Better handling of files with no signature.

If the file lacks an Authenticode signature each rule is guaranteed to fail.

Author: vcsjones

AuthenticodeLint/CheckEngine.cs

@@ -38,16 +38,24 @@ public RuleEngineResult RunAllRules(string file, Graph<SignerInfo> signatures, L
             {
                 RuleResult result;
                 var verboseWriter = verbose ? new VerboseSignatureLogger() : SignatureLoggerBase.Null;
-                if (suppressedRuleIDs.Contains(rule.RuleId))
+                if (signatures.Items.Count == 0)
                 {
-                    result = RuleResult.Skip;
+                    result = RuleResult.Fail;
+                    verboseWriter.LogMessage("File is not Authenticode signed.");
                 }
                 else
                 {
-                    result = rule.Validate(signatures, verboseWriter);
-                    if (result != RuleResult.Pass)
+                    if (suppressedRuleIDs.Contains(rule.RuleId))
                     {
-                        engineResult = RuleEngineResult.NotAllPass;
+                        result = RuleResult.Skip;
+                    }
+                    else
+                    {
+                        result = rule.Validate(signatures, verboseWriter);
+                        if (result != RuleResult.Pass)
+                        {
+                            engineResult = RuleEngineResult.NotAllPass;
+                        }
                     }
                 }
                 collectors.ForEach(c => c.CollectResult(rule, result, verboseWriter.Messages));

AuthenticodeLint/ConfigurationValidator.cs

@@ -38,7 +38,7 @@ public static bool ValidateAndPrint(CheckConfiguration configuration, TextWriter
             {
                 if (!File.Exists(path))
                 {
-                    printer.WriteLine($"The input path ${path} does not exist.");
+                    printer.WriteLine($"The input path {path} does not exist.");
                     success = false;
                 }
             }

AuthenticodeLint/Rules/NoWeakFileDigestAlgorithmsRule.cs

@@ -18,17 +18,17 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
             {
                 if (signature.DigestAlgorithm.Value == KnownOids.MD2)
                 {
-                    verboseWriter.LogMessage(signature, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD2)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
                 else if (signature.DigestAlgorithm.Value == KnownOids.MD4)
                 {
-                    verboseWriter.LogMessage(signature, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD4)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
                 else if (signature.DigestAlgorithm.Value == KnownOids.MD5)
                 {
-                    verboseWriter.LogMessage(signature, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");
+                    verboseWriter.LogSignatureMessage(signature, $"Uses the {nameof(KnownOids.MD5)} digest algorithm.");
                     result = RuleResult.Fail;
                 }
             }

AuthenticodeLint/Rules/PublisherInformationRule.cs

@@ -29,24 +29,24 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
                 if (info == null)
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature does not have any publisher information.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");
                 }
                 if (string.IsNullOrWhiteSpace(info.Description))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature does not have an accompanying description.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying description.");
                 }
 
                 if (string.IsNullOrWhiteSpace(info.UrlLink))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature does not have an accompanying URL.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");
                 }
                 Uri uri;
                 if (!Uri.TryCreate(info.UrlLink, UriKind.Absolute, out uri))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature's accompanying URL is not a valid URI.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature's accompanying URL is not a valid URI.");
                 }
             }
             return result;

AuthenticodeLint/Rules/PublisherInformationUrlHttpsRule.cs

@@ -29,17 +29,17 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
                 if (info == null)
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature does not have any publisher information.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature does not have any publisher information.");
                 }
                 if (string.IsNullOrWhiteSpace(info.UrlLink))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, "Signature does not have an accompanying URL.");
+                    verboseWriter.LogSignatureMessage(signature, "Signature does not have an accompanying URL.");
                 }
                 if (!info.UrlLink.StartsWith(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
                 {
                     result = RuleResult.Fail;
-                    verboseWriter.LogMessage(signature, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");
+                    verboseWriter.LogSignatureMessage(signature, $"Signature's publisher information URL \"{info.UrlLink}\" does not use the secure HTTPS scheme.");
                 }
             }
             return result;

AuthenticodeLint/Rules/Sha1PrimarySignatureRule.cs

@@ -23,7 +23,7 @@ public RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase verboseW
             }
             if (primary.DigestAlgorithm.Value != KnownOids.SHA1)
             {
-                verboseWriter.LogMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");
+                verboseWriter.LogSignatureMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");
                 return RuleResult.Fail;
             }
             return RuleResult.Pass;

AuthenticodeLint/Rules/TimestampedRule.cs

@@ -47,12 +47,12 @@ public unsafe RuleResult Validate(Graph<SignerInfo> graph, SignatureLoggerBase v
                 }
                 if (!isSigned)
                 {
-                    verboseWriter.LogMessage(signature, $"Signature is not timestamped.");
+                    verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped.");
                     pass = false;
                 }
                 else if (!strongSign)
                 {
-                    verboseWriter.LogMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
+                    verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
                     pass = false;
                 }
             }

AuthenticodeLint/VerboseSignatureTextWriter.cs

@@ -9,7 +9,9 @@ namespace AuthenticodeLint
 {
     public class VerboseSignatureLogger : SignatureLoggerBase
     {
-        public override void LogMessage(SignerInfo signature, string message)
+        public override void LogMessage(string message) => Messages.Add(message);
+
+        public override void LogSignatureMessage(SignerInfo signature, string message)
         {
             var digest = signature.SignatureDigest();
             var digestString = digest.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString();
@@ -19,7 +21,11 @@ public override void LogMessage(SignerInfo signature, string message)
 
     public class NullSignatureLogger : SignatureLoggerBase
     {
-        public override void LogMessage(SignerInfo signature, string message)
+        public override void LogMessage(string message)
+        {
+        }
+
+        public override void LogSignatureMessage(SignerInfo signature, string message)
         {
         }
     }
@@ -30,6 +36,7 @@ public abstract class SignatureLoggerBase
 
         internal List<string> Messages { get; } = new List<string>();
 
-        public abstract void LogMessage(SignerInfo signature, string message);
+        public abstract void LogSignatureMessage(SignerInfo signature, string message);
+        public abstract void LogMessage(string message);
     }
 }