[Bug]: Signature validation is failing during tag releases #1760

Closed
martincostello opened this issue Oct 31, 2023 · 5 comments

@martincostello (Member)

Describe the bug

Trying to release 8.1.0, the validate-signed-packages job is failing as the Authenticode signatures appear to be invalid: workflow logs.

I've unpublished the release and deleted the tag while I investigate what's going wrong.

Expected behavior

The binaries are signed with a valid Authenticode signature.

Actual behavior

Multiple binaries are not correctly Authenticode signed.

Steps to reproduce

Create a new tag.

Exception(s) (if any)

See workflow logs.

Polly version

No response

.NET Version

No response

Anything else?

No response

@martincostello martincostello added this to the v8.1.0 milestone Oct 31, 2023
@martincostello martincostello self-assigned this Oct 31, 2023
@martincostello (Member, Author)

Looks like there was a new release of the sign tool yesterday - maybe updating that will help.

@martincostello (Member, Author)

Investigation so far:

  1. Trying to view the Authenticode signatures of the DLLs inside the NuGet packages in NuGet Package Explorer fails with this exception:
     [screenshot of the exception]
  2. Running vcsjones/AuthenticodeLint locally fails with a similar exception here:
     [screenshot; the exception text follows]
System.ArgumentNullException
  HResult=0x80004003
  Message=Value cannot be null. Arg_ParamName_Name
  Source=System.Private.CoreLib
  StackTrace:
   at System.Runtime.InteropServices.Marshal.CopyToManaged[T](IntPtr source, T[] destination, Int32 startIndex, Int32 length)
   at AuthenticodeExaminer.CmsSignatureBase.ReadAttributes(CRYPT_ATTRIBUTES attributes)
   at AuthenticodeExaminer.CmsSignature.InitFromHandles(CryptMsgSafeHandle messageHandle, LocalBufferSafeHandle signerHandle)
   at AuthenticodeExaminer.CmsSignature..ctor(AsnEncodedData data, SignatureKind kind)
   at AuthenticodeExaminer.CmsSignature.GetNestedSignatures()
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__0.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 10
   at AuthenticodeLint.SignatureExtensions.<VisitAll>d__1.MoveNext() in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\SignatureExtensions.cs:line 38
   at AuthenticodeLint.Rules.NoWeakFileDigestAlgorithmsRule.Validate(IReadOnlyList`1 graph, SignatureLogger verboseWriter, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Rules\10002-NoWeakFileDigestAlgorithmsRule.cs:line 20
   at AuthenticodeLint.CheckEngine.RunAllRules(String file, IReadOnlyList`1 signatures, List`1 collectors, CheckConfiguration configuration) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\CheckEngine.cs:line 59
   at AuthenticodeLint.Program.Main(String[] args) in C:\Coding\vcsjones\AuthenticodeLint\AuthenticodeLint\Program.cs:line 175

Maybe something in the last two .NET SDK updates broke something in NuGet when packages are signed, or something in Azure Sign Service broke something...
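When the linter you normally rely on throws instead of producing a verdict, the pragmatic move is to cross-check the signatures with a different verifier before touching the release. The script below is an added example and is not Polly's release workflow, AuthenticodeLint or AuthenticodeExaminer code; it unpacks each .nupkg (a zip file) and runs the Windows-only Get-AuthenticodeSignature cmdlet over every DLL inside. The package directory path and the -RequireTimestamp switch are assumptions for illustration, and it has to run on Windows, where Authenticode verification is available.

```powershell
# Added example: independently verify the Authenticode signature of every DLL
# inside a set of NuGet packages. Not the project's own validation job.
param(
    # Assumption: where the freshly built .nupkg files live.
    [string]$PackageDirectory = './artifacts',
    # Also fail when a valid signature carries no timestamp counter-signature.
    [switch]$RequireTimestamp
)

$ErrorActionPreference = 'Stop'
$failures = New-Object System.Collections.Generic.List[string]

Get-ChildItem -Path $PackageDirectory -Filter '*.nupkg' -Recurse | ForEach-Object {
    $package = $_

    # Expand-Archive only accepts a .zip extension, so expand a renamed copy
    # in a throwaway directory rather than touching the package itself.
    $work = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    $contents = Join-Path $work 'contents'
    New-Item -ItemType Directory -Path $work | Out-Null
    $zip = Join-Path $work ($package.BaseName + '.zip')
    Copy-Item -Path $package.FullName -Destination $zip
    Expand-Archive -Path $zip -DestinationPath $contents

    Get-ChildItem -Path $contents -Filter '*.dll' -Recurse | ForEach-Object {
        $dll = $_
        # Verifies the primary Authenticode signature and its certificate chain
        # against the machine's trust store; Status is Valid only if both hold.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName

        if ($sig.Status -ne 'Valid') {
            $failures.Add("$($package.Name): $($dll.Name): $($sig.Status) - $($sig.StatusMessage)")
        }
        elseif ($RequireTimestamp -and -not $sig.TimeStamperCertificate) {
            # An untimestamped signature stops verifying once the signing
            # certificate expires, which matters for long-lived packages.
            $failures.Add("$($package.Name): $($dll.Name): signed but not timestamped")
        }
        else {
            Write-Host "OK   $($package.Name)/$($dll.Name) signed by $($sig.SignerCertificate.Subject)"
        }
    }

    Remove-Item -Path $work -Recurse -Force
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL $_" }
    exit 1
}
Write-Host 'All DLLs carry a valid Authenticode signature.'
```

Two caveats for reading its output: Get-AuthenticodeSignature only reports the primary signature, so it will not walk nested (dual) signatures the way the linter's GetNestedSignatures does, and it says nothing about which file digest algorithm was used, which is what the NoWeakFileDigestAlgorithmsRule in the stack trace above is checking. It is a sanity check that the files really are signed and chain to a trusted root, not a replacement for the stricter rule set; `signtool verify /pa /all` enumerates every signature in a file if the nested ones need inspecting.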

@martincostello (Member, Author)

Rebuilding the linter from source and building its dependency from source works as expected and validates the signatures.

Short-term fix is to commit that into a fork of the repository and to build and run that version in our release process. Once that's set up and working, I can dig further post-release to find the true root cause of the issue and sort things out in a less string-and-duct-tape way.

@martincostello (Member, Author)

Possibly somehow related to dotnet/sdk#33928.

@martincostello (Member, Author)

Resolved by #1761 - looks like the code issue is vcsjones/AuthenticodeExaminer#19, which also affects NuGet Package Explorer, but something else changed to trigger that underlying issue.
