Skip to content

Fix PE RFC3161 timestamps in code mode#16

Closed
Bradley Grainger (bgrainger) wants to merge 1 commit into
Devolutions:masterfrom
bgrainger:fix-time-stamping
Closed

Fix PE RFC3161 timestamps in code mode#16
Bradley Grainger (bgrainger) wants to merge 1 commit into
Devolutions:masterfrom
bgrainger:fix-time-stamping

Conversation

@bgrainger

@bgrainger Bradley Grainger (bgrainger) commented May 25, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Follow-up to #10 / #11.

As per #10 (comment) the outer NuGet package was signed and timestamped, but the DLLs inside were not time-stamped. This PR fixes that.

AI-generated Text Below

Summary

  • propagate code mode RFC3161 timestamp options into PE/WinMD signing
  • timestamp the newly signed PE signature row, including nested DLLs inside signed .nupkg containers
  • add regression coverage for top-level PE timestamping and nested PE timestamping in package signing

Repro

Using psign-tool code --mode portable to sign a real Logos.Test.1.0.0.nupkg package with Azure Artifact Signing and --timestamp-url http://timestamp.acs.microsoft.com/:

  • before this change, the package signature carried an RFC3161 timestamp but the embedded Logos.Test.dll signature did not
  • after this change, both the package signature and the embedded DLL carry the expected timestamp attributes

Testing

  • cargo test --test code_command
  • cargo test -- --skip code_signing_vector_manifest_committed_entries_are_current

@bgrainger
Fix PE RFC3161 timestamps in code mode
20882a2 
Propagate code-mode RFC3161 timestamp options into PE/WinMD signing so top-level PE targets and nested PE payloads inside signed containers receive Microsoft Authenticode timestamp attributes. Add regression coverage for top-level PE timestamping and for nested DLLs inside a .nupkg.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merged
@mamoreau-devolutions

Marc-André Moreau (mamoreau-devolutions) commented May 25, 2026

Copy link
Copy Markdown
Contributor

Bradley Grainger (@bgrainger) I had another pull request ready with a bunch of fixes, but you caught something else, so I just incorporated it into #15

things go way too fast with AI these days ;)

Marc-André Moreau (mamoreau-devolutions) added a commit that referenced this pull request May 25, 2026
@mamoreau-devolutions @bgrainger
Expand portable Artifact Signing parity (#15)
ca1b678 
## Summary
- add portable Artifact Signing remote-sign embedding for CAB, MSI/MSP,
generic catalogs, and flat MSIX/AppX final signing
- add native-shaped portable batch ergonomics, expanded credential
resolution, and non-PE timestamp persistence
- incorporate [#16](#16) by
propagating code-mode RFC3161 timestamp options into PE/WinMD signing
- update docs and integration tests for the expanded replacement surface

## Validation
- cargo fmt --all
- cargo clippy --workspace --all-targets --locked
- cargo test --workspace --locked
- targeted Artifact Signing integration tests
- targeted code-mode RFC3161 timestamp regression tests from #16

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Bradley Grainger <bradley.grainger@logos.com>
@mamoreau-devolutions

Marc-André Moreau (mamoreau-devolutions) commented May 25, 2026

Copy link
Copy Markdown
Contributor

...and merged, so.closing this PR. Thanks a lot!

@mamoreau-devolutions

Marc-André Moreau (mamoreau-devolutions) commented May 26, 2026

Copy link
Copy Markdown
Contributor

Bradley Grainger (@bgrainger) I released 0.5.0 today, crossing fingers it works for you this time

@bgrainger

Bradley Grainger (bgrainger) commented May 26, 2026

Copy link
Copy Markdown
Contributor Author

Marc-André Moreau (@mamoreau-devolutions) worked great in local testing; now working to get it integrated in our full CI pipeline: Faithlife/FaithlifeBuild#94

@bgrainger

Bradley Grainger (bgrainger) commented May 28, 2026

Copy link
Copy Markdown
Contributor Author

Marc-André Moreau (@mamoreau-devolutions) Just following up; now that I've merged and published Faithlife/FaithlifeBuild#94 this is working great!

Example output from an internal GHA run:

Current runner version: '2.334.0'
Runner Image Provisioner
  Hosted Compute Agent
  Version: 20260520.533
  Commit: 189110e25284a9812c124fd27b339e2fb4f2f9db
  Build Date: 2026-05-20T17:44:04Z
  Worker ID: {9721ed4a-4854-4b31-8f6f-4fd2b596d495}
  Azure Region: westus
Operating System
  Ubuntu
  24.04.4
  LTS

Build: Starting... (publish) (skip dependencies)
Build: publish
  Build: publish: Starting...
  >> az account get-access-token --resource https://codesigning.azure.net/ --query accessToken --output tsv --only-show-errors
  >> /usr/share/dotnet/dotnet tool install --tool-path release/sign Devolutions.Psign.Tool
  You can invoke the tool using the following command: psign-tool
  Tool 'devolutions.psign.tool' (version '0.5.0') was successfully installed.
  signed release/XXX.1.35.0.nupkg -> /home/runner/work/XXX/XXX/release/XXX.1.35.0.signed.nupkg (.signature.p7s)
  >> /usr/share/dotnet/dotnet nuget push /home/runner/work/XXX/XXX/release/XXX.1.35.0.nupkg --source Azure --api-key AzureDevOps --skip-duplicate
  Pushing XXX.XXX.1.35.0.nupkg to 'XXX'...
  Your package was pushed.
  Pushing git tag v1.35.0 at XXX (using GitHub API).
  Build: publish: Succeeded (14.26 s)

@bgrainger

Bradley Grainger (bgrainger) commented May 30, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Found a problem: the signed DLL has a last-modified date of 12/31/1979 4:00pm (probably a PST thing?). This is breaking some last-modified checks once the DLL is extracted from the NuGet package.

Fix in #20.

@bgrainger Bradley Grainger (bgrainger) deleted the fix-time-stamping branch May 30, 2026 06:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bgrainger @mamoreau-devolutions