[release/10.0] Enable generic detached signature support in SignTool (#16200)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Matt Mitchell (.NET) <mmitche@microsoft.com>
Co-authored-by: mmitche <8725170+mmitche@users.noreply.github.com>

Author: 3 people

Arcade.slnx

@@ -45,6 +45,7 @@
   <Project Path="src/Microsoft.DotNet.Arcade.Sdk/Microsoft.DotNet.Arcade.Sdk.csproj" />
   <Project Path="src/Microsoft.DotNet.ArcadeAzureIntegration/Microsoft.DotNet.ArcadeAzureIntegration.csproj" />
   <Project Path="src/Microsoft.DotNet.ArcadeLogging/Microsoft.DotNet.ArcadeLogging.csproj" />
+  <Project Path="src/Microsoft.DotNet.Baselines.Tasks/Microsoft.DotNet.Baselines.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Manifest/Microsoft.DotNet.Build.Manifest.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Tasks.Archives/Microsoft.DotNet.Build.Tasks.Archives.csproj" />
   <Project Path="src/Microsoft.DotNet.Build.Tasks.Feed/Microsoft.DotNet.Build.Tasks.Feed.csproj" />
@@ -71,7 +72,6 @@
   <Project Path="src/Microsoft.DotNet.SourceBuild/tasks/Microsoft.DotNet.SourceBuild.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.StrongName/Microsoft.DotNet.StrongName.csproj" />
   <Project Path="src/Microsoft.DotNet.Tar/Microsoft.DotNet.Tar.csproj" />
-  <Project Path="src/Microsoft.DotNet.Baselines.Tasks/Microsoft.DotNet.Baselines.Tasks.csproj" />
   <Project Path="src/Microsoft.DotNet.XliffTasks/Microsoft.DotNet.XliffTasks.csproj" />
   <Project Path="src/Microsoft.DotNet.XUnitAssert/src/Microsoft.DotNet.XUnitAssert.csproj" />
   <Project Path="src/Microsoft.DotNet.XUnitConsoleRunner/src/Microsoft.DotNet.XUnitConsoleRunner.csproj" />

src/Microsoft.DotNet.SignTool.Tests/Resources/InnerZipFile.zip

@@ -1278,6 +1278,93 @@ public void SignZipFile()
             });
         }
 
+        [Fact]
+        public void SignArchivesUsingDetachedSignature()
+        {
+            // List of files to be considered for signing
+            var itemsToSign = new List<ItemToSign>()
+            {
+                new ItemToSign(GetResourcePath("test.zip")),
+                new ItemToSign(GetResourcePath("test.tgz")),
+                new ItemToSign(GetResourcePath("NestedZip.zip")),
+                new ItemToSign(GetResourcePath("InnerZipFile.zip"))
+            };
+
+            var strongNameSignInfo = new Dictionary<string, List<SignInfo>>();
+
+            // Overriding information
+            var explicitCertKeys = new Dictionary<ExplicitCertificateKey, string>()
+            {
+                { new ExplicitCertificateKey("test.zip"), "ArchiveCert" },
+                { new ExplicitCertificateKey("test.tgz"), "ArchiveCert" },
+                { new ExplicitCertificateKey("InnerZipFile.zip"), "ArchiveCert" }
+            };
+
+            var additionalCertificateInfo = new Dictionary<string, List<AdditionalCertificateInformation>>()
+            {
+                {  "ArchiveCert",
+                    new List<AdditionalCertificateInformation>() {
+                        new AdditionalCertificateInformation() { GeneratesDetachedSignature = true }
+                    }
+                }
+            };
+
+            ValidateFileSignInfos(itemsToSign, strongNameSignInfo, explicitCertKeys, s_fileExtensionSignInfo, new[]
+            {
+                "File 'NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'Nested.NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'Nested.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'test.zip' Certificate='ArchiveCert'",
+                "File 'test.tgz' Certificate='ArchiveCert'",
+                "File 'InnerZipFile.zip' Certificate='ArchiveCert'",
+                "File 'Mid.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'MidNativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'NestedZip.zip'",
+            },
+            additionalCertificateInfo: additionalCertificateInfo,
+            expectedCopyFiles: new[]
+            {
+                $"{Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip")} -> {Path.Combine(_tmpDir, "InnerZipFile.zip")}",
+                $"{Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip.sig")} -> {Path.Combine(_tmpDir, "InnerZipFile.zip.sig")}"
+            });
+
+            ValidateGeneratedProject(itemsToSign, strongNameSignInfo, explicitCertKeys, s_fileExtensionSignInfo, new[]
+            {
+$@"
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "0", "NativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "1", "SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "2", "this_is_a_big_folder_name_look/this_is_an_even_more_longer_folder_name/but_this_one_is_ever_longer_than_the_previous_other_two/Nested.NativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "3", "this_is_a_big_folder_name_look/this_is_an_even_more_longer_folder_name/but_this_one_is_ever_longer_than_the_previous_other_two/Nested.SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "7", "Mid.SOS.NETCore.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "8", "MidNativeLibrary.dll"))}"">
+  <Authenticode>Microsoft400</Authenticode>
+</FilesToSign>
+",
+$@"
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.zip"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.tgz"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "ContainerSigning", "6", "InnerZipFile.zip"))}"">
+  <Authenticode>ArchiveCert</Authenticode>
+</FilesToSign>
+"
+            }, additionalCertificateInfo: additionalCertificateInfo);
+        }
+
         /// <summary>
         /// Verifies that signing of pkgs can be done on Windows, even though
         /// we will not unpack or repack them.
@@ -2587,6 +2674,11 @@ public void ValidateSignToolTaskParsing()
                 }),
                 // Signed pe file
                 new TaskItem(GetResourcePath("SignedLibrary.dll"), new Dictionary<string, string>
+                {
+                    { SignToolConstants.CollisionPriorityId, "123" }
+                }),
+                // Sign a test.zip
+                new TaskItem(GetResourcePath("test.zip"), new Dictionary<string, string>
                 {
                     { SignToolConstants.CollisionPriorityId, "123" }
                 })
@@ -2618,6 +2710,11 @@ public void ValidateSignToolTaskParsing()
                     { "CertificateName", "DualSignCertificate" },
                     { "PublicKeyToken", "31bf3856ad364e35" },
                     { "CollisionPriorityId", "123" }
+                }),
+                new TaskItem("test.zip", new Dictionary<string, string>
+                {
+                    { "CertificateName", "DetachedArchiveCert" },
+                    { "CollisionPriorityId", "123" }
                 })
             };
 
@@ -2634,7 +2731,11 @@ public void ValidateSignToolTaskParsing()
                     { "MacCertificate", "MacDeveloperHarden" },
                     { "MacNotarizationAppName", "com.microsoft.dotnet" },
                     { "CollisionPriorityId", "123" }
-                })
+                }),
+                new TaskItem("DetachedArchiveCert", new Dictionary<string, string>
+                {
+                    { "DetachedSignature", "true" }
+                }),
             };
 
             var task = new SignToolTask
@@ -2667,7 +2768,11 @@ public void ValidateSignToolTaskParsing()
                 "File 'ProjectOne.dll' TargetFramework='.NETCoreApp,Version=v2.1' Certificate='3PartySHA2' StrongName='ArcadeStrongTest'",
                 "File 'ProjectOne.dll' TargetFramework='.NETStandard,Version=v2.0' Certificate='OverrideCertificateName' StrongName='ArcadeStrongTest'",
                 "File 'ContainerOne.1.0.0.nupkg' Certificate='NuGet'",
-                "File 'SignedLibrary.dll' TargetFramework='.NETCoreApp,Version=v2.0' Certificate='DualSignCertificate'"
+                "File 'SignedLibrary.dll' TargetFramework='.NETCoreApp,Version=v2.0' Certificate='DualSignCertificate'",
+                "File 'SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'Nested.NativeLibrary.dll' Certificate='Microsoft400'",
+                "File 'Nested.SOS.NETCore.dll' TargetFramework='.NETCoreApp,Version=v1.0' Certificate='Microsoft400'",
+                "File 'test.zip' Certificate='DetachedArchiveCert'"
             };
             task.ParsedSigningInput.FilesToSign.Select(f => f.ToString()).Should().BeEquivalentTo(expected);
         }

src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs

@@ -21,6 +21,10 @@ public class AdditionalCertificateInformation
         /// If the certificate name represents a sign+notarize operation, this is the name of the notarize operation.
         /// </summary>
         public string MacNotarizationAppName { get; set; }
+        /// <summary>
+        /// If true, this certificate should generate detached signatures instead of in-place signing.
+        /// </summary>
+        public bool GeneratesDetachedSignature { get; set; }
         public string CollisionPriorityId { get; set; }
     }
 }

src/Microsoft.DotNet.SignTool/src/AdditionalCertificateInformation.cs

@@ -554,16 +554,30 @@ private void VerifyCertificates(TaskLoggingHelper log)
                 }
                 else if (fileName.IsZip())
                 {
-                    if (fileName.SignInfo.Certificate != null)
+                    // Zip files can't be signed without a detached signature. If a certificate is provided but the signature is not detached.
+                    if (!fileName.SignInfo.GeneratesDetachedSignature && fileName.SignInfo.Certificate != null)
                     {
-                        log.LogError($"Zip {fileName} should not be signed with this certificate: {fileName.SignInfo.Certificate}");
+                        log.LogError($"'{fileName}' may only be signed with a detached signature. '{fileName.SignInfo.Certificate}' does not produce a detached signature");
                     }
 
                     if (fileName.SignInfo.StrongName != null)
                     {
                         log.LogError($"Zip {fileName} cannot be strong name signed.");
                     }
                 }
+                else if (fileName.IsTarGZip())
+                {
+                    // Tar.gz files can't be signed without a detached signature. If a certificate is provided but the signature is not detached.
+                    if (!fileName.SignInfo.GeneratesDetachedSignature && fileName.SignInfo.Certificate != null)
+                    {
+                        log.LogError($"'{fileName}' may only be signed with a detached signature. '{fileName.SignInfo.Certificate}' does not produce a detached signature");
+                    }
+                    
+                    if (fileName.SignInfo.StrongName != null)
+                    {
+                        log.LogError($"TarGZip {fileName} cannot be strong name signed.");
+                    }
+                }
                 if (fileName.IsExecutableWixContainer())
                 {
                     if (isInvalidEmptyCertificate)
@@ -589,7 +603,28 @@ private void VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file)
             // No need to check if the file should not have been signed.
             if (file.SignInfo.ShouldSign)
             {
-                if (file.IsPEFile())
+                // For files with detached signatures, verify the .sig file exists
+                if (file.SignInfo.GeneratesDetachedSignature)
+                {
+                    string sigFilePath = file.DetachedSignatureFullPath;
+                    if (!File.Exists(sigFilePath))
+                    {
+                        _log.LogError($"Detached signature file {sigFilePath} does not exist for {file.FullPath}");
+                    }
+                    else
+                    {
+                        var fileInfo = new FileInfo(sigFilePath);
+                        if (fileInfo.Length == 0)
+                        {
+                            _log.LogError($"Detached signature file {sigFilePath} is empty.");
+                        }
+                        else
+                        {
+                            _log.LogMessage(MessageImportance.Low, $"Detached signature file {sigFilePath} exists and is non-empty.");
+                        }
+                    }
+                }
+                else if (file.IsPEFile())
                 {
                     using (var stream = File.OpenRead(file.FullPath))
                     {

src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs

@@ -224,6 +224,14 @@ private FileSignInfo TrackFile(PathWithHash file, PathWithHash parentContainer,
 
                 // Copy the signed content to the destination path.
                 _filesToCopy.Add(new KeyValuePair<string, string>(existingSignInfo.FullPath, file.FullPath));
+
+                // If this is a top-level file that uses detached signatures, also copy the detached signature file
+                if (existingSignInfo.SignInfo.GeneratesDetachedSignature)
+                {
+                    _filesToCopy.Add(new KeyValuePair<string, string>(existingSignInfo.DetachedSignatureFullPath, fileSignInfo.DetachedSignatureFullPath));
+                    _log.LogMessage(MessageImportance.Low, $"Will copy detached signature from '{existingSignInfo.DetachedSignatureFullPath}' to '{fileSignInfo.DetachedSignatureFullPath}'");
+                }
+                
                 return fileSignInfo;
             }
 
@@ -262,7 +270,7 @@ private FileSignInfo TrackFile(PathWithHash file, PathWithHash parentContainer,
                 // Only sign containers if the file itself is unsigned, or 
                 // an item in the container is unsigned.
                 hasSignableParts = _zipDataMap[fileSignInfo.FileContentKey].NestedParts.Values.Any(b => b.FileSignInfo.SignInfo.ShouldSign || b.FileSignInfo.HasSignableParts);
-                if(hasSignableParts)
+                if (hasSignableParts)
                 {
                     // If the file has contents that need to be signed, then re-evaluate the signing info
                     fileSignInfo = fileSignInfo.WithSignableParts();
@@ -529,6 +537,12 @@ private FileSignInfo ExtractSignInfo(
 
                 Check3rdPartyMicrosoftSignatureMismatch(file, peInfo, signInfo);
 
+                // Check if this cert should use detached signatures instead of in-place signing
+                if (ShouldUseDetachedSignature(file, signInfo))
+                {
+                    signInfo = signInfo.WithDetachedSignature(signInfo.Certificate);
+                }
+
                 return new FileSignInfo(file, signInfo, (peInfo != null && peInfo.TargetFramework != "") ? peInfo.TargetFramework : null, wixContentFilePath: wixContentFilePath);
             }
 
@@ -863,5 +877,27 @@ private bool ShouldSkip3rdPartyCheck(string fileName)
         {
             return _itemsToSkip3rdPartyCheck != null && _itemsToSkip3rdPartyCheck.Contains(Path.GetFileName(fileName));
         }
+
+        /// <summary>
+        /// Determines if a file should use detached signatures based on certificate configuration.
+        /// </summary>
+        /// <param name="file">The file to check</param>
+        /// <returns>True if the file should use detached signatures</returns>
+        private bool ShouldUseDetachedSignature(PathWithHash file, SignInfo signInfo)
+        {
+            // Check if the certificate is configured for detached signatures
+            if (signInfo.Certificate != null && _additionalCertificateInformation.TryGetValue(signInfo.Certificate, out var additionalInfo))
+            {
+                var additionalCertInfo = additionalInfo.FirstOrDefault(a => string.IsNullOrEmpty(a.CollisionPriorityId) ||
+                                                                   a.CollisionPriorityId == signInfo.CollisionPriorityId);
+                if (additionalCertInfo != null && additionalCertInfo.GeneratesDetachedSignature)
+                {
+                    _log.LogMessage(MessageImportance.Low, $"File {file.FileName} will use detached signatures based on certificate configuration");
+                    return true;
+                }
+            }
+            
+            return false;
+        }
     }
 }

src/Microsoft.DotNet.SignTool/src/Configuration.cs

@@ -25,20 +25,6 @@ public ExplicitCertificateKey(string fileName, string publicKeyToken = null, str
             ExecutableType = executableType;
         }
 
-        private static ExecutableType ParseExecutableType(string executableType)
-        {
-            if (string.IsNullOrEmpty(executableType))
-                return ExecutableType.None;
-
-            return executableType switch
-            {
-                "PE" => ExecutableType.PE,
-                "MachO" => ExecutableType.MachO,
-                "ELF" => ExecutableType.ELF,
-                _ => ExecutableType.None
-            };
-        }
-
         public override bool Equals(object obj)
             => obj is ExplicitCertificateKey key && Equals(key);
 

src/Microsoft.DotNet.SignTool/src/ExplicitCertificateKey.cs

@@ -17,6 +17,9 @@ internal readonly struct FileSignInfo
         internal readonly SignInfo SignInfo;
         internal ImmutableArray<byte> ContentHash => File.ContentHash;
         internal readonly string WixContentFilePath;
+        internal string DetachedSignatureFilePath => $"{FileName}.sig";
+        internal string DetachedSignatureFullPath => $"{FullPath}.sig";
+
         internal readonly PathWithHash File;
 
         // optional file information that allows to disambiguate among multiple files with the same name: