Can't specify hash algorithm for the Sign command #906

Closed
thomaslevesque opened this issue May 20, 2016 · 4 comments
@thomaslevesque
Contributor

There are no properties in SignToolSignSettings to specify:

  • the use of a RFC 3161 timestamp server (/tr instead of /t)
  • the digest algorithm to use for the signature (/fd)
  • the digest algorithm to use for the timestamp (/td)

Worse, it's also not possible to use ArgumentCustomization to add these settings manually, because all options must come before all file arguments. If they're added at the end, SignTool treats them as files, which of course don't exist.

Suggested solution:

  • a UseRfc3161TimestampServer property in SignToolSignSettings to control whether /t or /tr is used
  • A SignatureDigestAlgorithm to control the /fd option
  • A TimestampDigestAlgorithm to control the /td option

OR

A way to insert options before the file names with ArgumentCustomization. I suspect it would be more complex, since this is handled in the Tool<TSettings> base class.

@devlead
Member

devlead commented May 20, 2016

@thomaslevesque yes this would be nice, good feedback.

FYI though, meanwhile you actually can use ArgumentCustomization; it's a Func<ProcessArgumentBuilder, ProcessArgumentBuilder>, so you could just ignore what comes in and replace it.

Example cake script, this is 2 min thrown together so not correct but hopefully you get the gist of it.

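FilePath assembly = File("assembly.dll");

// Declared before assignment so the lambda below can read the settings' own values.
SignToolSignSettings settings;
settings = new SignToolSignSettings
{
    // Ignore the arguments Cake built (args) and return a replacement command line.
    ArgumentCustomization = args => new ProcessArgumentBuilder()
        .Append("SIGN")
        .AppendSwitchQuoted("/tr", settings.TimeStampUri.AbsoluteUri)
        .AppendSwitchQuoted("/sha1", settings.CertThumbprint)
        .Append("/fd") // SignTool expects a digest algorithm name after /fd
        .Append("/td") // SignTool expects a digest algorithm name after /td
        // The file path comes last, after every option.
        .AppendQuoted(assembly.MakeAbsolute(Context.Environment).FullPath),
    TimeStampUri = new Uri("http://localhost"),
    CertThumbprint = "0101010010101001"
};
Sign(assembly, settings);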

This will output something like
SIGN /tr "http://localhost/" /sha1 "http://localhost/" /fd /td "C:/temp/assembly.dll"

While testing things you can even do hacky things like ArgumentCustomization = args => args.Render().Replace("SIGN /t", "SIGN /tr")

@thomaslevesque
Contributor Author

> FYI though, meanwhile you actually can use ArgumentCustomization; it's a Func<ProcessArgumentBuilder, ProcessArgumentBuilder>, so you could just ignore what comes in and replace it.

True, but it's equivalent to redoing most of the work done by SignToolSignRunner, so at this point I might as well just use StartProcess directly 😉
(which is what I'm doing now)
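
The StartProcess route mentioned in the comment above, as an added example that is not code from this thread or from Cake itself: every SignTool option is emitted before the first file argument, with /tr selecting an RFC 3161 timestamp server and /fd and /td set explicitly. The sha256 values, timestamp URL, thumbprint and file names are placeholders chosen for illustration, and signtool.exe is assumed to be on PATH.

```csharp
// Added example: Cake script calling SignTool through StartProcess.
// All values below are constructed placeholders, not taken from the issue.
var timestampUri = new Uri("http://timestamp.example/rfc3161"); // placeholder RFC 3161 server
var thumbprint   = "0000000000000000000000000000000000000000";  // placeholder certificate thumbprint
var digest       = "sha256";                                    // assumed digest for /fd and /td
var files        = new FilePath[] { File("assembly.dll"), File("tool.exe") };

Task("Sign").Does(() =>
{
    // Options first: anything placed after a file name is treated by
    // SignTool as another file to sign, as described in the issue.
    var args = new ProcessArgumentBuilder()
        .Append("sign")
        .AppendSwitch("/fd", digest)                         // signature digest algorithm
        .AppendSwitchQuoted("/tr", timestampUri.AbsoluteUri) // RFC 3161 server (/tr, not /t)
        .AppendSwitch("/td", digest)                         // timestamp digest, given after /tr
        .AppendSwitchQuoted("/sha1", thumbprint);            // select the signing certificate

    // Files last, as absolute quoted paths.
    foreach (var file in files)
    {
        args.AppendQuoted(file.MakeAbsolute(Context.Environment).FullPath);
    }

    Information("signtool {0}", args.RenderSafe());

    // Assumption: signtool.exe resolves from PATH. Unlike the Sign alias,
    // StartProcess performs no tool resolution or parameter validation.
    var exitCode = StartProcess("signtool.exe", new ProcessSettings { Arguments = args });
    if (exitCode != 0)
    {
        throw new Exception("signtool exited with code " + exitCode);
    }
});

RunTarget("Sign");
```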

@devlead
Member

devlead commented May 20, 2016

Well you get tool resolution and validation of known parameters so a little more than just StartProcess 😉

@thomaslevesque
Contributor Author

Fixed by #1308

@gep13 gep13 added this to the v0.17.0 milestone Oct 28, 2016