SHA1 primary check fails if there are multiple primary signatures, which shouldn't happen in the first place.

vcsjones · vcsjones · commit b02e470bb08f · 2016-06-08T11:35:04.000-04:00
diff --git a/AuthenticodeLint/Rules/10000-Sha1PrimarySignatureRule.cs b/AuthenticodeLint/Rules/10000-Sha1PrimarySignatureRule.cs
@@ -13,12 +13,16 @@ public class Sha1PrimarySignatureRule : IAuthenticodeSignatureRule
 
         public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
         {
-            var primary = graph.SingleOrDefault();
-            //There are zero signatures.
-            if (primary == null)
+            if (graph.Count == 0)
             {
                 return RuleResult.Fail;
             }
+            if (graph.Count > 1)
+            {
+                verboseWriter.LogMessage("Multiple primary signatures exist.");
+                return RuleResult.Fail;
+            }
+            var primary = graph[0];
             if (primary.DigestAlgorithm.Value != KnownOids.SHA1)
             {
                 verboseWriter.LogSignatureMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");
diff --git a/AuthenticodeLintTests/Rules/Sha1PrimarySignatureRuleTests.cs b/AuthenticodeLintTests/Rules/Sha1PrimarySignatureRuleTests.cs
@@ -46,5 +46,25 @@ public void ShouldPassOnSha1Algorithm()
             Assert.Equal(RuleResult.Pass, result);
             Assert.Empty(logger.Messages);
         }
+
+
+        [Fact]
+        public void ShouldFailOnMultiplePrimarySignatures()
+        {
+            var signature1 = new FakeSignature
+            {
+                DigestAlgorithm = new Oid(KnownOids.SHA1)
+            };
+            var signature2 = new FakeSignature
+            {
+                DigestAlgorithm = new Oid(KnownOids.SHA256)
+            };
+            var check = new Sha1PrimarySignatureRule();
+            var logger = new MemorySignatureLogger();
+            var result = check.Validate(new List<ISignature> { signature1, signature2 }, logger, Configuration);
+            Assert.Equal(RuleResult.Fail, result);
+            Assert.Contains("Multiple primary signatures exist.", logger.Messages);
+
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,12 +13,16 @@ public class Sha1PrimarySignatureRule : IAuthenticodeSignatureRule`
`13`	`13`
`14`	`14`	`public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)`
`15`	`15`	`{`
`16`		`- var primary = graph.SingleOrDefault();`
`17`		`- //There are zero signatures.`
`18`		`- if (primary == null)`
	`16`	`+ if (graph.Count == 0)`
`19`	`17`	`{`
`20`	`18`	`return RuleResult.Fail;`
`21`	`19`	`}`
	`20`	`+ if (graph.Count > 1)`
	`21`	`+ {`
	`22`	`+ verboseWriter.LogMessage("Multiple primary signatures exist.");`
	`23`	`+ return RuleResult.Fail;`
	`24`	`+ }`
	`25`	`+ var primary = graph[0];`
`22`	`26`	`if (primary.DigestAlgorithm.Value != KnownOids.SHA1)`
`23`	`27`	`{`
`24`	`28`	`verboseWriter.LogSignatureMessage(primary, $"Expected {nameof(KnownOids.SHA1)} digest algorithm but is {primary.DigestAlgorithm.FriendlyName}.");`