Every day, our CI produces a bunch of DLLs that we need to sign and compare to a reference folder. If they change, we copy the new DLL to the reference.
For this I use C# to call PowerShell's Set-AuthenticodeSignature for signing, and I compare files with MD5 checksum hashes.
My issue is that I don't know how to proceed for this logic.
I can't compare 2 unsigned files because I can only store signed files in my reference.
I can't compare a signed file with an unsigned file because, as far as I know, it's not possible.
I can't compare 2 signed files because the signing timestamp is different for both files, which results in a different hash checksum.
I don't know what my approach should be. Should I store MD5 hashes of the unsigned files for reference to compare files? Or should I create another reference folder of unsigned files?
Or is there simply a way to actually compare two signed files? I found this post where the person tries to unsign the dll before comparing it: https://security.stackexchange.com/questions/262246/how-do-i-compare-a-signed-exe-file-with-the-unsigned-version-of-the-same-exe-f
Do you have any good ideas on how to proceed for this? My best guess is to store MD5 hashes as a second reference, but how do I store them efficiently? I tried mirroring the reference folder with text files "filename.dll.md5" containing the current unsigned hash. But this doesn't seem really efficient, reading and writing 10k+ text files for hash checksums.
I chose to follow a different strategy by using an Alternate Data Stream (ADS).
For each assembly, I store/read the MD5 of the unsigned assembly inside the metadata of the file, which doesn't change the actual checksum of the file.
You can use: File.ReadAllText("path/to/assembly.dll:checksum") and File.WriteAllText("path/to/assembly.dll:checksum") to read and write the metadata
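A compact C# version of the ADS workflow described in this answer, written as an added example (not the poster's code). It assumes Windows/NTFS (an ADS is an NTFS feature and is silently dropped when the file is copied to FAT/exFAT or to many non-Windows shares), .NET 5 or later for Convert.ToHexString, and a caller-supplied `sign` delegate that wraps the Set-AuthenticodeSignature call; the stream name "checksum" is the one from the answer.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not the poster's code. Assumes NTFS: appending ":checksum" to a
// path addresses an Alternate Data Stream named "checksum" on that file.
static class UnsignedHashReference
{
    const string StreamSuffix = ":checksum";

    // Hex MD5 of the file's main data stream (the bytes that get signed/compared).
    public static string ComputeMd5(string path)
    {
        using var md5 = MD5.Create();
        using var fs = File.OpenRead(path);
        return Convert.ToHexString(md5.ComputeHash(fs));
    }

    // Store the hash of the unsigned build in the ADS; the main stream, and
    // therefore the Authenticode signature on it, is untouched.
    public static void RecordUnsignedHash(string referenceDll, string unsignedHash)
        => File.WriteAllText(referenceDll + StreamSuffix, unsignedHash);

    // Returns the stored hash, or null when the ADS is missing (file never
    // recorded, or it came through a copy that dropped alternate streams).
    public static string ReadUnsignedHash(string referenceDll)
    {
        try { return File.ReadAllText(referenceDll + StreamSuffix).Trim(); }
        catch (FileNotFoundException) { return null; }
        catch (DirectoryNotFoundException) { return null; }
    }

    // One freshly built, still unsigned DLL against its signed reference copy.
    // Returns true when the reference was replaced and re-signed.
    public static bool UpdateReferenceIfChanged(string builtDll, string referenceDll,
                                                Action<string> sign)
    {
        string newHash = ComputeMd5(builtDll);
        string stored = ReadUnsignedHash(referenceDll);
        if (string.Equals(stored, newHash, StringComparison.OrdinalIgnoreCase))
            return false;                              // unchanged: keep the signed reference

        File.Copy(builtDll, referenceDll, overwrite: true);
        sign(referenceDll);                            // e.g. Set-AuthenticodeSignature via PowerShell
        RecordUnsignedHash(referenceDll, newHash);     // written last: if signing throws, the
        return true;                                   // stale/missing ADS forces a retry next run
    }
}
```

Because the hash is recorded only after signing succeeds, a failed signing run leaves the reference flagged as changed, so the next CI run redoes the copy and signature instead of trusting a half-updated file.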