
I have a .NET click-once application which, I found out the hard way (user could not install), checks the checksums of its configuration files against checksums in the .exe.manifest as calculated at build-time.

My user could not install; the error message indicated a bad hash. Indeed, the files had been modified.

While debugging the issue, it would have been nice to be able to replicate the checksums on various versions of the configuration files to quickly resolve the issue by publishing the correct one. I'm a Linux user primarily, so I wanted to do it at a Bash prompt. I could not accomplish this.

In the .exe manifest, note the <dsig:DigestValue> tag:

  <file name="config\appsettings\Production.config" size="665">
    <hash>
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>2cwIVAHHyOUgxBtwewfNgPU2YuQ=</dsig:DigestValue>
    </hash>
  </file>

Here was my thought process at the Linux prompt.

  #> sha1sum config/appsettings/Development.config.deploy
  a2c7bf5b7232c1c1aafbf8203a97c0b791179718

Nope, I need base64 obviously, duh:

  #> sha1sum config/appsettings/Development.config.deploy | cut -f1 -d\  | xxd -r -p | base64
  ose/W3IywcGq+/ggOpfAt5EXlxg=

These obviously don't match, so I'm missing something.

Looking for info about the following:

  1. What other magic is used in these hashes
  2. Related to 1, the manifest mentions a "Transform Algorithm". What is that and if that is the missing piece, how is it done? - EDIT: the XML input to the hash is transformed by this algorithm before being passed to the hash algorithm, however in this case the Identity transform is specified, so I still expect the raw SHA1 on the file should be sufficient to produce the checksum.
  3. .deploy suffix? As far as I can tell, the .config at build time and the .config.deploy published to the server are textually identical. If I'm wrong about this, that would be good information.
  4. How would all of this be incorporated using Linux tools?
Wilbur Whateley
  • The transform algorithm is important here, it would seem. This is how the XML is processed before being hashed; i.e. the output of the transform is the input to the hash algorithm. See https://www.w3.org/TR/xmldsig-core/#sec-Transforms. The manifest specifies the `Identity` hash transform, referencing a Microsoft server. – Wilbur Whateley May 31 '16 at 21:36
  • The Identity should pass the input on without change. So from the way the hash is described in the manifest, we should be able to pass the file unaltered to the SHA1 algorithm and reproduce the base64 string shown. Therefore I am still confused about why I can't replicate it. – Wilbur Whateley May 31 '16 at 21:43
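
Added example, not part of the question or its comments: a POSIX shell check that treats each `<dsig:DigestValue>` as base64 of the raw SHA-1 bytes of the unmodified file (what the Identity transform described above implies) and compares it, together with the `size` attribute, against the file that the entry's `name` attribute points to. It assumes the manifest layout shown in the question (one `<file ...>` line followed by its `<dsig:DigestValue>` line); `hex_to_bin`, `clickonce_digest` and `verify_manifest` are names chosen for this example.

```shell
#!/bin/sh
# Added example: recompute ClickOnce <dsig:DigestValue> entries with Linux tools.
# Assumes the manifest layout shown in the question and SHA-1 with the Identity
# transform, i.e. the digest is taken over the file's raw bytes.

# Turn a hex string into raw bytes using only printf (no xxd or openssl needed).
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    rest=${h#??}; pair=${h%"$rest"}
    printf "\\$(printf '%03o' "0x$pair")"   # emit one byte as an octal escape
    h=$rest
  done
}

# base64(SHA-1(raw file bytes)): the form stored in <dsig:DigestValue>.
clickonce_digest() {
  hex_to_bin "$(sha1sum < "$1" | cut -d' ' -f1)" | base64
}

# verify_manifest MANIFEST ROOT: check every <file> entry against the files under
# ROOT; returns non-zero if any file is missing or differs in size or digest.
verify_manifest() {
  rc=0; name=; size=
  while IFS= read -r line; do
    case $line in
      *'<file '*)
        name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        size=$(printf '%s\n' "$line" | sed -n 's/.*size="\([^"]*\)".*/\1/p') ;;
      *'<dsig:DigestValue>'*)
        [ -n "$name" ] || continue   # DigestValue not preceded by a <file> line
        want=$(printf '%s\n' "$line" | sed -n 's/.*<dsig:DigestValue>\([^<]*\)<.*/\1/p')
        f=$2/$(printf '%s' "$name" | tr '\\' '/')   # manifest paths use backslashes
        [ -f "$f" ] || f=$f.deploy                  # published copies carry .deploy
        if [ ! -f "$f" ]; then
          echo "MISSING  $name"; rc=1
        else
          got=$(clickonce_digest "$f"); bytes=$(( $(wc -c < "$f") ))
          if [ "$got" = "$want" ] && [ "$bytes" = "$size" ]; then
            echo "OK       $name"
          else
            echo "MISMATCH $name size=$bytes/$size digest=$got/$want"; rc=1
          fi
        fi
        name= ;;
    esac
  done < "$1"
  return $rc
}
```

A `MISMATCH` line where the byte count also differs from `size` points to a file whose content changed after the build, for example through line-ending conversion or an edit on the server.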

0 Answers