[BUG] Axe.Windows files are signed with the 3rd party certificate #995

Closed
DaveTryon opened this issue Jan 26, 2024 · 1 comment

Comments

@DaveTryon
Contributor

Please check whether the bug has already been filed.

We've been signing the Axe.Windows files with the Microsoft 3rd party certificate. This certificate is intended for external (non-Microsoft) files that we trust and redistribute with Microsoft products. We should probably be signing the Axe.Windows*.dll files with the same certificate that we use to sign Accessibility Insights (and that other teams use to sign the ApplicationInsights or ADO packages that Microsoft builds).

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://www.nuget.org/packages/Axe.Windows
  2. Pick a version of the NuGet package
  3. Use the "Download package" link to download a copy
  4. Change the .nupkg extension to .zip
  5. Extract the contents of the .zip file
  6. Examine the properties of any of the DLLs under the lib\netstandard20 folder
  7. Check the details of the digital signature

Expected behavior

The signer name should (I think) be "Microsoft Corporation".

Actual behavior

The signer name is "Microsoft 3rd Party Application Component"

Additional context

I checked versions back to 2020. This is not a new problem and has nothing to do with any pipeline template work.

Priority requested -

@microsoft-github-policy-service microsoft-github-policy-service bot added the status: new This issue is new and requires triage by DRI. label Jan 26, 2024
@JGibson2019 JGibson2019 moved this from Needs triage to Accepted - vendor in Accessibility Insights Jan 29, 2024
v-viyada added a commit that referenced this issue Jan 31, 2024
#### Details
Changed certificate from 3rd Party to Microsoft for signing output
files.

Verified the artifacts generated and files have Microsoft corporation
signature. Link for test run
https://dev.azure.com/mseng/1ES/_build/results?buildId=26036565&view=results
Steps used for verification:
1. Download .nupkg file from artifacts of the pipeline run
2. Change the .nupkg extension to .zip
3. Extract the contents of the .zip file
4. Examine the properties of any of the DLL's under the
lib\netstandard20 folder
5. Check the details of the digital signature

##### Motivation

addresses issue #995 

##### Context

<!-- Are there any parts that you've intentionally left out-of-scope for
a later PR to handle? -->

<!-- Were there any alternative approaches you considered? What
tradeoffs did you consider? -->

#### Pull request checklist
<!-- If a checklist item is not applicable to this change, write "n/a"
in the checkbox -->
- [x] Addresses an existing issue: #995
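
The manual check described in the issue's reproduction steps and repeated in the commit's verification steps can be scripted. The following is an added example, not code from the Axe.Windows project or from either participant; the function name `Get-NupkgSignerReport` and its parameters are hypothetical, and it assumes the `.nupkg` has already been downloaded (from nuget.org or from the pipeline artifacts) onto a Windows machine.

```powershell
# Added example: report the Authenticode signer of every DLL inside a .nupkg.
# Function and parameter names are hypothetical; the default expected signer and
# the lib\netstandard20 folder are the values named in the issue.
function Get-NupkgSignerReport {
    param(
        [Parameter(Mandatory)] [string] $NupkgPath,
        [string] $ExpectedSigner = 'Microsoft Corporation',
        [string] $LibFolder = 'lib\netstandard20'
    )

    $work = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # Expand-Archive only accepts a .zip extension, so work on a copy
        # instead of renaming the downloaded package.
        $zip = Join-Path $work 'package.zip'
        Copy-Item -LiteralPath $NupkgPath -Destination $zip
        $extract = Join-Path $work 'extracted'
        Expand-Archive -LiteralPath $zip -DestinationPath $extract

        $dllRoot = Join-Path $extract $LibFolder
        if (-not (Test-Path -LiteralPath $dllRoot)) {
            throw "Folder '$LibFolder' not found in package"
        }

        foreach ($dll in Get-ChildItem -LiteralPath $dllRoot -Filter *.dll -Recurse) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $dll.FullName
            $cert = $sig.SignerCertificate
            # SimpleName is the certificate's display name (normally the subject CN).
            $signer = if ($cert) {
                $cert.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            } else { '(unsigned)' }

            [pscustomobject]@{
                File       = $dll.Name
                Status     = $sig.Status
                Signer     = $signer
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                # A matching name only counts when the signature itself validates.
                AsExpected = ($sig.Status -eq 'Valid' -and $signer -eq $ExpectedSigner)
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force
    }
}
```

Running it against a package and piping to `Format-Table` gives one row per DLL; any row with `AsExpected` false is either unsigned, fails validation, or carries a signer name other than the expected one.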
@v-viyada v-viyada added status: resolved This issue has been merged into main. and removed status: new This issue is new and requires triage by DRI. labels Jan 31, 2024
@v-viyada v-viyada moved this from Accepted - vendor to Needs release in Accessibility Insights Jan 31, 2024
@DaveTryon
Contributor Author

This has been released in https://github.com/microsoft/axe-windows/releases/tag/v2.3.1. Closing.

@DaveTryon DaveTryon removed the status: resolved This issue has been merged into main. label Mar 28, 2024