Support detached signature verification for tars and zips

ellahathaway · ellahathaway · commit 2b6ca9ce1758 · 2026-03-17T23:37:33.000Z
diff --git a/src/SignCheck/Microsoft.SignCheck/Utils.cs b/src/SignCheck/Microsoft.SignCheck/Utils.cs
@@ -189,7 +189,7 @@ public static (int exitCode, string output, string error) RunBashCommand(string
         }
 
         /// <summary>
-        /// Download the Microsoft and Azure Linux public keys and import them into the keyring.
+        /// Download the Microsoft, Azure Linux, and .NET release public keys and import them into the keyring.
         /// </summary>
         public static void DownloadAndConfigurePublicKeys(string tempDir)
         {
@@ -198,7 +198,8 @@ public static void DownloadAndConfigurePublicKeys(string tempDir)
                 "https://packages.microsoft.com/keys/microsoft.asc", // Microsoft public key
                 "https://packages.microsoft.com/keys/microsoft-2025.asc", // Microsoft public key for distributions that do not allow SHA1
                 "https://packages.microsoft.com/keys/microsoft-rolling.asc", // Non-SHA1 Microsoft public keys for non-Azure Linux distributions
-                "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY" // Azure linux public key
+                "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY", // Azure linux public key
+                "https://dot.net/release-key-2023", // .NET release public key
             };
             foreach (string keyUrl in keyUrls)
             {
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/DebVerifier.cs b/src/SignCheck/Microsoft.SignCheck/Verification/DebVerifier.cs
@@ -9,7 +9,7 @@
 
 namespace Microsoft.SignCheck.Verification
 {
-    public class DebVerifier : LinuxPackageVerifier
+    public class DebVerifier : PgpVerifier
     {
         public DebVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options) : base(log, exclusions, options, ".deb") { }
 
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs b/src/SignCheck/Microsoft.SignCheck/Verification/PgpVerifier.cs
@@ -10,12 +10,24 @@
 
 namespace Microsoft.SignCheck.Verification
 {
-    public abstract class LinuxPackageVerifier : ArchiveVerifier
+    public abstract class PgpVerifier : ArchiveVerifier
     {
-        protected LinuxPackageVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension) : base(log, exclusions, options, fileExtension) { }
+        private bool _supportsDetachedSignature;
+
+        protected PgpVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension, bool supportsDetachedSignature = false)
+        : base(log, exclusions, options, fileExtension)
+        {
+            _supportsDetachedSignature = supportsDetachedSignature;
+        }
 
         public override SignatureVerificationResult VerifySignature(string path, string parent, string virtualPath)
-            => VerifySupportedFileType(path, parent, virtualPath);
+        {
+            if (_supportsDetachedSignature && File.Exists(path + ".sig"))
+            {
+                return VerifySupportedFileType(path, parent, virtualPath);
+            }
+            return VerifyUnsupportedFileType(path, parent, virtualPath);
+        }
 
         /// <summary>
         /// Returns the paths to the signature document and the signable content.
@@ -24,13 +36,25 @@ public override SignatureVerificationResult VerifySignature(string path, string
         /// <param name="path"></param>
         /// <param name="tempDir"></param>
         /// <returns></returns>
-        protected abstract (string signatureDocument, string signableContent) GetSignatureDocumentAndSignableContent(string path, string tempDir);
+        protected virtual (string signatureDocument, string signableContent) GetSignatureDocumentAndSignableContent(string path, string tempDir)
+        {
+            if (_supportsDetachedSignature)
+            {
+                string signature = $"{path}.sig";
+                string signatureDocument = Path.Combine(tempDir, Path.GetFileName(signature));
+                File.Copy(signature, signatureDocument, overwrite: true);
+
+                return (signatureDocument, path);
+            }
+
+            throw new InvalidOperationException("GetSignatureDocumentAndSignableContent must be overridden for supported archive types that do not use detached signatures.");
+        }
 
         protected override bool IsSigned(string path, SignatureVerificationResult svr)
         {
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
-                throw new PlatformNotSupportedException("Linux package verification is not supported on Windows.");
+                throw new PlatformNotSupportedException("Pgp verification is not supported on Windows.");
             }
 
             string tempDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/RpmVerifier.cs b/src/SignCheck/Microsoft.SignCheck/Verification/RpmVerifier.cs
@@ -11,7 +11,7 @@
 
 namespace Microsoft.SignCheck.Verification
 {
-    public class RpmVerifier : LinuxPackageVerifier
+    public class RpmVerifier : PgpVerifier
     {
         public RpmVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options) : base(log, exclusions, options, ".rpm") { }
 
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/SignatureVerificationManager.cs b/src/SignCheck/Microsoft.SignCheck/Verification/SignatureVerificationManager.cs
@@ -116,7 +116,7 @@ public SignatureVerificationManager(Exclusions exclusions, Log log, SignatureVer
             AddFileVerifier(new NupkgVerifier(log, exclusions, options));
             AddFileVerifier(new PortableExecutableVerifier(log, exclusions, options, ".dll"));
             AddFileVerifier(new XmlVerifier(log, exclusions, options));
-            AddFileVerifier(new ZipVerifier(log, exclusions, options));
+            AddFileVerifier(new ZipVerifier(log, exclusions, options, supportsDetachedSignature: true));
         }
 
         /// <summary>
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/TarVerifier.cs b/src/SignCheck/Microsoft.SignCheck/Verification/TarVerifier.cs
@@ -10,19 +10,16 @@
 
 namespace Microsoft.SignCheck.Verification
 {
-    public class TarVerifier : ArchiveVerifier
+    public class TarVerifier : PgpVerifier
     {
-        public TarVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension) : base(log, exclusions, options, fileExtension)
+        public TarVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension) : base(log, exclusions, options, fileExtension, supportsDetachedSignature: true)
         {
             if (fileExtension != ".tar" && fileExtension != ".gz" && fileExtension != ".tgz")
             {
-                throw new ArgumentException("fileExtension must be .tar or .gz");
+                throw new ArgumentException("fileExtension must be .tar, .gz, or .tgz");
             }
         }
 
-        public override SignatureVerificationResult VerifySignature(string path, string parent, string virtualPath)
-            => VerifyUnsupportedFileType(path, parent, virtualPath);
-
         protected override IEnumerable<ArchiveEntry> ReadArchiveEntries(string archivePath)
         {
             using (var fileStream = File.Open(archivePath, FileMode.Open))
diff --git a/src/SignCheck/Microsoft.SignCheck/Verification/ZipVerifier.cs b/src/SignCheck/Microsoft.SignCheck/Verification/ZipVerifier.cs
@@ -8,15 +8,9 @@
 
 namespace Microsoft.SignCheck.Verification
 {
-    public class ZipVerifier : ArchiveVerifier
+    public class ZipVerifier : PgpVerifier
     {
-        public ZipVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension = ".zip") : base(log, exclusions, options, fileExtension)
-        {
-
-        }
-
-        public override SignatureVerificationResult VerifySignature(string path, string parent, string virtualPath)
-            => VerifyUnsupportedFileType(path, parent, virtualPath);
+        public ZipVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension = ".zip", bool supportsDetachedSignature = false) : base(log, exclusions, options, fileExtension, supportsDetachedSignature) { }
 
         protected override IEnumerable<ArchiveEntry> ReadArchiveEntries(string archivePath)
         {

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ public static (int exitCode, string output, string error) RunBashCommand(string`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`/// <summary>`
`192`		`- /// Download the Microsoft and Azure Linux public keys and import them into the keyring.`
	`192`	`+ /// Download the Microsoft, Azure Linux, and .NET release public keys and import them into the keyring.`
`193`	`193`	`/// </summary>`
`194`	`194`	`public static void DownloadAndConfigurePublicKeys(string tempDir)`
`195`	`195`	`{`
`@@ -198,7 +198,8 @@ public static void DownloadAndConfigurePublicKeys(string tempDir)`
`198`	`198`	`"https://packages.microsoft.com/keys/microsoft.asc", // Microsoft public key`
`199`	`199`	`"https://packages.microsoft.com/keys/microsoft-2025.asc", // Microsoft public key for distributions that do not allow SHA1`
`200`	`200`	`"https://packages.microsoft.com/keys/microsoft-rolling.asc", // Non-SHA1 Microsoft public keys for non-Azure Linux distributions`
`201`		`- "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY" // Azure linux public key`
	`201`	`+ "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY", // Azure linux public key`
	`202`	`+ "https://dot.net/release-key-2023", // .NET release public key`
`202`	`203`	`};`
`203`	`204`	`foreach (string keyUrl in keyUrls)`
`204`	`205`	`{`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`namespace Microsoft.SignCheck.Verification`
`11`	`11`	`{`
`12`		`- public class DebVerifier : LinuxPackageVerifier`
	`12`	`+ public class DebVerifier : PgpVerifier`
`13`	`13`	`{`
`14`	`14`	`public DebVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options) : base(log, exclusions, options, ".deb") { }`
`15`	`15`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`
`12`	`12`	`namespace Microsoft.SignCheck.Verification`
`13`	`13`	`{`
`14`		`- public class RpmVerifier : LinuxPackageVerifier`
	`14`	`+ public class RpmVerifier : PgpVerifier`
`15`	`15`	`{`
`16`	`16`	`public RpmVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options) : base(log, exclusions, options, ".rpm") { }`
`17`	`17`
Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ public SignatureVerificationManager(Exclusions exclusions, Log log, SignatureVer`
`116`	`116`	`AddFileVerifier(new NupkgVerifier(log, exclusions, options));`
`117`	`117`	`AddFileVerifier(new PortableExecutableVerifier(log, exclusions, options, ".dll"));`
`118`	`118`	`AddFileVerifier(new XmlVerifier(log, exclusions, options));`
`119`		`- AddFileVerifier(new ZipVerifier(log, exclusions, options));`
	`119`	`+ AddFileVerifier(new ZipVerifier(log, exclusions, options, supportsDetachedSignature: true));`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -10,19 +10,16 @@`
`10`	`10`
`11`	`11`	`namespace Microsoft.SignCheck.Verification`
`12`	`12`	`{`
`13`		`- public class TarVerifier : ArchiveVerifier`
	`13`	`+ public class TarVerifier : PgpVerifier`
`14`	`14`	`{`
`15`		`- public TarVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension) : base(log, exclusions, options, fileExtension)`
	`15`	`+ public TarVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension) : base(log, exclusions, options, fileExtension, supportsDetachedSignature: true)`
`16`	`16`	`{`
`17`	`17`	`if (fileExtension != ".tar" && fileExtension != ".gz" && fileExtension != ".tgz")`
`18`	`18`	`{`
`19`		`- throw new ArgumentException("fileExtension must be .tar or .gz");`
	`19`	`+ throw new ArgumentException("fileExtension must be .tar, .gz, or .tgz");`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`
`23`		`- public override SignatureVerificationResult VerifySignature(string path, string parent, string virtualPath)`
`24`		`- => VerifyUnsupportedFileType(path, parent, virtualPath);`
`25`		`-`
`26`	`23`	`protected override IEnumerable<ArchiveEntry> ReadArchiveEntries(string archivePath)`
`27`	`24`	`{`
`28`	`25`	`using (var fileStream = File.Open(archivePath, FileMode.Open))`
Original file line number	Diff line number	Diff line change
`@@ -8,15 +8,9 @@`
`8`	`8`
`9`	`9`	`namespace Microsoft.SignCheck.Verification`
`10`	`10`	`{`
`11`		`- public class ZipVerifier : ArchiveVerifier`
	`11`	`+ public class ZipVerifier : PgpVerifier`
`12`	`12`	`{`
`13`		`- public ZipVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension = ".zip") : base(log, exclusions, options, fileExtension)`
`14`		`- {`
`15`		`-`
`16`		`- }`
`17`		`-`
`18`		`- public override SignatureVerificationResult VerifySignature(string path, string parent, string virtualPath)`
`19`		`- => VerifyUnsupportedFileType(path, parent, virtualPath);`
	`13`	`+ public ZipVerifier(Log log, Exclusions exclusions, SignatureVerificationOptions options, string fileExtension = ".zip", bool supportsDetachedSignature = false) : base(log, exclusions, options, fileExtension, supportsDetachedSignature) { }`
`20`	`14`
`21`	`15`	`protected override IEnumerable<ArchiveEntry> ReadArchiveEntries(string archivePath)`
`22`	`16`	`{`