What is the replacement for X509Certificate.CreateFromSignedFile?

[bgrainger]

The following code works under .NET 8 (on Windows) and prints CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US:

var cert = X509Certificate.CreateFromSignedFile(@"C:\Windows\explorer.exe");
Console.WriteLine(cert.Issuer);

Under .NET 9, compiling that code gives the warning:

warning SYSLIB0057: 'X509Certificate.CreateFromSignedFile(string)' is obsolete: 'Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates.' (https://aka.ms/dotnet-warnings/SYSLIB0057)

Firstly, I don't completely understand the warning, because I'm not using a constructor or Import. I'm using a specific factory method already.

I've read #91763, dotnet/docs#41662, and https://learn.microsoft.com/en-us/dotnet/fundamentals/syslib-diagnostics/syslib0057#workaround but I haven't seen a replacement given for this specific method.

X509Certificate2.GetCertContentType(@"C:\Windows\explorer.exe") returns Authenticode.

What is the right, non-obsolete way to check an Authenticode signature in .NET 9?

[bgrainger]

Is the answer to install Microsoft.Security.Extensions and do the following?

using var stream = File.OpenRead(@"C:\Windows\explorer.exe");
var signatureInfo = FileSignatureInfo.GetFromFileStream(stream);
Console.WriteLine(signatureInfo.SigningCertificate.Issuer);

That is, has this functionality moved out of core .NET in .NET 9 and now needs to be supplied by a NuGet package?

[bgrainger]

If this is the recommended answer, then the [Obsolete] message and the docs linked in the OP could be updated to make this much clearer.

[bartonjs]

That package is not the recommended answer, because I don't know where it comes from. It might be fine, I just couldn't establish confidence in its maintenance with 2 minutes of looking.

The recommended answer, if you're wanting to extract the Authenticode signer, is to combine GetCertContentType and the ctor and suppress the warning. The reason CreateFromSignedFile is included in the obsoletion is that it doesn't only load Authenticode, it's always been a poorly named vanity wrapper around the "do everything" constructor (it's just implemented as return new X509Certificate2(path))

private static X509Certificate2 LoadAuthenticode(string path)
{
    if (X509Certificate2.GetCertContentType(path) == X509ContentType.Authenticode)
    {
#pragma warning disable SYSLIB0057
        return new X509Certificate2(path);
#pragma warning restore SYSLIB0057
    }

    throw new CryptographicException();
}

[whiskhub]

But obsoleted methods will get removed at some point, right?
Shouldn’t a X509CertificateLoader.LoadAuthenticode() method be added to the framework?

[bartonjs]

But obsoleted methods will get removed at some point, right?

Not generally. We might hollow out the method (make it throw PlatformNotSupportedException), but generally not "remove". And until we drop support for .NET Framework assemblies using "faith call", or libraries using .NET Standard, we have to expect that people will still be calling these methods as "I'm on an older framework version"... so we won't be hollowing them out.

The reason the methods are obsolete is that more than 95% of callers have a better method to call now.

Shouldn’t a X509CertificateLoader.LoadAuthenticode() method be added to the framework?

Extracting the Authenticode signer cert has turned out to be surprisingly popular, for a feature I didn't know was part of the framework until I owned the code and had to maintain it.

It was part of the original proposal (#91763 (comment), top post, last edit before October 10th 2023):

 // Whatever new X509Certificate2("some.exe") does.
// I think it extracts the SignedCms and then is the same as the next set.
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(byte[] data);
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(ReadOnlySpan<byte> data);
[SupportedOS(Windows)]
public static partial X509Certificate2 LoadAuthenticodeSigner(string path);

When it underwent API Review, we cut all of the things that only worked on one OS (which was always Windows). But perhaps we'll have to reconsider this one for .NET 11.

[chrarnoldus]

until we drop support for .NET Framework assemblies using "faith call", or libraries using .NET Standard

Is this expected to happen eventually or is it just a hypothetical?

[bartonjs]

There is no active plan that I know of to drop support for either of those things; I was just saying that in this case it would be a pre-req. So... "hypothetical".