code: add cert export option to sign code command

Add option to export the certificate used to sign code to all `code`
commands, using the Exporter.

Author: mjcheetham

src/Sign.Cli/CodeCommand.cs

@@ -31,6 +31,7 @@ internal sealed class CodeCommand : Command
         internal Option<HashAlgorithmName> TimestampDigestOption { get; } = new(["--timestamp-digest", "-td"], HashAlgorithmParser.ParseHashAlgorithmName, description: Resources.TimestampDigestOptionDescription);
         internal Option<Uri?> TimestampUrlOption { get; } = new(["--timestamp-url", "-t"], ParseUrl, description: Resources.TimestampUrlOptionDescription);
         internal Option<LogLevel> VerbosityOption { get; } = new(["--verbosity", "-v"], () => LogLevel.Warning, Resources.VerbosityOptionDescription);
+        internal Option<string> CertificateExportOption { get; } = new(["--certificate-export-path", "-co"], Resources.CertificateExportOptionDescription);
 
         internal CodeCommand()
             : base("code", Resources.CodeCommandDescription)
@@ -56,9 +57,11 @@ internal CodeCommand()
             AddGlobalOption(TimestampDigestOption);
             AddGlobalOption(MaxConcurrencyOption);
             AddGlobalOption(VerbosityOption);
+            AddGlobalOption(CertificateExportOption);
         }
 
-        internal async Task HandleAsync(InvocationContext context, IServiceProviderFactory serviceProviderFactory, ISignatureProvider signatureProvider, string fileArgument)
+        internal async Task HandleAsync(InvocationContext context, IServiceProviderFactory serviceProviderFactory,
+            ISignatureProvider signatureProvider, string fileArgument)
         {
             // Some of the options have a default value and that is why we can safely use
             // the null-forgiving operator (!) to simplify the code.
@@ -74,6 +77,7 @@ internal async Task HandleAsync(InvocationContext context, IServiceProviderFacto
             LogLevel verbosity = context.ParseResult.GetValueForOption(VerbosityOption);
             string? output = context.ParseResult.GetValueForOption(OutputOption);
             int maxConcurrency = context.ParseResult.GetValueForOption(MaxConcurrencyOption);
+            string? certificateExportPath = context.ParseResult.GetValueForOption(CertificateExportOption);
 
             // Make sure this is rooted
             if (!Path.IsPathRooted(baseDirectory.FullName))
@@ -184,7 +188,8 @@ internal async Task HandleAsync(InvocationContext context, IServiceProviderFacto
                 timestampUrl,
                 maxConcurrency,
                 fileHashAlgorithmName,
-                timestampHashAlgorithmName);
+                timestampHashAlgorithmName,
+                certificateExportPath);
         }
 
         private static string ExpandFilePath(DirectoryInfo baseDirectory, string file)

src/Sign.Cli/Resources.Designer.cs

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <root>
   <!-- 
     Microsoft ResX Schema 
@@ -123,6 +123,9 @@
   <data name="BaseDirectoryOptionDescription" xml:space="preserve">
     <value>Base directory for files.  Overrides the current working directory.</value>
   </data>
+  <data name="CertificateExportOptionDescription" xml:space="preserve">
+      <value>Path to export certificate.</value>
+  </data>
   <data name="CertificateStoreCommandDescription" xml:space="preserve">
     <value>Use Windows Certificate Store or a local certificate file.</value>
   </data>

src/Sign.Cli/Resources.resx

@@ -20,6 +20,7 @@ Task<int> SignAsync(
             Uri timestampUrl,
             int maxConcurrency,
             HashAlgorithmName fileHashAlgorithm,
-            HashAlgorithmName timestampHashAlgorithm);
+            HashAlgorithmName timestampHashAlgorithm,
+            string? certificateExportPath);
     }
-}
+}

src/Sign.Core/ISigner.cs

@@ -39,7 +39,8 @@ public async Task<int> SignAsync(
             Uri timestampUrl,
             int maxConcurrency,
             HashAlgorithmName fileHashAlgorithm,
-            HashAlgorithmName timestampHashAlgorithm)
+            HashAlgorithmName timestampHashAlgorithm,
+            string? certificateExportPath)
         {
             IAggregatingDataFormatSigner signer = _serviceProvider.GetRequiredService<IAggregatingDataFormatSigner>();
             IDirectoryService directoryService = _serviceProvider.GetRequiredService<IDirectoryService>();
@@ -76,6 +77,12 @@ public async Task<int> SignAsync(
             {
                 using (X509Certificate2 certificate = await certificateProvider.GetCertificateAsync())
                 {
+                    if (!string.IsNullOrWhiteSpace(certificateExportPath))
+                    {
+                        IExporter exporter = _serviceProvider.GetRequiredService<IExporter>();
+                        await exporter.ExportAsync(certificateExportPath);
+                    }
+
                     ICertificateVerifier certificateVerifier = _serviceProvider.GetRequiredService<ICertificateVerifier>();
 
                     certificateVerifier.Verify(certificate);
@@ -186,4 +193,4 @@ private static string ExpandFilePath(DirectoryInfo baseDirectory, string file)
             return file;
         }
     }
-}
+}

src/Sign.Core/Signer.cs

@@ -21,6 +21,7 @@ internal sealed class SignerSpy : ISigner
         internal int? MaxConcurrency { get; private set; }
         internal HashAlgorithmName? FileHashAlgorithm { get; private set; }
         internal HashAlgorithmName? TimestampHashAlgorithm { get; private set; }
+        internal string? CertificateExportPath { get; private set; }
         internal int ExitCode { get; }
 
         internal SignerSpy()
@@ -40,7 +41,8 @@ public Task<int> SignAsync(
             Uri timestampUrl,
             int maxConcurrency,
             HashAlgorithmName fileHashAlgorithm,
-            HashAlgorithmName timestampHashAlgorithm)
+            HashAlgorithmName timestampHashAlgorithm,
+            string? certificateExportPath)
         {
             InputFiles = inputFiles;
             OutputFile = outputFile;
@@ -54,8 +56,9 @@ public Task<int> SignAsync(
             MaxConcurrency = maxConcurrency;
             FileHashAlgorithm = fileHashAlgorithm;
             TimestampHashAlgorithm = timestampHashAlgorithm;
+            CertificateExportPath = certificateExportPath;
 
             return Task.FromResult(ExitCode);
         }
     }
-}
+}

test/Sign.Cli.Test/TestInfrastructure/SignerSpy.cs

@@ -260,7 +260,8 @@ private async Task SignAsync(TemporaryDirectory temporaryDirectory, IReadOnlyLis
                 _certificatesFixture.TimestampServiceUrl,
                 maxConcurrency: 4,
                 HashAlgorithmName.SHA256,
-                HashAlgorithmName.SHA256);
+                HashAlgorithmName.SHA256,
+                null);
 
             Assert.Equal(ExitCode.Success, exitCode);
 
@@ -624,4 +625,4 @@ private static void RegisterSipsFromIniFile()
             Kernel32.LoadLibraryW($@"{baseDirectory}\mssign32.dll");
         }
     }
-}
+}