Lots of work.

* Support for rulesets.
* Minor refactorings.
* Upgrade to SDK project files.
* Drop dual signing requirement.

Author: Kevin Jones

AuthenticodeLint/AuthenticodeLint.csproj

@@ -1,114 +1,14 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
-  <PropertyGroup>
-    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
-    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
-    <ProjectGuid>{FF77FAED-3274-4C0E-BDA0-98D8A5FA831E}</ProjectGuid>
-    <OutputType>Exe</OutputType>
-    <AppDesignerFolder>Properties</AppDesignerFolder>
-    <RootNamespace>AuthenticodeLint</RootNamespace>
-    <AssemblyName>authlint</AssemblyName>
-    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
-    <FileAlignment>512</FileAlignment>
-    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
-    <Deterministic>true</Deterministic>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugSymbols>true</DebugSymbols>
-    <DebugType>full</DebugType>
-    <Optimize>false</Optimize>
-    <OutputPath>bin\Debug\</OutputPath>
-    <DefineConstants>DEBUG;TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-    <Prefer32Bit>false</Prefer32Bit>
-    <UseVSHostingProcess>true</UseVSHostingProcess>
-  </PropertyGroup>
-  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
-    <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugType>pdbonly</DebugType>
-    <Optimize>true</Optimize>
-    <OutputPath>bin\Release\</OutputPath>
-    <DefineConstants>TRACE</DefineConstants>
-    <ErrorReport>prompt</ErrorReport>
-    <WarningLevel>4</WarningLevel>
-    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
-    <Prefer32Bit>false</Prefer32Bit>
-  </PropertyGroup>
-  <PropertyGroup>
-    <ApplicationManifest>app.manifest</ApplicationManifest>
-  </PropertyGroup>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <AssemblyName>authlint</AssemblyName>
+    <TargetFrameworks>net461</TargetFrameworks>
+    <VersionPrefix>0.10.0</VersionPrefix>
+    <Authors>Kevin Jones</Authors>
+    <LangVersion>latest</LangVersion>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+  </PropertyGroup>
   <ItemGroup>
-    <Reference Include="System" />
-    <Reference Include="System.Core" />
     <Reference Include="System.Security" />
-    <Reference Include="System.Xml.Linq" />
-    <Reference Include="System.Data.DataSetExtensions" />
-    <Reference Include="Microsoft.CSharp" />
-    <Reference Include="System.Data" />
-    <Reference Include="System.Net.Http" />
-    <Reference Include="System.Xml" />
-  </ItemGroup>
-  <ItemGroup>
-    <Compile Include="BitStrengthCalculator.cs" />
-    <Compile Include="CertificatePaddingExtractor.cs" />
-    <Compile Include="CheckEngine.cs" />
-    <Compile Include="CommandLineParser.cs" />
-    <Compile Include="ConfigurationValidator.cs" />
-    <Compile Include="Extraction.cs" />
-    <Compile Include="Interop\CertStoreSafeHandle.cs" />
-    <Compile Include="Interop\Crypt32.cs" />
-    <Compile Include="Interop\CryptMsgSafeHandle.cs" />
-    <Compile Include="Interop\LocalBufferSafeHandle.cs" />
-    <Compile Include="Interop\Pe.cs" />
-    <Compile Include="Interop\Wintrust.cs" />
-    <Compile Include="IRuleResultCollector.cs" />
-    <Compile Include="ISignature.cs" />
-    <Compile Include="KnownGuids.cs" />
-    <Compile Include="KnownOids.cs" />
-    <Compile Include="OidParser.cs" />
-    <Compile Include="PE\PortableExecutable.cs" />
-    <Compile Include="PublisherInformation.cs" />
-    <Compile Include="Signature.cs" />
-    <Compile Include="Rules\10013-MaxKeyLengthRule.cs" />
-    <Compile Include="Rules\10011-StrongKeyLengthRule.cs" />
-    <Compile Include="Rules\10012-RsaDsaPrimarySignatureRule.cs" />
-    <Compile Include="Rules\CertificateChainRuleBase.cs" />
-    <Compile Include="Rules\IAuthenticodeRule.cs" />
-    <Compile Include="Program.cs" />
-    <Compile Include="Properties\AssemblyInfo.cs" />
-    <Compile Include="Rules\10010-NoUnknownCertificatesRule.cs" />
-    <Compile Include="Rules\10002-NoWeakFileDigestAlgorithmsRule.cs" />
-    <Compile Include="Rules\10005-PublisherInformationUrlHttpsRule.cs" />
-    <Compile Include="Rules\10004-PublisherInformationRule.cs" />
-    <Compile Include="Rules\RuleResult.cs" />
-    <Compile Include="Rules\10000-Sha1PrimarySignatureRule.cs" />
-    <Compile Include="Rules\10001-Sha2SignatureExistsRule.cs" />
-    <Compile Include="Rules\10006-SigningCertificateDigestAlgorithmRule.cs" />
-    <Compile Include="Rules\10003-TimestampedRule.cs" />
-    <Compile Include="Rules\10007-TrustedSignatureRule.cs" />
-    <Compile Include="Rules\10009-NoUnknownUnsignedAttibuteRule.cs" />
-    <Compile Include="Rules\10008-WinCertificatePaddingRule.cs" />
-    <Compile Include="SignatureExtensions.cs" />
-    <Compile Include="SignatureExtractor.cs" />
-    <Compile Include="SignatureHasher.cs" />
-    <Compile Include="SignerInfoExtensions.cs" />
-    <Compile Include="StdOutRuleResultCollector.cs" />
-    <Compile Include="VerboseSignatureTextWriter.cs" />
-    <Compile Include="XmlRuleResultCollector.cs" />
-  </ItemGroup>
-  <ItemGroup>
-    <None Include="app.manifest" />
-  </ItemGroup>
-  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
-  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
-       Other similar extension points exist, see Microsoft.Common.targets.
-  <Target Name="BeforeBuild">
-  </Target>
-  <Target Name="AfterBuild">
-  </Target>
-  -->
+  </ItemGroup>
 </Project>

AuthenticodeLint/CheckEngine.cs

@@ -46,17 +46,23 @@ public RuleEngineResult RunAllRules(string file, IReadOnlyList<ISignature> signa
                     {
                         result = RuleResult.Skip;
                     }
-                    else if (rule is IAuthenticodeFileRule)
+                    else if ((rule.RuleSet & configuration.RuleSet) == 0)
                     {
-                        result = ((IAuthenticodeFileRule)rule).Validate(file, verboseWriter, configuration);
-                    }
-                    else if (rule is IAuthenticodeSignatureRule)
-                    {
-                        result = ((IAuthenticodeSignatureRule)rule).Validate(signatures, verboseWriter, configuration);
+                        result = RuleResult.Excluded;
                     }
                     else
                     {
-                        throw new NotSupportedException("Rule type is not supported.");
+                        switch (rule)
+                        {
+                            case IAuthenticodeFileRule fileRule:
+                                result = fileRule.Validate(file, verboseWriter, configuration);
+                                break;
+                            case IAuthenticodeSignatureRule sigRule:
+                                result = sigRule.Validate(signatures, verboseWriter, configuration);
+                                break;
+                            default:
+                                throw new NotSupportedException("Rule type is not supported.");
+                        }
                     }
                 }
                 if (result == RuleResult.Fail)

AuthenticodeLint/ConfigurationValidator.cs

@@ -13,8 +13,9 @@ public class CheckConfiguration
         public bool Verbose { get; }
         public RevocationChecking RevocationMode {get;}
         public string ExtractPath { get; }
+        public RuleSet RuleSet { get; }
 
-        public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract)
+        public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract, RuleSet ruleSet)
         {
             InputPaths = inputPaths;
             ReportPath = reportPath;
@@ -23,6 +24,7 @@ public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, b
             Verbose = verbose;
             RevocationMode = revocationMode;
             ExtractPath = extract;
+            RuleSet = ruleSet;
         }
     }
 

AuthenticodeLint/KnownOids.cs

@@ -30,6 +30,8 @@ public static class EccCurves
         public const string OpusInfo  = "1.3.6.1.4.1.311.2.1.12";
         public const string CodeSigning = "1.3.6.1.5.5.7.3.3";
         public const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";
+        public const string SealingSignature = "1.3.6.1.4.1.311.2.4.3";
+        public const string SealingTimestamp = "1.3.6.1.4.1.311.2.4.4";
         public const string KeyId = "1.3.6.1.4.1.311.10.7.1";
 
 

AuthenticodeLint/Program.cs

@@ -35,6 +35,7 @@ static int Main(string[] args)
             string report = null;
             string extract = null;
             var revocation = RevocationChecking.None;
+            var ruleSet = RuleSet.Modern;
             foreach(var parameter in parsedCommandLine)
             {
                 if (parameter.Name == "in")
@@ -121,6 +122,19 @@ static int Main(string[] args)
                         return ExitCodes.InvalidInputOrConfig;
                     }
                 }
+                else if (parameter.Name == "ruleset")
+                {
+                    if (string.IsNullOrWhiteSpace(parameter.Value))
+                    {
+                        Console.Error.WriteLine($"-{parameter.Name} requires a value if specified.");
+                        return ExitCodes.InvalidInputOrConfig;
+                    }
+                    if (!Enum.TryParse(parameter.Value, true, out ruleSet) || parameter.Value.Equals("all", StringComparison.OrdinalIgnoreCase))
+                    {
+                        Console.Error.WriteLine($"-{parameter.Value} is an unrecognized ruleset.");
+                        return ExitCodes.InvalidInputOrConfig;
+                    }
+                }
                 else
                 {
                     Console.Error.WriteLine($"-{parameter.Name} is an unknown parameter.");
@@ -132,7 +146,7 @@ static int Main(string[] args)
                 Console.Error.WriteLine("Input is expected. See -help for usage.");
                 return ExitCodes.InvalidInputOrConfig;
             }
-            var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract);
+            var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract, ruleSet);
 
             if (!ConfigurationValidator.ValidateAndPrint(configuration, Console.Error))
             {
@@ -178,6 +192,8 @@ Checks the Authenticode signature of your binaries.
     -verbose:       Show verbose output. Cannot be combined with -quiet.
     -revocation:    Specify how revocation checking is done. Valid values are none, offline, online. None is the default.
     -extract:       Extracts all signature information to the specified directory.
+    -ruleset:       A set of rules to run. By intended behavior, such as modern signing, or compatibility.
+                    Possible values are ""compat"" and ""modern"", where the default is ""modern"". Optional.
 
 Exit codes:
 

AuthenticodeLint/Properties/AssemblyInfo.cs

@@ -0,0 +1,8 @@
+{
+  "profiles": {
+    "AuthenticodeLint": {
+      "commandName": "Project",
+      "commandLineArgs": "-in \"C:\\dev\\Personal\\AuthenticodeLint\\out\\authlint.exe\""
+    }
+  }
+}

AuthenticodeLint/Properties/launchSettings.json

@@ -0,0 +1,12 @@
+using System;
+
+namespace AuthenticodeLint
+{
+    [Flags]
+    public enum RuleSet : byte
+    {
+        Modern = 0x01,
+        Compat = 0x02,
+        All = 0xFF
+    }
+}

AuthenticodeLint/RuleSet.cs

@@ -11,6 +11,8 @@ public class Sha1PrimarySignatureRule : IAuthenticodeSignatureRule
 
         public string ShortDescription { get; } = "Primary signature should be SHA1.";
 
+        public RuleSet RuleSet { get; } = RuleSet.Compat;
+
         public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
         {
             if (graph.Count == 0)

AuthenticodeLint/Rules/10000-Sha1PrimarySignatureRule.cs

@@ -13,6 +13,8 @@ public class Sha2SignatureExistsRule : IAuthenticodeSignatureRule
 
         public string ShortDescription { get; } = "A SHA2 signature should exist.";
 
+        public RuleSet RuleSet { get; } = RuleSet.All;
+
         public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
         {
             var signatures = graph.VisitAll(SignatureKind.AnySignature);