@funkeyfreak
Last active January 6, 2020 20:35
Check the Signing Status of Assemblies in a NuGet Package

Introduction

extract-and-check is a script that checks every .dll in a NuGet package to verify it is strong-name signed, using the Mono sn tool (it also records what chktrust says about each assembly's Authenticode signature).

[Demo image: Extract And Check Demo]

Setup - Windows

First, install scoop by running Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh') in PowerShell. Then install the remaining requirements for this script (busybox and mono) by running ./instal.ps1 in a new, elevated PowerShell instance.

Setup - Debian Linux

# mono-devel provides the sn and chktrust tools; unzip is used by the script to inflate the package
sudo apt-get install mono-devel unzip

Using This Tool

Run bash ./extract-and-check.sh <path to your .nupkg package>. This produces a csv file, named after the package, with one row of signing details for each .dll contained in the package.

A Few Things to Consider

If your Authenticode cert is not installed on your local machine, chktrust will report the following error:

ERROR! Microsoft.Bond.dll signature can't be traced back to a trusted root!

This is to be expected, and is a good sign: your .dll does have an Authenticode signature, it just chains to a root the local machine does not trust.
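The csv rows are only useful if something acts on them. The script below is an added example, not part of this gist: it reads a report in the column layout the gist's script writes (assembly-name,signed-error,strong-name-key-thumbprint,authenticode-error) and fails the build for any assembly that has no strong-name public key token or that sn could not verify, while treating the "can't be traced back to a trusted root" chktrust error as a warning rather than a failure, for the reason given above. The sample rows, the path names and the token value are constructed for the demo; only the trusted-root message is the chktrust text quoted on this page.

```shell
#!/bin/bash
# audit-signing-report.sh - gate a build on the csv that extract-and-check.sh writes
# Added example, not part of the gist. Assumed column layout (the script's own header row):
#   assembly-name,signed-error,strong-name-key-thumbprint,authenticode-error

# Writes a constructed sample report to the path in $1. The rows are made up for this demo;
# only the "can't be traced back to a trusted root" message is the chktrust text quoted in the gist.
write_sample_report() {
  cat > "$1" <<'EOF'
assembly-name,signed-error,strong-name-key-thumbprint,authenticode-error
./demo/lib/net45/Microsoft.Bond.dll,,0123456789abcdef,ERROR! Microsoft.Bond.dll signature can't be traced back to a trusted root!
./demo/lib/net45/Helper.dll,,,
./demo/lib/netstandard2.0/Other.dll,CONSTRUCTED sn verification error,0123456789abcdef,
EOF
}

# Reads a report and prints one PASS/WARN/FAIL line per assembly.
# Exit status is the number of assemblies that fail the gate, so it can be used directly in CI.
# Rules:
#   - empty strong-name-key-thumbprint       -> FAIL (sn found no public key token: not strong-name signed)
#   - non-empty signed-error                 -> FAIL (sn -vf did not verify the strong-name signature)
#   - chktrust "trusted root" error          -> WARN only (signed, but the cert is not in the local trust store)
#   - any other non-empty authenticode-error -> FAIL
audit_signing_report() {
  awk -F',' '
    BEGIN { failures = 0 }
    NR == 1 { next }                                # header row
    {
      name = $1; sn_err = $2; token = $3; ac_err = $4
      fail = 0
      if (token == "")  { print "FAIL " name ": no strong-name public key token"; fail = 1 }
      if (sn_err != "") { print "FAIL " name ": sn reported: " sn_err; fail = 1 }
      if (ac_err ~ /trusted root/) {
        print "WARN " name ": authenticode signature present, signing cert not in local trust store"
      } else if (ac_err != "") {
        print "FAIL " name ": chktrust reported: " ac_err; fail = 1
      }
      if (!fail) print "PASS " name
      failures += fail
    }
    END { exit failures }
  ' "$1"
}

# Convenience: just the number of failing assemblies.
count_signing_failures() {
  audit_signing_report "$1" | grep -c '^FAIL'
}

# Stand-alone use: "--demo" audits the built-in sample, otherwise the report path given on the command line.
if [ "${1:-}" = "--demo" ]; then
  report=$(mktemp); write_sample_report "$report"
else
  report="${1:-}"
fi
if [ -n "$report" ]; then
  audit_signing_report "$report" || echo "gate: $? assemblies failed the check"
fi
```

Run it as bash audit-signing-report.sh <package>.csv after extract-and-check.sh has finished, or with --demo to see the three sample outcomes. Note that the gist's csv is unquoted, so if sn or chktrust ever print a comma inside an error message the columns shift right; if that happens in your environment, switch both scripts to a delimiter that cannot appear in tool output (for example a tab).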

extract-and-check.sh:

#! /bin/bash
# extract-and-check - A script to produce a csv of signing details from a nuget package
# usage: bash ./extract-and-check.sh <path to .nupkg>
# requires: unzip, find, awk, and the Mono tools sn and chktrust

# prints one progress dot per line of input (used to summarise unzip's output)
function print_status_update() {
  awk 'BEGIN {ORS=" "} {print "."}'
}

# inflates the nuget package (a zip archive) into a directory named after it
function nuget_inflator() {
  printf "nuget_inflator %s...\n" "$1"
  cp -rf "$NUGET_PACKAGE_PATH" "./$1.zip"
  mkdir -p "./$1"
  # -o overwrites without prompting; -d must directly precede the target directory
  unzip -o "./$1.zip" -d "./$1" | print_status_update
  printf '\ncomplete\n'
  rm -f "./$1.zip"
}

# analyze the package and save the info to a csv file
function analyze_package() {
  printf "Begin analyzing packages for %s\n" "$1"
  echo "assembly-name,signed-error,strong-name-key-thumbprint,authenticode-error" > "./$1.csv"
  # one background worker per assembly; find with -print0 copes with paths containing spaces,
  # which the previous du | grep | cut loop split apart. wait runs inside the same subshell
  # as the loop so that it actually waits for the workers started there.
  find "./$1" -type f -name '*.dll' -print0 | {
    while IFS= read -r -d '' entry; do
      report_on_assembly "$entry" "$1" &
    done
    wait
  }
  # each worker wrote its row to its own temp file; concatenating after the workers have
  # finished avoids the interleaved-write race the old per-worker >> appends could hit
  cat "./$1".row.* >> "./$1.csv" 2>/dev/null
  rm -f "./$1".row.*
}

# worker: collect sn and chktrust results for one assembly ($1) and write a csv row for package ($2)
function report_on_assembly() {
  printf "Analyzing %s\n" "$1"
  thumbprint=$(sn -q -T "$1" | head -n1)
  signed=$(sn -q -vf "$1")
  authenticode=$(chktrust -q -T "$1" | tail -n-3 | head -n2 | grep ERROR)
  row=$(mktemp "./$2.row.XXXXXX")
  # ${thumbprint:18} drops the "Public Key Token: " label that sn prints in front of the token
  echo "$1,$signed,${thumbprint:18},$authenticode" > "$row"
}

NUGET_PACKAGE_PATH="$1"
NUGET_PACKAGE=$(basename "$1")
if [[ -f "$NUGET_PACKAGE_PATH" ]] && [[ "${NUGET_PACKAGE_PATH##*.}" = "nupkg" ]]; then
  echo "processing $NUGET_PACKAGE"
else
  echo "no nuget package passed - please call this script with a valid .nupkg file" >&2
  exit 1
fi
NUGET_PACKAGE_NAME="${NUGET_PACKAGE%.*}"
nuget_inflator "$NUGET_PACKAGE_NAME" && \
analyze_package "$NUGET_PACKAGE_NAME" && \
rm -rf "./$NUGET_PACKAGE_NAME" && \
printf "\n🎉🎉🎉\nAnalysis of %s complete!\n" "$NUGET_PACKAGE_NAME"
instal.ps1:

scoop install busybox
scoop install mono