From bc68c0d7ef32f293a8338708b6da40075fee0ecc Mon Sep 17 00:00:00 2001
From: Sujit Nayak
Date: Wed, 22 Sep 2021 15:43:48 -0700
Subject: [PATCH 1/3] 6732: Default to sha2 digest for clickonce manifest when certificate signing algorithm is sha256/384/512
---
 src/Tasks/ManifestUtil/SecurityUtil.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Tasks/ManifestUtil/SecurityUtil.cs b/src/Tasks/ManifestUtil/SecurityUtil.cs
index cf4b7cdebe7..fa381fb5858 100644
--- a/src/Tasks/ManifestUtil/SecurityUtil.cs
+++ b/src/Tasks/ManifestUtil/SecurityUtil.cs
@@ -572,7 +572,9 @@ public static void SignFile(string certPath, SecureString certPassword, Uri time
 private static bool UseSha256Algorithm(X509Certificate2 cert)
 {
 Oid oid = cert.SignatureAlgorithm;
- return string.Equals(oid.FriendlyName, "sha256RSA", StringComparison.OrdinalIgnoreCase);
+ return string.Equals(oid.FriendlyName, "sha256RSA", StringComparison.OrdinalIgnoreCase) ||
+ string.Equals(oid.FriendlyName, "sha384RSA", StringComparison.OrdinalIgnoreCase) ||
+ string.Equals(oid.FriendlyName, "sha512RSA", StringComparison.OrdinalIgnoreCase);
 }
 
 ///
From 8f9d79e07aa7fbd1d657f24321262b6e6a263356 Mon Sep 17 00:00:00 2001
From: Sujit Nayak
Date: Thu, 23 Sep 2021 14:45:38 -0700
Subject: [PATCH 2/3] add comment
---
 src/Tasks/ManifestUtil/SecurityUtil.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/Tasks/ManifestUtil/SecurityUtil.cs b/src/Tasks/ManifestUtil/SecurityUtil.cs
index fa381fb5858..c4c0d27a739 100644
--- a/src/Tasks/ManifestUtil/SecurityUtil.cs
+++ b/src/Tasks/ManifestUtil/SecurityUtil.cs
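Review bot: The three added `string.Equals` lines still key the decision on `oid.FriendlyName`, which is a display name resolved from the runtime's OID table rather than a property of the certificate, so the match depends on the platform naming that name consistently; comparing `oid.Value` against the dotted OIDs is the stable form. The RSA-with-SHA-2 algorithms are 1.2.840.113549.1.1.11 (sha256RSA), 1.2.840.113549.1.1.12 (sha384RSA) and 1.2.840.113549.1.1.13 (sha512RSA), so the body could read `string[] sha2Rsa = { "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13" };` followed by `return Array.IndexOf(sha2Rsa, oid.Value) >= 0;`. Certificates signed with an ECDSA algorithm (sha256ECDSA and its siblings) still take the `false` path, which presumably selects the legacy digest in the caller outside this hunk; if such certificates are meant to produce a SHA-256 manifest digest, the check needs to cover them too. More broadly, choosing the manifest digest from the issuer's signature algorithm means a certificate issued under sha1RSA keeps the weaker digest even though its key can sign a SHA-256 digest without difficulty — that coupling predates this patch, but it is worth a comment so it is not read as a requirement.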
@@ -572,6 +572,8 @@ public static void SignFile(string certPath, SecureString certPassword, Uri time
 private static bool UseSha256Algorithm(X509Certificate2 cert)
 {
 Oid oid = cert.SignatureAlgorithm;
+ // Issue 6732: Clickonce does support sha384/sha512 hash so we default to sha256
+ // for certs with that signature algorithm.
 return string.Equals(oid.FriendlyName, "sha256RSA", StringComparison.OrdinalIgnoreCase) ||
 string.Equals(oid.FriendlyName, "sha384RSA", StringComparison.OrdinalIgnoreCase) ||
 string.Equals(oid.FriendlyName, "sha512RSA", StringComparison.OrdinalIgnoreCase);
From d9d1d59cb4ea0e610507ad457d6923b4534df157 Mon Sep 17 00:00:00 2001
From: Sujit Nayak
Date: Thu, 23 Sep 2021 16:00:55 -0700
Subject: [PATCH 3/3] fix comment
---
 src/Tasks/ManifestUtil/SecurityUtil.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Tasks/ManifestUtil/SecurityUtil.cs b/src/Tasks/ManifestUtil/SecurityUtil.cs
index c4c0d27a739..d74182f6ec8 100644
--- a/src/Tasks/ManifestUtil/SecurityUtil.cs
+++ b/src/Tasks/ManifestUtil/SecurityUtil.cs
@@ -572,7 +572,7 @@ public static void SignFile(string certPath, SecureString certPassword, Uri time
 private static bool UseSha256Algorithm(X509Certificate2 cert)
 {
 Oid oid = cert.SignatureAlgorithm;
- // Issue 6732: Clickonce does support sha384/sha512 hash so we default to sha256
+ // Issue 6732: Clickonce does not support sha384/sha512 file hash so we default to sha256
 // for certs with that signature algorithm.
 return string.Equals(oid.FriendlyName, "sha256RSA", StringComparison.OrdinalIgnoreCase) ||
 string.Equals(oid.FriendlyName, "sha384RSA", StringComparison.OrdinalIgnoreCase) ||
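Review bot: The two added comment lines explain the sha384/sha512 fallback inside the body, but the method itself still has no `<summary>`, and its name `UseSha256Algorithm` no longer describes what it decides: it now answers true for every SHA-2 RSA signature algorithm, not only sha256RSA, and the digest actually used is chosen by the caller outside this hunk. I'd put the contract on the signature, `/// <summary>True when the certificate's signature algorithm is sha256RSA, sha384RSA or sha512RSA. ClickOnce manifests do not support a sha384/sha512 file hash, so all three select the SHA-256 digest (issue 6732).</summary>`, and shorten the in-body comment to the one-line why. The `<summary>` also makes the name's mismatch visible to the next reader without a rename of a private member.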