SignTool error when /fd parameter is not provided

[derekchristensen]

Prerequisites

• I have written a descriptive issue title
• I have searched issues to ensure it has not already been reported

Cake runner

Cake Frosting

Cake version

4

Operating system

Windows

Operating system architecture

64-Bit

CI Server

GitHub Actions

What are you seeing?

In newer versions of signtool.exe (as of Windows SDK 10.0.20348.0), the digest algorithm parameter (/fd) is required when running the sign command. Currently, the logic in SignToolSignRunner only adds the /fd parameter if DigestAlgorithm is set to Sha256. Now, when the parameter is ommitted signtool.exe generates the error:

 No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.

Which causes the tool to fail.

This also means that explicitly setting the DigestAlgorithm to Sha1 in the settings, still does not resolve the issue.

The docs for signtool.exe have been updated to reflect that the /fd parameter is now required:

Note: An error is generated if the /fd switch is not provided while signing.

https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe#sign-command-options

What is expected?

SignToolSignRunner should always emit the /fd parameter since the parameter is now required.

Steps to Reproduce

Attempt to sign and file without setting the DigestAlgorithm:

[TaskName("Sign")]
public sealed class SignTask : FrostingTask<BuildContext>
{
	public override void Run(BuildContext context)
	{
		var file = new FilePath("SampleApp.exe");
		context.Sign(file, new SignToolSignSettings
		{
			TimeStampUri = new Uri("http://timestamp.digicert.com"),
			CertThumbprint = "<certificate_thumbprint>"
		});
	}
}

Output log

.\build.ps1 --target Sign --verbosity Diagnostic
NuGet Config not specified. Will use NuGet default mechanism for resolving it.
Registering task: Sign
Registering task: Hello
Registering task: World
Registering task: Default

========================================
Sign
========================================
Executing task: Sign
Could not resolve path for tool "signtool.exe" using these directories: <trimmed>
Executing: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x64/signtool.exe" SIGN /t "http://timestamp.digicert.com/" /sha1 "<certificate_thumbprint>" "C:/Tools/dev/cake/SignToolError/build/SampleApp.exe"
SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.
An error occurred when executing task 'Sign'.
Completed in 00:00:00.0968934
Error: Cake.Core.CakeException: SignTool SIGN: Process returned an error (exit code 1).
   at Cake.Core.Tooling.Tool`1.ProcessExitCode(Int32 exitCode)
   at Cake.Core.Tooling.Tool`1.Run(TSettings settings, ProcessArgumentBuilder arguments, ProcessSettings processSettings, Action`1 postAction)
   at Cake.Core.Tooling.Tool`1.Run(TSettings settings, ProcessArgumentBuilder arguments)
   at Cake.Common.Tools.SignTool.SignToolSignRunner.Run(IEnumerable`1 assemblyPaths, SignToolSignSettings settings)
   at Cake.Common.Tools.SignTool.SignToolSignAliases.Sign(ICakeContext context, IEnumerable`1 assemblies, SignToolSignSettings settings)
   at Cake.Common.Tools.SignTool.SignToolSignAliases.Sign(ICakeContext context, FilePath assembly, SignToolSignSettings settings)
   at SignTask.Run(BuildContext context) in C:\Tools\dev\cake\SignToolError\build\Program.cs:line 36
   at Cake.Frosting.FrostingTask`1.Cake.Frosting.IFrostingTask.RunAsync(ICakeContext context)
   at Cake.Core.CakeTask.Execute(ICakeContext context)