I have a .NET click-once application which, I found out the hard way (user could not install), checks the checksums of its configuration files against checksums in the .exe.manifest as calculated at build-time.
My user could not install; the error message indicated a bad hash. Indeed, the files had been modified.
While debugging the issue, it would have been nice to be able to replicate the checksums on various versions of the configuration files to quickly resolve the issue by publishing the correct one. I'm a Linux user primarily, so I wanted to do it at a Bash prompt. I could not accomplish this.
In the .exe manifest, note the <dsig:DigestValue> tag:

<file name="config\appsettings\Production.config" size="665">
  <hash>
    <dsig:Transforms>
      <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>2cwIVAHHyOUgxBtwewfNgPU2YuQ=</dsig:DigestValue>
  </hash>
</file>

Here was my thought process at the Linux prompt.
#> sha1sum config/appsettings/Development.config.deploy
a2c7bf5b7232c1c1aafbf8203a97c0b791179718
Nope, I need base64 obviously, duh:
#> sha1sum config/appsettings/Development.config.deploy | cut -f1 -d\ | xxd -r -p | base64
ose/W3IywcGq+/ggOpfAt5EXlxg=
These obviously don't match, so I'm missing something.
Looking for info about the following:
- What other magic is used in these hashes
- Related to 1, the manifest mentions a "Transform Algorithm". What is that and if that is the missing piece, how is it done? - EDIT: the XML input to the hash is transformed by this algorithm before being passed to the hash algorithm; however, in this case the Identity transform is specified, so I still expect the raw SHA1 on the file should be sufficient to produce the checksum.
- .deploy suffix? As far as I can tell, the .config at build time and the .config.deploy published to the server are textually identical. If I'm wrong about this, that would be good information.
- How would all of this be incorporated using Linux tools?
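
Added example, not part of the original question: a Python script for a Linux prompt that walks every `<file>` entry in a manifest shaped like the one quoted above and compares the recorded size and digest with the published file. It assumes that, with the Identity transform, `DigestValue` is the base64 of the digest over the file's raw bytes (the expectation stated in the question) and that published files sit under one root directory with the `.deploy` suffix; the function names and the `sha256` mapping are this example's own.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# DigestMethod URI fragment -> hashlib name (sha256 goes beyond what the page shows).
ALGOS = {"sha1": "sha1", "sha256": "sha256"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def digest_b64(path, algo="sha1"):
    """Base64 of the raw digest bytes (same result as sha1sum | xxd -r -p | base64)."""
    return base64.b64encode(hashlib.new(algo, Path(path).read_bytes()).digest()).decode()


def check_manifest(manifest, root, suffix=".deploy"):
    """Return [(name, status)] for every <file> entry that carries a DigestValue."""
    results = []
    for el in ET.parse(manifest).iter():
        fields = {local(c.tag): c for c in el.iter()}
        if local(el.tag) != "file" or "DigestValue" not in fields:
            continue
        name, size = el.get("name"), el.get("size")
        # Manifest paths use backslashes; published files carry the suffix.
        path = Path(root, *name.split("\\"))
        path = path.with_name(path.name + suffix)
        frag = fields["DigestMethod"].get("Algorithm").rsplit("#", 1)[-1]
        if not path.is_file():
            status = "missing"
        elif frag not in ALGOS:
            status = "unsupported digest " + frag
        elif size and path.stat().st_size != int(size):
            # A size difference exposes byte-level edits that look identical as text.
            status = "size mismatch (%d bytes on disk)" % path.stat().st_size
        elif digest_b64(path, ALGOS[frag]) != fields["DigestValue"].text.strip():
            status = "hash mismatch"
        else:
            status = "ok"
        results.append((name, status))
    return results


if __name__ == "__main__" and len(sys.argv) == 3:  # args: manifest path, publish root
    for name, status in check_manifest(sys.argv[1], sys.argv[2]):
        print(status, name, sep="\t")
```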