Support signing APPX/MSIX Windows packages (Fixes ebourg#81)

Author: ebourg

README.md

@@ -8,9 +8,9 @@ Jsign - Java implementation of Microsoft Authenticode
 
 Jsign is a Java implementation of Microsoft Authenticode that lets you sign
 and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet
-files (CAB), Catalog files (CAT) and scripts. Jsign is platform independent and
-provides an alternative to native tools like signcode/signtool on Windows or the
-Mono development tools on Unix systems.
+files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts.
+Jsign is platform independent and provides an alternative to native tools like
+signcode/signtool on Windows or the Mono development tools on Unix systems.
 
 Jsign comes as an easy-to-use task/plugin for the main build systems (Maven,
 Gradle, Ant). It's especially suitable for signing executable wrappers and
@@ -20,7 +20,7 @@ Jsign can also be used programmatically or standalone as a command line tool.
 Jsign is free to use and licensed under the [Apache License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
 
 ## Features
-* Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF)
+* Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts (PowerShell, VBScript, JScript, WSF)
 * Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
 * Supports multiple signatures per file, for all file types
 * Extracts and embeds detached signatures to support [reproducible builds](https://reproducible-builds.org/docs/embedded-signatures/)
@@ -40,6 +40,9 @@ See https://ebourg.github.io/jsign for more information.
 
 ## Changes
 
+#### Version 5.1 (in development)
+* APPX/MSIX package signing has been implemented (thanks to Maciej Panek for the help)
+
 #### Version 5.0 (2023-06-06)
 
 * The AWS KMS signing service has been integrated (with contributions from Vincent Malmedy)

docs/index.html

@@ -4,7 +4,7 @@
   <head>
     <meta charset='utf-8' />
     <meta http-equiv="X-UA-Compatible" content="chrome=1" />
-    <meta name="description" content="Jsign : Pure Java implementation of Microsoft Authenticode for signing Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF)" />
+    <meta name="description" content="Jsign : Pure Java implementation of Microsoft Authenticode for signing Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts (PowerShell, VBScript, JScript, WSF)" />
     <meta name="google-site-verification" content="p912kgAnTBOzVbswrU43k3FXUbPnxLHdeW6xsVcq1uU" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 
@@ -37,8 +37,8 @@ <h2 id="project_tagline">Java implementation of Microsoft Authenticode <br class
 
 <p>Jsign is a Java implementation of Microsoft Authenticode that lets you sign
 and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB),
-Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF). Jsign is platform
-independent and provides an alternative to native tools like <em>signcode/signtool</em>
+Catalog files (CAT), Windows packages (APPX/MSIX) and scripts (PowerShell, VBScript, JScript, WSF).
+Jsign is platform independent and provides an alternative to native tools like <em>signcode/signtool</em>
 on Windows or the Mono development tools on Unix systems.</p>
 
 <p>Jsign comes as an easy to use task/plugin for the main build systems (Maven,
@@ -56,7 +56,7 @@ <h2 id="project_tagline">Java implementation of Microsoft Authenticode <br class
 <h3>Features</h3>
 
 <ul>
-  <li>Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF)</li>
+  <li>Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts (PowerShell, VBScript, JScript, WSF)</li>
   <li>Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)</li>
   <li>Supports multiple signatures per file, for all file types</li>
   <li>Extracts and embeds detached signatures to support <a href="https://reproducible-builds.org/docs/embedded-signatures/">reproducible builds</a></li>
@@ -132,7 +132,8 @@ <h4 class="mobile-only">Attributes</h4>
       <td class="attribute">file</td>
       <td class="description">
           The file to be signed. The supported files are Windows executables (EXE), DLLs, Microsoft Installers (MSI),
-          Cabinet files (CAB), Catalog files (CAT) and scripts (PowerShell, VBScript, JScript, WSF)</td>
+          Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts
+          (PowerShell, VBScript, JScript, WSF)</td>
       <td class="required">Yes, unless a fileset is specified.</td>
     </tr>
     <tr>
@@ -213,8 +214,11 @@ <h4 class="mobile-only">Attributes</h4>
     </tr>
     <tr>
       <td class="attribute">alg</td>
-      <td class="description">The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512)</td>
-      <td class="required">No; defaults to SHA-256</td>
+      <td class="description">
+        The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512). For some formats such as APPX/MSIX packages
+        the algorithm is automatically detected and setting this parameter has no effect.
+      </td>
+      <td class="required">No; defaults to SHA-256 or a format specific value</td>
     </tr>
     <tr>
       <td class="attribute">tsaurl</td>
@@ -437,7 +441,8 @@ <h3>Command Line Tool</h3>
 <pre>
   usage: jsign [OPTIONS] [FILE]...
   Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet
-  files (CAB), Catalog files (CAT) or scripts (PowerShell, VBScript, JScript, WSF).
+  files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) or scripts
+  (PowerShell, VBScript, JScript, WSF).
 
   -s,--keystore &lt;FILE>       The keystore file, the SunPKCS11 configuration file or
                              the cloud keystore name

jsign-cli/src/main/java/net/jsign/JsignCLI.java

@@ -139,7 +139,7 @@ private void setOption(String key, SignerHelper helper, CommandLine cmd) {
     }
 
     private void printHelp() {
-        String header = "Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT) or scripts (PowerShell, VBScript, JScript, WSF).\n\n";
+        String header = "Sign and timestamp Windows executable files, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) or scripts (PowerShell, VBScript, JScript, WSF).\n\n";
         String footer ="\n" +
                 "Examples:\n\n" +
                 "   Signing with a PKCS#12 keystore and timestamping:\n\n" +

jsign-core/src/main/java/net/jsign/AuthenticodeSigner.java

@@ -367,9 +367,14 @@ public void sign(Signable file) throws Exception {
      * @throws Exception if an error occurs
      */
     protected CMSSignedData createSignedData(Signable file) throws Exception {
+        DigestAlgorithm digestAlgorithm = file.getRequiredDigestAlgorithm();
+        if (digestAlgorithm == null) {
+            digestAlgorithm = this.digestAlgorithm;
+        }
+
         // compute the signature
         ContentInfo contentInfo = file.createContentInfo(digestAlgorithm);
-        AuthenticodeSignedDataGenerator generator = createSignedDataGenerator();
+        AuthenticodeSignedDataGenerator generator = createSignedDataGenerator(digestAlgorithm);
         CMSSignedData sigData = generator.generate(contentInfo.getContentType(), contentInfo.getContent());
 
         // verify the signature
@@ -396,7 +401,7 @@ protected CMSSignedData createSignedData(Signable file) throws Exception {
         return sigData;
     }
 
-    private AuthenticodeSignedDataGenerator createSignedDataGenerator() throws CMSException, OperatorCreationException, CertificateEncodingException {
+    private AuthenticodeSignedDataGenerator createSignedDataGenerator(DigestAlgorithm digestAlgorithm) throws CMSException, OperatorCreationException, CertificateEncodingException {
         // create content signer
         final String sigAlg;
         if (signatureAlgorithm != null) {

jsign-core/src/main/java/net/jsign/Signable.java

@@ -31,6 +31,7 @@
 import net.jsign.cat.CatalogFile;
 import net.jsign.mscab.MSCabinetFile;
 import net.jsign.msi.MSIFile;
+import net.jsign.appx.APPXFile;
 import net.jsign.pe.PEFile;
 import net.jsign.script.JScript;
 import net.jsign.script.PowerShellScript;
@@ -45,6 +46,17 @@
  */
 public interface Signable extends Closeable {
 
+    /**
+     * Returns the digests algorithm required for the signature.
+     * Some formats such as APPX/MSIX require a specific digest algorithm defined in the file metadata.
+     *
+     * @return the digest algorithm required for the signature, or null to use the default algorithm
+     * @since 5.1
+     */
+    default DigestAlgorithm getRequiredDigestAlgorithm() throws IOException {
+        return null;
+    }
+
     /**
      * Creates the ContentInfo structure to be signed.
      *
@@ -152,6 +164,12 @@ static Signable of(File file, Charset encoding) throws IOException {
         } else if (file.getName().endsWith(".wsf")) {
             return new WindowsScript(file, encoding);
 
+        } else if (file.getName().endsWith(".msix")
+                || file.getName().endsWith(".msixbundle")
+                || file.getName().endsWith(".appx")
+                || file.getName().endsWith(".appxbundle")) {
+            return new APPXFile(file);
+
         } else {
             throw new UnsupportedOperationException("Unsupported file: " + file);
         }