
Treat CAB files as containers

Open bricelam opened this issue 6 months ago • 11 comments

Fixes #874

bricelam avatar May 14 '25 00:05 bricelam

I am not sure if we should add this now and take a dependency on WixToolset.Dtf.Compression.Cab. Wondering if we should first take a good look at how AggregatingSigner is implemented. It feels like we are now putting too many things in a single place and I wonder if it's a good thing to add this now?

It also looks like that library requires an Open Source Maintenance Fee for: opening or commenting on issues, participating in discussions and downloading releases.

dlemstra avatar May 14 '25 06:05 dlemstra

I agree AggregateSigner and ContainerProvider need some cleanup. But, IMHO, that’s orthogonal to adding this feature.

Also, Microsoft has paid the maintainer’s fee, so maybe you’re already good? 🤷‍♂️

I believe my MSI PR also adds the WixToolset.Dtf.Compression.Cab dependency transitively, so maybe along with that feature it’s justified.

Without CAB and MSI support, this tool really doesn’t live up to its stated design of nested signing.

bricelam avatar May 14 '25 12:05 bricelam

/cc @robmen in case you have any response to the OSMF FUD

bricelam avatar May 14 '25 13:05 bricelam

dotnet already takes dependencies on the WiX Toolset and Microsoft does pay the Open Source Maintenance Fee (thank you).

robmen avatar May 14 '25 13:05 robmen

There is no need to call my comment FUD. I only stated what I found on the readme page of that dependency and that this should be something that should be looked at.

dlemstra avatar May 14 '25 13:05 dlemstra

> There is no need to call my comment FUD.

My apologies, I forgot there are a lot more negative connotations that come with labeling something as FUD nowadays. I just meant it purely in the sense of uncertainty and possible doubt. I'm definitely not accusing anyone of xenophobia or ignorant reluctance!

bricelam avatar May 14 '25 15:05 bricelam

@bricelam Trying to test this locally, and my MSI is failing to install once I sign the .cab it uses: [image]

I'm probably doing something wrong? I have both a .msi and a .cab then sign the .cab and try to install it via the .msi. If I manually extract the .cab the files inside are signed. I suspect it's because the hash and size of the files are being modified?

Foda avatar Jun 05 '25 17:06 Foda

Oh interesting, I bet you're right--we probably need to update the MSI after signing the CABs.

bricelam avatar Jun 05 '25 20:06 bricelam

Wait. That bug should already exist today without this change. External CAB files are already being signed--just not their contents.

bricelam avatar Jun 05 '25 20:06 bricelam

> Wait. That bug should already exist today without this change. External CAB files are already being signed--just not their contents.

That did cross my mind too, but it didn't seem to cause any issues. I suspect it's because the contents change and the layout is no longer what it expects or something.

Foda avatar Jun 06 '25 17:06 Foda

I'll dig into it and see what we can do. Hopefully, I'm just re-assembling the CAB file incorrectly (e.g. with a new nested directory or something) and we don't have to update referencing MSI files just because you recursively sign a CAB file.

bricelam avatar Jun 09 '25 13:06 bricelam