
What is the replacement for X509Certificate.CreateFromSignedFile? #108740

Answered by bartonjs
bgrainger asked this question in Q&A
Discussion options

The following code works under .NET 8 (on Windows) and prints CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US:

var cert = X509Certificate.CreateFromSignedFile(@"C:\Windows\explorer.exe");
Console.WriteLine(cert.Issuer);

Under .NET 9, compiling that code gives the warning:

warning SYSLIB0057: 'X509Certificate.CreateFromSignedFile(string)' is obsolete: 'Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.' (https://aka.ms/dotnet-warnings/SYSLIB0057)

Firstly, I don't completely understand the warning, because I'm not using a constructor or Import. I'm using a specific factory method already.

I've read #91763, dotnet/docs#41662, and https://learn.microsoft.com/en-us/dotnet/fundamentals/syslib-diagnostics/syslib0057#workaround but I haven't seen a replacement given for this specific method.

X509Certificate2.GetCertContentType(@"C:\Windows\explorer.exe") returns Authenticode.

What is the right, non-obsolete way to check an Authenticode signature in .NET 9?

Replies: 1 comment 8 replies

Comment options

Is the answer to install Microsoft.Security.Extensions and do the following?

using var stream = File.OpenRead(@"C:\Windows\explorer.exe");
var signatureInfo = FileSignatureInfo.GetFromFileStream(stream);
Console.WriteLine(signatureInfo.SigningCertificate.Issuer);

That is, has this functionality moved out of core .NET in .NET 9 and now needs to be supplied by a NuGet package?

Comment options

If this is the recommended answer, then the [Obsolete] message and the docs linked in the OP could be updated to make this much clearer.

Comment options

That package is not the recommended answer, because I don't know where it comes from. It might be fine, I just couldn't establish confidence in its maintenance with 2 minutes of looking.

The recommended answer, if you're wanting to extract the Authenticode signer, is to combine GetCertContentType and the ctor and suppress the warning. The reason CreateFromSignedFile is included in the obsoletion is that it doesn't only load Authenticode; it's always been a poorly named vanity wrapper around the "do everything" constructor (it's just implemented as return new X509Certificate2(path)).

private static X509Certificate2 LoadAuthenticode(string path)
{
    if (X509Certificate2.GetCertContentType(path) == X509ContentType.Authenticode)
    {
#pragma warning disable SYSLIB0057
        return new X509Certificate2(path);
#pragma warning restore SYSLIB0057
    }
    throw new CryptographicException();
}
Answer selected by bartonjs
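As an added illustration (not code from this thread or from the runtime), the accepted pattern above wrapped in a small program that also builds the extracted signer's certificate chain, because pulling the signer out of the PE is not the same as verifying the signature. The class name, the default path and the id-kp-codeSigning application-policy check are my assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class AuthenticodeSigner
{
    // Same gate as the accepted answer: only an Authenticode file goes to the
    // "do everything" constructor (Windows-only for this content type), warning suppressed.
    public static X509Certificate2 LoadAuthenticode(string path)
    {
        if (X509Certificate2.GetCertContentType(path) != X509ContentType.Authenticode)
            throw new CryptographicException($"{path} does not carry an Authenticode signature.");
#pragma warning disable SYSLIB0057
        return new X509Certificate2(path);
#pragma warning restore SYSLIB0057
    }

    // Extracting the signer proves nothing by itself. This builds the signer's chain to a
    // trusted root and requires the code-signing EKU. It still does NOT check that the
    // file's hash matches the signature (that needs WinVerifyTrust or an equivalent),
    // so treat a "true" here as triage, not as proof the binary is unmodified.
    public static bool SignerChainsToTrustedRoot(X509Certificate2 signer, out string reason)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;           // keep it offline
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3"));  // id-kp-codeSigning
        // Signing certs routinely expire after a timestamped signature was made.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
        if (chain.Build(signer)) { reason = "chain built"; return true; }
        reason = string.Join("; ", Array.ConvertAll(chain.ChainStatus,
            s => $"{s.Status}: {s.StatusInformation?.Trim()}"));
        return false;
    }

    static void Main(string[] args)
    {
        // Default path is an assumption; pass any other signed PE as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\Windows\explorer.exe";
        using X509Certificate2 signer = LoadAuthenticode(path);
        Console.WriteLine($"Subject:    {signer.Subject}");
        Console.WriteLine($"Issuer:     {signer.Issuer}");
        Console.WriteLine($"Thumbprint: {signer.Thumbprint}");
        bool trusted = SignerChainsToTrustedRoot(signer, out string reason);
        Console.WriteLine($"Signer chains to trusted root: {trusted} ({reason})");
    }
}
```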
Comment options

But obsoleted methods will get removed at some point, right?
Shouldn’t an X509CertificateLoader.LoadAuthenticode() method be added to the framework?

Comment options

But obsoleted methods will get removed at some point, right?

Not generally. We might hollow out the method (make it throw PlatformNotSupportedException), but generally not "remove". And until we drop support for .NET Framework assemblies using "faith call", or libraries using .NET Standard, we have to expect that people will still be calling these methods as "I'm on an older framework version"... so we won't be hollowing them out.

The reason the methods are obsolete is that more than 95% of callers have a better method to call now.

Shouldn’t an X509CertificateLoader.LoadAuthenticode() method be added to the framework?

Extracting the Authenticode signer cert has turned out to be surprisingly popular, for a feature I didn't know was part of the framework until I owned the code and had to maintain it.

It was part of the original proposal (#91763 (comment), top post, last edit before October 10th 2023):

// Whatever new X509Certificate2("some.exe") does.
// I think it extracts the SignedCms and then is the same as the next set.
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(byte[] data);
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(ReadOnlySpan<byte> data);
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(string path);

When it underwent API Review, we cut all of the things that only worked on one OS (which was always Windows). But perhaps we'll have to reconsider this one for .NET 11.

Comment options

until we drop support for .NET Framework assemblies using "faith call", or libraries using .NET Standard

Is this expected to happen eventually or is it just a hypothetical?

Comment options

There is no active plan that I know of to drop support for either of those things; I was just saying that in this case it would be a pre-req. So... "hypothetical".
