Configuration processor auditing improvements

.github/actions/spelling/allow.txt

@@ -357,6 +357,7 @@ testsettingname
 TEXTFORMAT
 TEXTINCLUDE
 threadpool
+TOCTOU
 tpl
 TRACELOGGING
 triaged

.github/actions/spelling/expect.txt

@@ -25,6 +25,7 @@ apfn
 apicontract
 apiset
 appdata
+APPEXECLINK
 appinstallertest
 applic
 appname
@@ -190,6 +191,7 @@ FONTHASH
 FORPARSING
 foundfr
 fsanitize
+Fsctl
 FULLMUTEX
 FULLWIDTH
 fundraiser
@@ -281,6 +283,7 @@ Kaido
 KNOWNFOLDERID
 kool
 ktf
+LASTEXITCODE
 LCID
 learnxinyminutes
 LEBOM
@@ -521,6 +524,7 @@ SETTINGCHANGE
 SETTINGMAPPING
 sfs
 sfsclient
+SGNR
 SHCONTF
 shellapi
 SHGDN
@@ -621,6 +625,7 @@ VERSIONINFO
 vns
 vsconfig
 vstest
+vswhere
 waitable
 wal
 wcex
@@ -648,6 +653,7 @@ wingetutil
 winreg
 winrtact
 winstring
+wintrust
 WMI
 wmmc
 wnd
@@ -663,6 +669,7 @@ wsb
 wsl
 wsv
 wto
+WVT
 wwinmain
 WZDNCRFJ
 xcopy

doc/windows/package-manager/winget/returnCodes.md

@@ -233,3 +233,4 @@ ms.localizationpriority: medium
 | 0x8A15C110 | -1978285814 | WINGET_CONFIG_ERROR_UNIT_SETTING_CONFIG_ROOT | A unit contains a setting that requires the config root. |
 | 0x8A15C111 | -1978285813 | WINGET_CONFIG_ERROR_UNIT_IMPORT_MODULE_ADMIN | Loading the module for the configuration unit failed because it requires administrator privileges to run. |
 | 0x8A15C112 | -1978285812 | WINGET_CONFIG_ERROR_NOT_SUPPORTED_BY_PROCESSOR | Operation is not supported by the configuration processor. |
+| 0x8A15C113 | -1978285811 | WINGET_CONFIG_ERROR_PROCESSOR_HASH_MISMATCH | The DSC processor hash provided does not match hash of the target file. |

src/AppInstallerCLI.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
-VisualStudioVersion = 17.14.36915.13 d17.14
+VisualStudioVersion = 17.14.36915.13
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{C7167F0D-BC9F-4E6E-AFE1-012C56B48DB5}") = "AppInstallerCLIPackage", "AppInstallerCLIPackage\AppInstallerCLIPackage.wapproj", "{6AA3791A-0713-4548-A357-87A323E7AC3A}"
 	ProjectSection(ProjectDependencies) = postProject
@@ -40,7 +40,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Project", "Project", "{8D53
 		Get-VcxprojNugetPackageVersions.ps1 = Get-VcxprojNugetPackageVersions.ps1
 		..\README.md = ..\README.md
 		..\doc\ReleaseNotes.md = ..\doc\ReleaseNotes.md
-		..\doc\Settings.md = ..\doc\Settings.md
 		Update-VcxprojNugetPackageVersions.ps1 = Update-VcxprojNugetPackageVersions.ps1
 		..\WinGetInProcCom.nuspec = ..\WinGetInProcCom.nuspec
 		..\WinGetUtil.nuspec = ..\WinGetUtil.nuspec
@@ -242,6 +241,12 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "copilot", "copilot", "{B978
 		..\.github\copilot-instructions.md = ..\.github\copilot-instructions.md
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "doc", "doc", "{3FF6C881-2548-486E-8D70-7555A90030F5}"
+	ProjectSection(SolutionItems) = preProject
+		..\doc\windows\package-manager\winget\returnCodes.md = ..\doc\windows\package-manager\winget\returnCodes.md
+		..\doc\Settings.md = ..\doc\Settings.md
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM64 = Debug|ARM64
@@ -1114,6 +1119,7 @@ Global
 		{40D7CA7F-EB86-4345-9641-AD27180C559D} = {7C218A3E-9BC8-48FF-B91B-BCACD828C0C9}
 		{5421394F-5619-4E4B-8923-F3FB30D5EFAD} = {7C218A3E-9BC8-48FF-B91B-BCACD828C0C9}
 		{B978E358-D2BE-4FA7-A21A-6661F3744DD7} = {8D53D749-D51C-46F8-A162-9371AAA6C2E7}
+		{3FF6C881-2548-486E-8D70-7555A90030F5} = {8D53D749-D51C-46F8-A162-9371AAA6C2E7}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {B6FDB70C-A751-422C-ACD1-E35419495857}

src/AppInstallerCLICore/Commands/DebugCommand.cpp

@@ -8,6 +8,7 @@
 #include <winrt/Microsoft.Management.Configuration.SetProcessorFactory.h>
 #include "AppInstallerDownloader.h"
 #include "Sixel.h"
+#include <winget/Certificates.h>
 
 using namespace AppInstaller::CLI::Execution;
 
@@ -62,6 +63,7 @@ namespace AppInstaller::CLI
             std::make_unique<DumpErrorResourceCommand>(FullName()),
             std::make_unique<ShowSixelCommand>(FullName()),
             std::make_unique<ProgressCommand>(FullName()),
+            std::make_unique<GetSignerCommand>(FullName()),
         });
     }
 
@@ -365,6 +367,30 @@ namespace AppInstaller::CLI
             context.Reporter.Info() << context.Args.GetArg(WINGET_DEBUG_PROGRESS_POST) << std::endl;
         }
     }
+
+    std::vector<Argument> GetSignerCommand::GetArguments() const
+    {
+        return {
+            Argument{ "file", 'f', Args::Type::Manifest, Resource::String::SourceListUpdatedNever, ArgumentType::Positional },
+        };
+    }
+
+    Resource::LocString GetSignerCommand::ShortDescription() const
+    {
+        return Utility::LocIndString("Get signer information"sv);
+    }
+
+    Resource::LocString GetSignerCommand::LongDescription() const
+    {
+        return Utility::LocIndString("Gets the signing information for a given path."sv);
+    }
+
+    void GetSignerCommand::ExecuteInternal(Execution::Context& context) const
+    {
+        std::string subject = Certificates::GetAuthenticodeSubject(context.Args.GetArg(Args::Type::Manifest));
+
+        context.Reporter.Info() << "Subject: " << subject << std::endl;
+    }
 }
 
 #endif

src/AppInstallerCLICore/Commands/DebugCommand.h

@@ -85,6 +85,20 @@ namespace AppInstaller::CLI
     protected:
         void ExecuteInternal(Execution::Context& context) const override;
     };
+
+    // Invokes signing information collection for a path.
+    struct GetSignerCommand final : public Command
+    {
+        GetSignerCommand(std::string_view parent) : Command("get-signer", {}, parent) {}
+
+        std::vector<Argument> GetArguments() const override;
+
+        Resource::LocString ShortDescription() const override;
+        Resource::LocString LongDescription() const override;
+
+    protected:
+        void ExecuteInternal(Execution::Context& context) const override;
+    };
 }
 
 #endif

src/AppInstallerCLICore/ConfigurationDynamicRuntimeFactory.cpp

@@ -341,10 +341,12 @@ namespace AppInstaller::CLI::ConfigurationRemoting
                 {
                     winrt::hstring dscExecutablePathPropertyName = ToHString(PropertyName::DscExecutablePath);
                     std::optional<winrt::hstring> dscExecutablePath = m_dynamicFactory->GetFactoryMapValue(dscExecutablePathPropertyName);
+                    bool usingFoundPath = false;
 
                     if (!dscExecutablePath)
                     {
                         dscExecutablePath = m_dynamicFactory->Lookup(ToHString(PropertyName::FoundDscExecutablePath));
+                        usingFoundPath = true;
                     }
 
                     if (dscExecutablePath->empty())
@@ -355,6 +357,37 @@ namespace AppInstaller::CLI::ConfigurationRemoting
                     }
 
                     json["processorPath"] = Utility::ConvertToUTF8(dscExecutablePath.value());
+
+                    if (usingFoundPath)
+                    {
+                        // FoundDscExecutablePathHash/IsAlias are computed on the remote side alongside FoundDscExecutablePath.
+                        winrt::hstring pathHash = m_dynamicFactory->Lookup(ToHString(PropertyName::FoundDscExecutablePathHash));
+                        if (!pathHash.empty())
+                        {
+                            json["processorPathHash"] = Utility::ConvertToUTF8(pathHash);
+                        }
+
+                        winrt::hstring pathIsAlias = m_dynamicFactory->Lookup(ToHString(PropertyName::FoundDscExecutablePathIsAlias));
+                        if (!pathIsAlias.empty())
+                        {
+                            json["processorPathIsAlias"] = (pathIsAlias == L"True");
+                        }
+                    }
+                    else
+                    {
+                        // DscExecutablePathHash/IsAlias are set locally via the audit block.
+                        auto pathHash = m_dynamicFactory->GetFactoryMapValue(ToHString(PropertyName::DscExecutablePathHash));
+                        if (pathHash)
+                        {
+                            json["processorPathHash"] = Utility::ConvertToUTF8(pathHash.value());
+                        }
+
+                        auto pathIsAlias = m_dynamicFactory->GetFactoryMapValue(ToHString(PropertyName::DscExecutablePathIsAlias));
+                        if (pathIsAlias)
+                        {
+                            json["processorPathIsAlias"] = (pathIsAlias.value() == L"true");
+                        }
+                    }
                 }
 
                 Json::StreamWriterBuilder writerBuilder;

src/AppInstallerCLICore/ConfigurationSetProcessorFactoryRemoting.cpp

@@ -381,8 +381,11 @@ namespace AppInstaller::CLI::ConfigurationRemoting
         case PropertyName::FoundDscExecutablePath: return L"FoundDscExecutablePath";
         case PropertyName::DiagnosticTraceEnabled: return L"DiagnosticTraceEnabled";
         case PropertyName::FindDscStateMachine: return L"FindDscStateMachine";
+        case PropertyName::DscExecutablePathHash: return L"DscExecutablePathHash";
+        case PropertyName::DscExecutablePathIsAlias: return L"DscExecutablePathIsAlias";
+        case PropertyName::FoundDscExecutablePathHash: return L"FoundDscExecutablePathHash";
+        case PropertyName::FoundDscExecutablePathIsAlias: return L"FoundDscExecutablePathIsAlias";
         }
-
         THROW_HR(E_UNEXPECTED);
     }
 }

src/AppInstallerCLICore/Public/ConfigurationSetProcessorFactoryRemoting.h

@@ -44,6 +44,22 @@ namespace AppInstaller::CLI::ConfigurationRemoting
         // We must respond to the value it returns to properly transition states.
         // Read only.
         FindDscStateMachine,
+        // The SHA256 hash of the DscExecutablePath content: file bytes for regular executables, or
+        // raw reparse data buffer bytes for app execution aliases.
+        // Must be set alongside DscExecutablePath when a custom processor path is used.
+        // Read / Write
+        DscExecutablePathHash,
+        // Whether DscExecutablePath refers to an app execution alias
+        // (e.g., a path under %LOCALAPPDATA%\Microsoft\WindowsApps).
+        // Read / Write
+        DscExecutablePathIsAlias,
+        // The SHA256 hash of the FoundDscExecutablePath content.
+        // Computed alongside FoundDscExecutablePath; available after FoundDscExecutablePath is queried.
+        // Read only.
+        FoundDscExecutablePathHash,
+        // Whether FoundDscExecutablePath refers to an app execution alias.
+        // Read only.
+        FoundDscExecutablePathIsAlias,
     };
 
     // Gets the string for a property name.

src/AppInstallerCLICore/Resources.h

@@ -102,6 +102,13 @@ namespace AppInstaller::CLI::Resource
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationNoTestRun);
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationNotInDesiredState);
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPath);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAudit);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAuditHash);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAuditIsAlias);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAuditPath);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAuditSignature);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathAuditUnsigned);
+        WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationProcessorPathHashVerificationFailed);
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationReadingConfigFile);
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationSetStateCompleted);
         WINGET_DEFINE_RESOURCE_STRINGID(ConfigurationSetStateInProgress);