && string.IsNullOrEmpty(settings.CertThumbprint))
             {
@@ -180,6 +198,12 @@ private ProcessArgumentBuilder GetArguments(FilePath assemblyPath, SignToolSignS
                 builder.AppendQuoted(settings.DescriptionUri.AbsoluteUri);
             }
 
+            // Append signature.
+            if (settings.AppendSignature)
+            {
+                builder.Append("/as");
+            }
+
             // Target Assembly to sign.
             builder.AppendQuoted(assemblyPath.MakeAbsolute(_environment).FullPath);
 

diff --git a/src/Cake.Common/Tools/SignTool/SignToolSignSettings.cs b/src/Cake.Common/Tools/SignTool/SignToolSignSettings.cs
@@ -42,5 +42,20 @@ public sealed class SignToolSignSettings : ToolSettings
         /// Gets or sets the signed content's expanded description URL.
         /// </summary>
         public Uri DescriptionUri { get; set; }
+
+        /// <summary>
+        /// Gets or sets the file digest algorithm
+        /// </summary>
+        public SignToolDigestAlgorithm DigestAlgorithm { get; set; }
+
+        /// <summary>
+        /// Gets or sets the timestamp digest algorithm
+        /// </summary>
+        public SignToolDigestAlgorithm TimeStampDigestAlgorithm { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether the signature should be appended
+        /// </summary>
+        public bool AppendSignature { get; set; }
     }
 }