|
1 | 1 | SignCheck
|
2 | 2 | =========
|
3 | 3 |
|
4 |
| -This console tool scans files, archives, and packages to ensure their contents have Authenticode signatures. |
| 4 | +`SignCheck` is a tool that scans files, archives, and packages to ensure their contents have valid signatures. |
5 | 5 |
|
6 | 6 | ### Usage
|
7 | 7 |
|
| 8 | +The `SignCheck` tooling is divided into two components, a task and a CLI tool. |
| 9 | + |
| 10 | +#### Signing Task |
| 11 | + |
| 12 | +Arcade defaults to using the signing task via script invocation for signing validation. This is the preferred method for signature validation. |
| 13 | + |
| 14 | +- **Supported Frameworks**: .NET Core and .NET Framework |
| 15 | +- **Invocation**: |
| 16 | + - On Linux/macOS: `./eng/common/sdk-task.sh --task SigningValidation` |
| 17 | + - On Windows: `./eng/common/sdk-task.ps1 -task SigningValidation` |
| 18 | +- **Task Options**: |
| 19 | + - **Input Files**: `/p:PackageBasePath` (required) |
| 20 | + A list of files to scan. Wildcards (* and ?) are supported. |
| 21 | + - **Exclusions File**: `/p:SignCheckExclusionsFile` |
| 22 | + Path to a file containing a list of files to ignore when verification fails. |
| 23 | + - **Enable JAR Signature Verification**: `/p:EnableJarSigningCheck` (default: false) |
| 24 | + Enable JAR signature verification. |
| 25 | + - **Verify Strong Name**: `/p:EnableStrongNameCheck` (default: false) |
| 26 | + Enable strong name checks for managed code files. |
| 27 | + - **Log File**: `/p:SignCheckLog` |
| 28 | + Output results to the specified log file. |
| 29 | + - **Error Log File**: `/p:SignCheckErrorLog` |
| 30 | + Log errors to a separate file. |
| 31 | + - **Results XML File**: `/p:SignCheckResultsXmlFile` |
| 32 | + Output signing results to the specified XML log file. |
| 33 | + |
| 34 | +#### Signing CLI Tool |
| 35 | + |
| 36 | +The CLI tool is maintained for legacy purposes and is only recommended for repositories that already use it. Refrane from using this; new repositories should use the Signing Task instead. |
| 37 | + |
| 38 | +- **Supported Frameworks**: .NET Framework only |
| 39 | +- **Invocation**: |
| 40 | + - `Microsoft.DotNet.SignCheck.exe` |
| 41 | +- **CLI Options**: |
8 | 42 | ```
|
9 | 43 | Microsoft.DotNet.SignCheck.exe [options]
|
10 | 44 |
|
11 | 45 | Options:
|
12 | 46 |
|
13 | 47 | -e, --error-log-file Log errors to a separate file. If the file already exists it will be overwritten.
|
14 | 48 |
|
15 |
| - -f, --file-status Report the status of a speficic set of files. Any combination of the following values are allowed. |
16 |
| - Values are separated by a ','. |
17 |
| - |
18 |
| - 'UnsignedFiles', 'SignedFiles', 'SkippedFiles', 'ExcludedFiles', 'AllFiles'. Default is 'UnsignedFiles' |
| 49 | + -f, --file-status Report the status of a specific set of files. Default is 'UnsignedFiles'. |
19 | 50 |
|
20 |
| - -g, --generate-exclusions-file Name of the exclusions file to generate. The entries in the file are generated using reported |
21 |
| - unsigned files. If the file already exists it will be overwritten. |
| 51 | + -g, --generate-exclusions-file Name of the exclusions file to generate. If the file already exists it will be overwritten. |
22 | 52 |
|
23 |
| - -i, --input-files A list of files to scan. Wildcards (* and ?) are supported. You can specify groups of files, |
24 |
| - e.g. C:\Dir1\Dir*\File?.EXE or a URL (http or https). |
| 53 | + -i, --input-files A list of files to scan. Wildcards (* and ?) are supported. |
25 | 54 |
|
26 |
| - -j, --verify-jar Enable JAR signature verification. By default, .jar files are no verified. |
| 55 | + -j, --verify-jar Enable JAR signature verification. By default, .jar files are not verified. |
27 | 56 |
|
28 | 57 | -l, --log-file Output results to the specified log file. If the file already exists it will be overwritten.
|
29 | 58 |
|
| 59 | + --results-xml-file Output signing results to the specified XML log file. If the file already exists it will be overwritten. |
| 60 | +
|
30 | 61 | -m, --verify-xml Enable XML signature verification. By default, .xml files are not verified.
|
31 | 62 |
|
32 | 63 | -p, --skip-timestamp Ignore timestamp checks for AuthentiCode signatures.
|
33 | 64 |
|
34 |
| - -r, --recursive Traverse subdirectories or container files such as .zip, .nupkg, .cab, and .msi |
| 65 | + -r, --recursive Traverse subdirectories or container files such as .zip, .nupkg, .cab, and .msi. |
35 | 66 |
|
36 |
| - -s, --verify-strongname Enable strongname checks for managed code files (.exe and .dll) |
| 67 | + -s, --verify-strongname Enable strong name checks for managed code files. |
37 | 68 |
|
38 |
| - -t, --traverse-subfolders Traverse subfolders to find files matching wildcard patterns used by the --input-files option. |
| 69 | + -t, --traverse-subfolders Traverse subfolders to find files matching wildcard patterns. |
39 | 70 |
|
40 | 71 | -v, --verbosity Set the verbosity level: Minimum, Normal, Detailed, Diagnostic.
|
41 | 72 |
|
42 |
| - -x, --exclusions-file Path to a file containing a list of files to ignore when verification fails. Exclusions are not |
43 |
| - reported as errors. |
| 73 | + -x, --exclusions-file Path to a file containing a list of files to ignore when verification fails. |
44 | 74 |
|
45 | 75 | --help Display this help screen.
|
46 | 76 |
|
47 | 77 | --version Display version information.
|
48 | 78 | ```
|
| 79 | + |
| 80 | +### Supported Files |
| 81 | + |
| 82 | +#### Detected via File Extensions |
| 83 | + |
| 84 | +| File Extension | Platforms | .NET Product | |
| 85 | +|----------------|----------------------------|----------------------| |
| 86 | +| .a | macOS | .NET Core | |
| 87 | +| .app | macOS | .NET Core | |
| 88 | +| .cab | Windows | .NET Framework | |
| 89 | +| .deb | Linux | .NET Core | |
| 90 | +| .dll | Windows, macOS, Linux | .NET Framework, Core | |
| 91 | +| .dylib | macOS | .NET Core | |
| 92 | +| .exe | Windows, macOS, Linux | .NET Framework, Core | |
| 93 | +| .gz | macOS, Linux | .NET Core | |
| 94 | +| .jar | Windows | .NET Framework | |
| 95 | +| .js | Windows, macOS, Linux | .NET Framework, Core | |
| 96 | +| .lzma | Windows, macOS, Linux | .NET Framework, Core | |
| 97 | +| .macho | macOS | .NET Core | |
| 98 | +| .msi | Windows | .NET Framework | |
| 99 | +| .msp | Windows | .NET Framework | |
| 100 | +| .msu | Windows | .NET Framework | |
| 101 | +| .nupkg | Windows, macOS, Linux | .NET Framework, Core | |
| 102 | +| .pkg | macOS | .NET Core | |
| 103 | +| .ps1 | Windows | .NET Framework | |
| 104 | +| .ps1xml | Windows | .NET Framework | |
| 105 | +| .psd1 | Windows | .NET Framework | |
| 106 | +| .psm1 | Windows | .NET Framework | |
| 107 | +| .rpm | Linux | .NET Core | |
| 108 | +| .so | macOS | .NET Core | |
| 109 | +| .tar | macOS, Linux | .NET Core | |
| 110 | +| .tgz | macOS, Linux | .NET Core | |
| 111 | +| .vsix | Windows | .NET Framework | |
| 112 | +| .xml | Windows, macOS, Linux | .NET Framework, Core | |
| 113 | +| .zip | Windows, macOS, Linux | .NET Framework, Core | |
| 114 | + |
| 115 | +#### Detected via File Headers |
| 116 | + |
| 117 | +| File Type | Platforms | .NET Product | |
| 118 | +|----------------------------|----------------------------|----------------------| |
| 119 | +| Cab Files | Windows | .NET Framework | |
| 120 | +| EXE Files | Windows | .NET Framework | |
| 121 | +| Jar Files | Windows | .NET Framework | |
| 122 | +| Mach-O Files | macOS | .NET Core | |
| 123 | +| NuGet Packages | Windows, macOS, Linux | .NET Framework, Core | |
| 124 | +| PE Files | Windows | .NET Framework | |
| 125 | +| VSIX Files | Windows | .NET Framework | |
| 126 | +| Zip Files | Windows, macOS, Linux | .NET Framework, Core | |
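Review bot: In the CLI help block, the rewritten `-x, --exclusions-file` entry drops "Exclusions are not reported as errors" and the `-f, --file-status` entry drops the list of accepted values ('UnsignedFiles', 'SignedFiles', 'SkippedFiles', 'ExcludedFiles', 'AllFiles'). Both describe behaviour a reader needs, because an exclusions file suppresses verification failures without reporting them, so please keep those sentences and repeat the exclusions caveat under `/p:SignCheckExclusionsFile` in the Task Options. In the Signing CLI Tool paragraph, "Refrane" should be "Refrain", and that sentence largely repeats the one before it. `/p:PackageBasePath` is described as "A list of files to scan", which does not match a parameter named as a base path; please state whether it takes a directory, a wildcard pattern, or a list. In the extensions table, `.so` is listed for macOS only while `.deb` and `.rpm` are listed for Linux, so please confirm whether Linux is missing from that row. The opening line also replaces "Authenticode signatures" with "valid signatures" without saying what counts as valid for each file type.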