
Microsoft.WinGetSourceCreator.Helpers not using time server for signing

Open JohnnyElvis opened this issue 1 year ago • 4 comments

Brief description of your issue

Microsoft.WinGetSourceCreator.Helpers SignFile is not using a time server for signing.

Once a code signing certificate expires, signed packages will no longer be usable without a time stamp.

Steps to reproduce

Look into src\WinGetSourceCreator\Helpers.cs

Line 39

Expected behavior

Time stamp is added to signature

Actual behavior

No time stamp is added to signature


Environment

Windows 11 Enterprise

JohnnyElvis avatar Nov 07 '24 13:11 JohnnyElvis
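A quick way to confirm the expected versus actual behavior described above is to inspect the Authenticode signature of the produced package and see whether a timestamp countersignature is present. The script below is an added example, not code from this issue or from the winget-cli project; it uses only the built-in Get-AuthenticodeSignature cmdlet, and the file path passed to it is a placeholder you supply.

```powershell
# Added example (not from the issue or the winget-cli project).
# Reports whether an Authenticode-signed file carries a timestamp countersignature.
# Without one, the signature stops validating as soon as the signer certificate
# passes its NotAfter date, which is the failure mode the issue describes.
function Test-SignatureTimestamp {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # placeholder: path to the signed package, e.g. the index .msix
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status
        SignerSubject    = $sig.SignerCertificate.Subject
        SignerNotAfter   = $sig.SignerCertificate.NotAfter
        HasTimestamp     = ($null -ne $sig.TimeStamperCertificate)
        TimestampAuthority = $sig.TimeStamperCertificate.Subject
    }

    if ($result.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($result.Status) ($($sig.StatusMessage))"
    }

    if (-not $result.HasTimestamp) {
        # Actual behavior from the issue: no /tr was passed to signtool, so the
        # signature is only trustworthy until the signer certificate expires.
        Write-Warning "$Path : no timestamp; signature will not validate after $($result.SignerNotAfter)"
    }

    return $result
}

# Usage (placeholder path):
# Test-SignatureTimestamp -Path 'C:\placeholder\source.msix' | Format-List
```

A populated TimeStamperCertificate shows that signtool was run with /tr (or the legacy /t), which is exactly what the proposed fix adds; an empty one reproduces the "No time stamp is added to signature" result reported in the issue.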

The PreIndexed package source is updated every time the publishing pipeline runs over at winget-pkgs. In general, the index gets refreshed multiple times per day. I'm not sure we actually need or want to have this package to be usable if it's expired. The winget source reset --force command will reset the sources and the winget source update command would also help a user get the latest version of this package.

denelon avatar Nov 14 '24 19:11 denelon

@denelon, sorry for the late reply. Yes, in my use case it needs to be usable even if the signing cert did expire. The pre-indexed package source is being built on demand. Additionally, its distribution to other environments is chained to a change process.

It's literally less than 5 minutes of work to add this.

JohnnyElvis avatar Oct 29 '25 14:10 JohnnyElvis

@denelon - to do this just alter code in "WingetSourceCreator\Helpers.cs" in the "SignFile" method to this:

```csharp
string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
string signtoolExecutable = Path.Combine(pathToSDK, "signtool.exe");

string command = $"sign /a /fd sha256 /f {signature.CertFile} ";
if (!string.IsNullOrEmpty(signature.Password))
{
    command += $"/p {signature.Password} ";
}

// Added: RFC 3161 timestamp so the signature stays valid after the cert expires.
if (!string.IsNullOrEmpty(signature.TimeServer))
{
    command += $"/tr {signature.TimeServer} /td SHA256 ";
}

command += fileToSign;
RunCommand(signtoolExecutable, command);
```

Then just add this line to "WingetSourceCreator\Model\Signature.cs" in the "Signature" class:

```csharp
public string? TimeServer { get; set; }
```

It's done then!

JohnnyElvis avatar Oct 30 '25 09:10 JohnnyElvis

@JohnnyElvis I don't fully understand your scenario, but if you wanted to make a PR and reference this issue, I can have the engineering team review it.

denelon avatar Oct 30 '25 17:10 denelon