From f1424575362624c08220f2693106ba9d0c082701 Mon Sep 17 00:00:00 2001
From: Ella Hathaway <ellahathaway@microsoft.com>
Date: Mon, 4 Nov 2024 22:41:25 +0000
Subject: [PATCH 1/5] Sign .deb files

---
 .../tools/Sign.props                          |   1 +
 .../FakeSignTool.cs                           |   5 ++
 .../Resources/test.deb                        | Bin 0 -> 678 bytes
 .../SignToolTests.cs                          |  40 +++++++++-
 .../src/BatchSignUtil.cs                      |  20 +++++
 .../src/Configuration.cs                      |  12 +++
 .../src/FileSignInfo.cs                       |   5 ++
 .../src/RealSignTool.cs                       |   5 ++
 src/Microsoft.DotNet.SignTool/src/SignTool.cs |   1 +
 .../src/SignToolConstants.cs                  |   5 +-
 .../src/ValidationOnlySignTool.cs             |   3 +
 .../src/VerifySignatures.cs                   |  73 ++++++++++++++++++
 12 files changed, 168 insertions(+), 2 deletions(-)
 create mode 100644 src/Microsoft.DotNet.SignTool.Tests/Resources/test.deb

diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
index fa601f085e1..1169cb81e7b 100644
--- a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
+++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
@@ -50,6 +50,7 @@
       a public key token.
       The certificate can be overriden using the StrongNameSignInfo or the FileSignInfo item group.
     -->
+    <FileExtensionSignInfo Include=".deb" CertificateName="LinuxSign" />
     <FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJARSHA2" />
     <FileExtensionSignInfo Include=".js;.ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
     <FileExtensionSignInfo Include=".dll;.exe;.mibc" CertificateName="Microsoft400" />
diff --git a/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs b/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
index 0e0179b0264..359c28ed057 100644
--- a/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
+++ b/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
@@ -60,6 +60,11 @@ private static void SignPEFile(string path)
             }
         }
 
+        public override bool VerifySignedDeb(string filePath)
+        {
+            return true;
+        }
+
         public override bool VerifySignedPowerShellFile(string filePath)
         {
             return true;
diff --git a/src/Microsoft.DotNet.SignTool.Tests/Resources/test.deb b/src/Microsoft.DotNet.SignTool.Tests/Resources/test.deb
new file mode 100644
index 0000000000000000000000000000000000000000..e6f2d8af44a9c525930a05a5e263fd7d21bdfac3
GIT binary patch
literal 678
zcmY$iNi0gvu;WTeP0CEn(@o0EODw8XP*5;5H#RUgH8(XfR8TMg@?oT*fq|KciGl(U
zK|unSk)8opa(-S(QGSkINn(*+dKF>)Mi%C9{qo%$3?RV7{PyB~ufql+Y#-vDYn~G>
z@%`^K@!^5!#03@emmb%>VXErsc>ms(WR9k)P{%)YTb7))v}D;=GI@<&_pDV>*Is<y
zRdagN#LBod*LlbPE<5?EWz`dLA3F{ADHhp>%WLhg{$EkD_^rU4x8djZ>z&sBtpDkk
z^8cOwr<{)cF@Cat*WOF|uTJQ)esi?h`1u&0?nx72{xyd`6$i{adQbATPeu00zR%lU
z9X<DQGUvwZqQZt()rITN2s}EyZfQiQ?B%mIKc>ZBt$bs7_1hlN@;6(JAE*B4+cVSq
zG;7A5821a0PgZpG@0!*xvwYP7*`>1b>w3TB+%3Aq<1VFc9(CSMloRZKB;vsS4}8mF
zgB~+zFfeeXB$gz?0~Q!+gyP1~5^LCA-pzMNLBb*NnH}rZt0%U8;@a0(yxKR*N#*6!
zziVY>OJ3<(-v1<=U|kTFR8}R@l{9Pdd&{-G{Kul!uPuID$6>`0*}=*a8^0~6%WUbt
z>wD{;TbG78UtiVx)qK~6S^rLd?SC2Pwsr2mXGuDLr@xE0jn8`fPw&UZ{iTin_j~<c
z)@P`D_x|kl|ISJ4FIo2gP2bNcd$o3}t$y!2sr~hH);Ujfw|<-`Z^VcQgB#7}tp$(F
H!65(u#&#8K

literal 0
HcmV?d00001

diff --git a/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs b/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
index 00fffa0dc65..9c24ef7a1e9 100644
--- a/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
+++ b/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
@@ -31,6 +31,7 @@ public class SignToolTests : IDisposable
             {".psm1",  new List<SignInfo>{ new SignInfo("PSMCertificate") } },
             {".psc1",   new List<SignInfo>{ new SignInfo("PSCCertificate") } },
             {".dylib", new List<SignInfo>{ new SignInfo("DylibCertificate") } },
+            {".deb", new List<SignInfo>{ new SignInfo("LinuxSign") } },
             {".dll",  new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
             {".exe",  new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
             {".msi",  new List<SignInfo>{ new SignInfo("Microsoft400") } }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
@@ -51,6 +52,7 @@ public class SignToolTests : IDisposable
             { ".psm1", new List<SignInfo>{ new SignInfo("PSMCertificate", collisionPriorityId: "123") } },
             { ".psc1", new List<SignInfo>{ new SignInfo("PSCCertificate", collisionPriorityId: "123") } },
             { ".dylib", new List<SignInfo>{ new SignInfo("DylibCertificate", collisionPriorityId: "123") } },
+            { ".deb", new List<SignInfo>{ new SignInfo("LinuxSign", collisionPriorityId: "123") } },
             { ".dll", new List<SignInfo>
                 { 
                     new SignInfo("Microsoft400", collisionPriorityId: "123"), // lgtm [cs/common-default-passwords] Safe, these are certificate names
@@ -97,6 +99,10 @@ public class SignToolTests : IDisposable
                 { "CertificateName", "DylibCertificate" },
                 { SignToolConstants.CollisionPriorityId, "123" }
             }),
+            new TaskItem(".deb", new Dictionary<string, string> {
+                { "CertificateName", "LinuxSign" },
+                { SignToolConstants.CollisionPriorityId, "123" }
+            }),
             new TaskItem(".dll", new Dictionary<string, string> {
                 { "CertificateName", "Microsoft400" }, // lgtm [cs/common-default-passwords] Safe, these are certificate names
                 { SignToolConstants.CollisionPriorityId, "123" }
@@ -231,7 +237,9 @@ public class SignToolTests : IDisposable
             ".esd",
 
             ".py",
-            ".pyd"
+            ".pyd",
+
+            ".deb",
         };
 
         public static IEnumerable<object[]> GetSignableExtensions()
@@ -1206,6 +1214,36 @@ public void SignedSymbolsNupkg()
             });
         }
 
+        [Fact]
+        public void CheckDebSigning()
+        {
+            // List of files to be considered for signing
+            var itemsToSign = new ITaskItem[]
+            {
+                new TaskItem(GetResourcePath("test.deb"))
+            };
+
+            // Default signing information
+            var strongNameSignInfo = new Dictionary<string, List<SignInfo>>();
+
+            // Overriding information
+            var fileSignInfo = new Dictionary<ExplicitCertificateKey, string>();
+
+            ValidateFileSignInfos(itemsToSign, strongNameSignInfo, fileSignInfo, s_fileExtensionSignInfo, new[]
+            {
+                "File 'test.deb' Certificate='LinuxSign'"
+            });
+
+            ValidateGeneratedProject(itemsToSign, strongNameSignInfo, fileSignInfo, s_fileExtensionSignInfo, new[]
+            {
+$@"
+<FilesToSign Include=""{Uri.EscapeDataString(Path.Combine(_tmpDir, "test.deb"))}"">
+  <Authenticode>LinuxSign</Authenticode>
+</FilesToSign>
+"
+            });
+        }
+
         [Fact]
         public void CheckPowershellSigning()
         {
diff --git a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
index 65fec4b7c29..1949f7b3c36 100644
--- a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
+++ b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
@@ -495,6 +495,17 @@ private void VerifyCertificates(TaskLoggingHelper log)
                         log.LogError($"VSIX {fileName} cannot be strong name signed.");
                     }
                 }
+                else if (fileName.IsDeb())
+                {
+                    if (isInvalidEmptyCertificate)
+                    {
+                        log.LogError($"Deb package {fileName} should have a certificate name.");
+                    }
+                    if (!IsLinuxSignCertificate(fileName.SignInfo.Certificate))
+                    {
+                        log.LogError($"Deb package {fileName} must be signed with a LinuxSign certificate.");
+                    }
+                }
                 else if (fileName.IsNupkg())
                 {
                     if(isInvalidEmptyCertificate)
@@ -550,6 +561,13 @@ private void VerifyAfterSign(FileSignInfo file)
                     }
                 }
             }
+            else if (file.IsDeb())
+            {
+                if (!_signTool.VerifySignedDeb(file.FullPath))
+                {
+                    _log.LogError($"Deb package {file.FullPath} is not signed properly.");
+                }
+            }
             else if (file.IsPowerShellScript())
             {
                 if (!_signTool.VerifySignedPowerShellFile(file.FullPath))
@@ -621,5 +639,7 @@ private void VerifyStrongNameSigning()
         }
 
         private static bool IsVsixCertificate(string certificate) => certificate.StartsWith("Vsix", StringComparison.OrdinalIgnoreCase);
+
+        private static bool IsLinuxSignCertificate(string certificate) => certificate.StartsWith("LinuxSign", StringComparison.OrdinalIgnoreCase);
     }
 }
diff --git a/src/Microsoft.DotNet.SignTool/src/Configuration.cs b/src/Microsoft.DotNet.SignTool/src/Configuration.cs
index 7f133f856f2..5b490996c0d 100644
--- a/src/Microsoft.DotNet.SignTool/src/Configuration.cs
+++ b/src/Microsoft.DotNet.SignTool/src/Configuration.cs
@@ -418,6 +418,18 @@ private FileSignInfo ExtractSignInfo(
                     _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is digitally signed.");
                 }
             }
+            else if(FileSignInfo.IsDeb(file.FullPath))
+            {
+                isAlreadySigned = VerifySignatures.VerifySignedDeb(file.FullPath);
+                if (!isAlreadySigned)
+                {
+                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not signed.");
+                }
+                else
+                {
+                    _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is signed.");
+                }
+            }
             else if(FileSignInfo.IsPowerShellScript(file.FullPath))
             {
                 isAlreadySigned = VerifySignatures.VerifySignedPowerShellFile(file.FullPath);
diff --git a/src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs b/src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs
index 5aa0b17c4af..0caf8dff9ce 100644
--- a/src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs
+++ b/src/Microsoft.DotNet.SignTool/src/FileSignInfo.cs
@@ -21,6 +21,9 @@ internal readonly struct FileSignInfo
         // optional file information that allows to disambiguate among multiple files with the same name:
         internal readonly string TargetFramework;
 
+        internal static bool IsDeb(string path)
+            => Path.GetExtension(path) == ".deb";
+
         internal static bool IsPEFile(string path)
             => Path.GetExtension(path) == ".exe" || Path.GetExtension(path) == ".dll";
 
@@ -59,6 +62,8 @@ internal static bool IsPackage(string path)
         internal static bool IsZipContainer(string path)
             => IsPackage(path) || IsMPack(path) || IsZip(path) || IsTarGZip(path);
 
+        internal bool IsDeb() => IsDeb(FileName);
+
         internal bool IsPEFile() => IsPEFile(FileName);
 
         internal bool IsManaged() => ContentUtil.IsManaged(FullPath);
diff --git a/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs b/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
index a2fd51992a3..b1e3ca6cc44 100644
--- a/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
@@ -129,6 +129,11 @@ public override bool VerifyStrongNameSign(string fileFullPath)
             return process.ExitCode == 0;
         }
 
+        public override bool VerifySignedDeb(string filePath)
+        {
+            return VerifySignatures.VerifySignedDeb(filePath);
+        }
+
         public override bool VerifySignedPowerShellFile(string filePath)
         {
             return VerifySignatures.VerifySignedPowerShellFile(filePath);
diff --git a/src/Microsoft.DotNet.SignTool/src/SignTool.cs b/src/Microsoft.DotNet.SignTool/src/SignTool.cs
index cc7859f3005..8f04e36b7da 100644
--- a/src/Microsoft.DotNet.SignTool/src/SignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/SignTool.cs
@@ -32,6 +32,7 @@ internal SignTool(SignToolArgs args, TaskLoggingHelper log)
 
         public abstract bool LocalStrongNameSign(IBuildEngine buildEngine, int round, IEnumerable<FileSignInfo> files);
 
+        public abstract bool VerifySignedDeb(string filePath);
         public abstract bool VerifySignedPEFile(Stream stream);
         public abstract bool VerifySignedPowerShellFile(string filePath);
         public abstract bool VerifySignedNugetFileMarker(string filePath);
diff --git a/src/Microsoft.DotNet.SignTool/src/SignToolConstants.cs b/src/Microsoft.DotNet.SignTool/src/SignToolConstants.cs
index e93522bfb6d..8a55ed8bc28 100644
--- a/src/Microsoft.DotNet.SignTool/src/SignToolConstants.cs
+++ b/src/Microsoft.DotNet.SignTool/src/SignToolConstants.cs
@@ -31,7 +31,8 @@ internal static class SignToolConstants
         public const string MsiEngineExtension = "-engine.exe";
         /// <summary>
         /// List of known signable extensions. Copied, removing duplicates, from here:
-        /// https://microsoft.sharepoint.com/teams/codesigninfo/Wiki/Signable%20Files.aspx
+        /// https://microsoft.sharepoint.com/teams/prss/Codesign/SitePages/Signable%20Files.aspx
+        /// ".deb" is not in the list linked above, but it is a known signable extension.
         /// </summary>
         public static readonly HashSet<string> SignableExtensions = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
         {
@@ -110,6 +111,8 @@ internal static class SignToolConstants
 
             ".py",
             ".pyd",
+
+            ".deb",
         };
 
         /// <summary>
diff --git a/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs b/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
index 2124d604e1c..f4043db580b 100644
--- a/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
@@ -49,6 +49,9 @@ public override void RemovePublicSign(string assemblyPath)
         {
         }
 
+        public override bool VerifySignedDeb(string filePath)
+            => true;
+
         public override bool VerifySignedPEFile(Stream assemblyStream)
             => true;
 
diff --git a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
index c7bc3220eaf..6c8ed229233 100644
--- a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
+++ b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
@@ -7,7 +7,10 @@
 using System;
 using System.IO;
 using System.IO.Compression;
+using System.Diagnostics;
 using System.Linq;
+using System.Net.Http;
+using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
@@ -16,6 +19,53 @@ namespace Microsoft.DotNet.SignTool
 {
     internal class VerifySignatures
     {
+        internal static bool VerifySignedDeb(string filePath)
+        {
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                // We cannot check the signature of a .deb file on Windows.
+                return true;
+            }
+
+            string tempDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
+            Directory.CreateDirectory(tempDir);
+
+            // https://microsoft.sharepoint.com/teams/prss/esrp/info/SitePages/Linux%20GPG%20Signing.aspx
+            try
+            {
+                // Download the Microsoft public key
+                using (HttpClient client = new HttpClient())
+                {
+                    using (Stream stream = client.GetStreamAsync("https://packages.microsoft.com/keys/microsoft.asc").Result)
+                    {
+                        using (FileStream fileStream = File.Create($"{tempDir}/microsoft.asc"))
+                        {
+                            stream.CopyTo(fileStream);
+                        }
+                    }
+                }
+
+                RunCommand($"ar x {filePath} --output {tempDir}");
+                RunCommand($"gpg --import {tempDir}/microsoft.asc");
+                RunCommand($"cat {tempDir}/debian-binary {tempDir}/control.tar.gz {tempDir}/data.tar.gz > {tempDir}/combined-contents");
+                string output = RunCommand($"gpg --verify {tempDir}/_gpgorigin {tempDir}/combined-contents");
+                if (output.Contains("Good signature"))
+                {
+                    return true;
+                }
+                
+                return false;
+            }
+            catch(Exception)
+            {
+                return false;
+            }
+            finally
+            {
+                Directory.Delete(tempDir, true);
+            }
+        }
+
         internal static bool VerifySignedPowerShellFile(string filePath)
         {
             return File.ReadLines(filePath).Any(line => line.IndexOf("# SIG # Begin Signature Block", StringComparison.OrdinalIgnoreCase) >= 0);
@@ -121,5 +171,28 @@ internal static bool IsDigitallySigned(string fullPath)
             }
             return certificate.Verify();
         }
+
+        private static string RunCommand(string command)
+        {
+            var psi = new ProcessStartInfo
+            {
+                FileName = "bash",
+                Arguments = $"-c \"{command}\"",
+                RedirectStandardOutput = true,
+                RedirectStandardError = false,
+                UseShellExecute = false,
+                CreateNoWindow = true
+            };
+
+            using (var process = Process.Start(psi))
+            {
+                process.WaitForExit();
+                if (process.ExitCode != 0)
+                {
+                    throw new Exception($"Command '{command}' failed with exit code {process.ExitCode}");
+                }
+                return process.StandardOutput.ReadToEnd();
+            }
+        }
     }
 }

From 949dafc5e36b5e67834f38469c09e9d1317de040 Mon Sep 17 00:00:00 2001
From: Ella Hathaway <ellahathaway@microsoft.com>
Date: Mon, 4 Nov 2024 23:50:47 +0000
Subject: [PATCH 2/5] Set CollisionPriorityId

---
 src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
index 1169cb81e7b..aa4c0ff4188 100644
--- a/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
+++ b/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
@@ -50,7 +50,11 @@
       a public key token.
       The certificate can be overriden using the StrongNameSignInfo or the FileSignInfo item group.
     -->
-    <FileExtensionSignInfo Include=".deb" CertificateName="LinuxSign" />
+    <!--
+      Collision priority ID needed to avoid failures with duplicate FileExtensionSignInfo for ".deb".
+      See https://github.com/dotnet/arcade/pull/15216#discussion_r1828513419
+     -->
+    <FileExtensionSignInfo Include=".deb" CertificateName="LinuxSign" CollisionPriorityId="0" />
     <FileExtensionSignInfo Include=".jar" CertificateName="MicrosoftJARSHA2" />
     <FileExtensionSignInfo Include=".js;.ps1;.psd1;.psm1;.psc1;.py" CertificateName="Microsoft400" />
     <FileExtensionSignInfo Include=".dll;.exe;.mibc" CertificateName="Microsoft400" />

From 05ecf2c13a54d7d0ddb0aef2ba4a62cbbba19462 Mon Sep 17 00:00:00 2001
From: Ella Hathaway <ellahathaway@microsoft.com>
Date: Tue, 5 Nov 2024 23:53:02 +0000
Subject: [PATCH 3/5] Log failing signing validation task

---
 src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs       | 2 +-
 src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs        | 8 ++++----
 src/Microsoft.DotNet.SignTool/src/Configuration.cs        | 2 +-
 src/Microsoft.DotNet.SignTool/src/RealSignTool.cs         | 4 ++--
 src/Microsoft.DotNet.SignTool/src/SignTool.cs             | 2 +-
 .../src/ValidationOnlySignTool.cs                         | 2 +-
 src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs     | 7 +++++--
 7 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs b/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
index 359c28ed057..aca1cf628c0 100644
--- a/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
+++ b/src/Microsoft.DotNet.SignTool.Tests/FakeSignTool.cs
@@ -60,7 +60,7 @@ private static void SignPEFile(string path)
             }
         }
 
-        public override bool VerifySignedDeb(string filePath)
+        public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
         {
             return true;
         }
diff --git a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
index 1949f7b3c36..5b591aa8a69 100644
--- a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
+++ b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
@@ -84,7 +84,7 @@ internal void Go(bool doStrongNameCheck)
             // This is a recursive process since we process nested containers.
             foreach (var file in _batchData.FilesToSign)
             {
-                VerifyAfterSign(file);
+                VerifyAfterSign(_log, file);
             }
 
             if (_log.HasLoggedErrors)
@@ -545,7 +545,7 @@ private void VerifyCertificates(TaskLoggingHelper log)
             }
         }
 
-        private void VerifyAfterSign(FileSignInfo file)
+        private void VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file)
         {
             if (file.IsPEFile())
             {
@@ -563,7 +563,7 @@ private void VerifyAfterSign(FileSignInfo file)
             }
             else if (file.IsDeb())
             {
-                if (!_signTool.VerifySignedDeb(file.FullPath))
+                if (!_signTool.VerifySignedDeb(log, file.FullPath))
                 {
                     _log.LogError($"Deb package {file.FullPath} is not signed properly.");
                 }
@@ -600,7 +600,7 @@ private void VerifyAfterSign(FileSignInfo file)
                         continue;
                     }
 
-                    VerifyAfterSign(zipPart.Value.FileSignInfo);
+                    VerifyAfterSign(_log, zipPart.Value.FileSignInfo);
                 }
 
                 if (!SkipZipContainerSignatureMarkerCheck)
diff --git a/src/Microsoft.DotNet.SignTool/src/Configuration.cs b/src/Microsoft.DotNet.SignTool/src/Configuration.cs
index 5b490996c0d..ef684bc61ec 100644
--- a/src/Microsoft.DotNet.SignTool/src/Configuration.cs
+++ b/src/Microsoft.DotNet.SignTool/src/Configuration.cs
@@ -420,7 +420,7 @@ private FileSignInfo ExtractSignInfo(
             }
             else if(FileSignInfo.IsDeb(file.FullPath))
             {
-                isAlreadySigned = VerifySignatures.VerifySignedDeb(file.FullPath);
+                isAlreadySigned = VerifySignatures.VerifySignedDeb(_log, file.FullPath);
                 if (!isAlreadySigned)
                 {
                     _log.LogMessage(MessageImportance.Low, $"File {file.FullPath} is not signed.");
diff --git a/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs b/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
index b1e3ca6cc44..27bd7350f66 100644
--- a/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/RealSignTool.cs
@@ -129,9 +129,9 @@ public override bool VerifyStrongNameSign(string fileFullPath)
             return process.ExitCode == 0;
         }
 
-        public override bool VerifySignedDeb(string filePath)
+        public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
         {
-            return VerifySignatures.VerifySignedDeb(filePath);
+            return VerifySignatures.VerifySignedDeb(log, filePath);
         }
 
         public override bool VerifySignedPowerShellFile(string filePath)
diff --git a/src/Microsoft.DotNet.SignTool/src/SignTool.cs b/src/Microsoft.DotNet.SignTool/src/SignTool.cs
index 8f04e36b7da..9029c9f34da 100644
--- a/src/Microsoft.DotNet.SignTool/src/SignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/SignTool.cs
@@ -32,7 +32,7 @@ internal SignTool(SignToolArgs args, TaskLoggingHelper log)
 
         public abstract bool LocalStrongNameSign(IBuildEngine buildEngine, int round, IEnumerable<FileSignInfo> files);
 
-        public abstract bool VerifySignedDeb(string filePath);
+        public abstract bool VerifySignedDeb(TaskLoggingHelper log, string filePath);
         public abstract bool VerifySignedPEFile(Stream stream);
         public abstract bool VerifySignedPowerShellFile(string filePath);
         public abstract bool VerifySignedNugetFileMarker(string filePath);
diff --git a/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs b/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
index f4043db580b..b3499ef4635 100644
--- a/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
+++ b/src/Microsoft.DotNet.SignTool/src/ValidationOnlySignTool.cs
@@ -49,7 +49,7 @@ public override void RemovePublicSign(string assemblyPath)
         {
         }
 
-        public override bool VerifySignedDeb(string filePath)
+        public override bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
             => true;
 
         public override bool VerifySignedPEFile(Stream assemblyStream)
diff --git a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
index 6c8ed229233..2774b5d3621 100644
--- a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
+++ b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
 using NuGet.Common;
 using NuGet.Packaging;
 using NuGet.Packaging.Signing;
@@ -19,7 +21,7 @@ namespace Microsoft.DotNet.SignTool
 {
     internal class VerifySignatures
     {
-        internal static bool VerifySignedDeb(string filePath)
+        internal static bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
         {
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
@@ -56,8 +58,9 @@ internal static bool VerifySignedDeb(string filePath)
                 
                 return false;
             }
-            catch(Exception)
+            catch(Exception e)
             {
+                log.LogMessage(MessageImportance.Low, $"Failed to verify signature of {filePath} with the following error: {e.Message}");
                 return false;
             }
             finally

From 3b7a4800a80a53fd9752d4642334644291cf6970 Mon Sep 17 00:00:00 2001
From: Ella Hathaway <ellahathaway@microsoft.com>
Date: Wed, 6 Nov 2024 23:49:30 +0000
Subject: [PATCH 4/5] Testing
 https://github.com/dotnet/source-build/issues/4062

---
 src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs b/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
index 9c24ef7a1e9..f411941ba1f 100644
--- a/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
+++ b/src/Microsoft.DotNet.SignTool.Tests/SignToolTests.cs
@@ -373,10 +373,17 @@ private void ValidateFileSignInfos(
             var task = new SignToolTask { BuildEngine = engine };
             var signingInput = new Configuration(_tmpDir, itemsToSign, strongNameSignInfo, fileSignInfo, extensionsSignInfo, dualCertificates, tarToolPath: s_tarToolPath, task.Log).GenerateListOfFiles();
 
-            signingInput.FilesToSign.Select(f => f.ToString()).Should().BeEquivalentTo(expected);
-            signingInput.FilesToCopy.Select(f => $"{f.Key} -> {f.Value}").Should().BeEquivalentTo(expectedCopyFiles ?? Array.Empty<string>());
             engine.LogErrorEvents.Select(w => w.Message).Should().BeEquivalentTo(expectedErrors ?? Array.Empty<string>());
             engine.LogWarningEvents.Select(w => $"{w.Code}: {w.Message}").Should().BeEquivalentTo(expectedWarnings ?? Array.Empty<string>());
+
+            // output log events for debugging
+            foreach (var logEvent in engine.LogMessageEvents)
+            {
+                _output.WriteLine(logEvent.Message);
+            }
+
+            signingInput.FilesToSign.Select(f => f.ToString()).Should().BeEquivalentTo(expected);
+            signingInput.FilesToCopy.Select(f => $"{f.Key} -> {f.Value}").Should().BeEquivalentTo(expectedCopyFiles ?? Array.Empty<string>());
         }
 
         [Fact]

From 0edb8cfe02be4d33ec99e7a8730b54a0b7d50e66 Mon Sep 17 00:00:00 2001
From: Ella Hathaway <ellahathaway@microsoft.com>
Date: Thu, 7 Nov 2024 17:51:27 +0000
Subject: [PATCH 5/5] Try this

---
 src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs    | 7 ++++++-
 src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
index 5b591aa8a69..b07fb547c0d 100644
--- a/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
+++ b/src/Microsoft.DotNet.SignTool/src/BatchSignUtil.cs
@@ -9,6 +9,7 @@
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
+using System.Runtime.InteropServices;
 using System.Threading.Tasks;
 using TaskLoggingHelper = Microsoft.Build.Utilities.TaskLoggingHelper;
 
@@ -563,7 +564,11 @@ private void VerifyAfterSign(TaskLoggingHelper log, FileSignInfo file)
             }
             else if (file.IsDeb())
             {
-                if (!_signTool.VerifySignedDeb(log, file.FullPath))
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+                {
+                    _log.LogMessage(MessageImportance.Low, $"Skipping signature verification of {file.FullPath} on Windows.");
+                }
+                else if (!_signTool.VerifySignedDeb(log, file.FullPath))
                 {
                     _log.LogError($"Deb package {file.FullPath} is not signed properly.");
                 }
diff --git a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
index 2774b5d3621..60edbfcbbb7 100644
--- a/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
+++ b/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
@@ -26,7 +26,8 @@ internal static bool VerifySignedDeb(TaskLoggingHelper log, string filePath)
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
                 // We cannot check the signature of a .deb file on Windows.
-                return true;
+                log.LogMessage(MessageImportance.Low, $"Skipping signature verification of {filePath} on Windows.");
+                return false;
             }
 
             string tempDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());