From 2a3195d99f42e9b4f70e5719525db046a327aeb7 Mon Sep 17 00:00:00 2001
From: Mike Maietta
Date: Fri, 25 Oct 2024 08:48:11 -0700
Subject: [PATCH] fix(win): add rfc3161 timestamp entry with default values for azure signing (#8627)

---
 .changeset/gold-parents-complain.md | 5 +++++
 packages/app-builder-lib/scheme.json | 20 ++++++++++++++++++-
 .../src/codeSign/windowsSignAzureManager.ts | 10 +++++++---
 .../app-builder-lib/src/options/winOptions.ts | 18 ++++++++++++++++-
 4 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 .changeset/gold-parents-complain.md
diff --git a/.changeset/gold-parents-complain.md b/.changeset/gold-parents-complain.md
new file mode 100644
index 00000000000..8bf40bc7813
--- /dev/null
+++ b/.changeset/gold-parents-complain.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: add rfc3161 timestamp entry as default for azure signing to resolve Windows Defender alert
diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
index 6c70de56c35..a1599a67bf8 100644
--- a/packages/app-builder-lib/scheme.json
+++ b/packages/app-builder-lib/scheme.json
@@ -6093,7 +6093,10 @@
 },
 "WindowsAzureSigningConfiguration": {
 "additionalProperties": {
- "type": "string"
+ "type": [
+ "null",
+ "string"
+ ]
 },
 "properties": {
 "certificateProfileName": {
@@ -6107,6 +6110,21 @@
 "endpoint": {
 "description": "The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the\nregion your Trusted Signing Account and Certificate Profile you are specifying were created\nin during the setup of these resources.\n\nTranslates to field: Endpoint\n\nRequires one of environment variable configurations for authenticating to Microsoft Entra ID per [Microsoft's documentation](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition)",
 "type": "string"
+ },
+ "fileDigest": {
+ "default": "SHA256",
+ "description": "The File Digest for signing each file. Translates to field: FileDigest",
+ "type": "string"
+ },
+ "timestampDigest": {
+ "default": "SHA256",
+ "description": "The Timestamp Digest. Translates to field: TimestampDigest",
+ "type": "string"
+ },
+ "timestampRfc3161": {
+ "default": "http://timestamp.acs.microsoft.com",
+ "description": "The Timestamp rfc3161 server. Translates to field: TimestampRfc3161",
+ "type": "string"
 }
 },
 "required": [
diff --git a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
index 0cbc49e257e..c68d4a36ea6 100644
--- a/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
+++ b/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts
@@ -79,16 +79,20 @@ export class WindowsSignAzureManager {
 const vm = await this.packager.vm.value
 const ps = await getPSCmd(vm)
- const { endpoint, certificateProfileName, codeSigningAccountName, ...extraSigningArgs }: WindowsAzureSigningConfiguration = options.options.azureSignOptions!
+ const { endpoint, certificateProfileName, codeSigningAccountName, fileDigest, timestampRfc3161, timestampDigest, ...extraSigningArgs }: WindowsAzureSigningConfiguration =
+ options.options.azureSignOptions!
 const params = {
- FileDigest: "SHA256",
- ...extraSigningArgs, // allows overriding FileDigest if provided in config
+ ...extraSigningArgs,
 Endpoint: endpoint,
 CertificateProfileName: certificateProfileName,
 CodeSigningAccountName: codeSigningAccountName,
+ TimestampRfc3161: timestampRfc3161 || "http://timestamp.acs.microsoft.com",
+ TimestampDigest: timestampDigest || "SHA256",
+ FileDigest: fileDigest || "SHA256",
 Files: `"${options.path}"`,
 }
 const paramsString = Object.entries(params)
+ .filter(([_, value]) => value != null)
 .reduce((res, [field, value]) => {
 return [...res, `-${field}`, value]
 }, [] as string[])
diff --git a/packages/app-builder-lib/src/options/winOptions.ts b/packages/app-builder-lib/src/options/winOptions.ts
index 15db48c5a9c..f116f7ba3e6 100644
--- a/packages/app-builder-lib/src/options/winOptions.ts
+++ b/packages/app-builder-lib/src/options/winOptions.ts
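Review bot: A verbatim `FileDigest`, `TimestampRfc3161` or `TimestampDigest` key passed through the interface's index signature is now silently overridden, because `...extraSigningArgs` is spread before the three new entries and `||` substitutes the default whenever the camelCase field is absent; the removed comment `// allows overriding FileDigest if provided in config` documented that override as supported. Placing the three defaulted entries above the spread, written as `TimestampRfc3161: timestampRfc3161 ?? "http://timestamp.acs.microsoft.com",` (and likewise for `TimestampDigest` and `FileDigest`) followed by `...extraSigningArgs,`, keeps verbatim keys effective while `Endpoint`, `CertificateProfileName`, `CodeSigningAccountName` and `Files` still take precedence. Using `??` rather than `||` also lets an explicit `null` reach the new `.filter(([_, value]) => value != null)`; with `||`, the `null` that winOptions.ts now admits via `[k: string]: string | undefined | null` and its new `Note:` line can never omit one of these three parameters, since it is replaced by the default first, so whether opting out of timestamping is meant to be possible should be confirmed and documented on those fields. The enclosing method starts and ends outside the hunk.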
@@ -207,8 +207,24 @@ export interface WindowsAzureSigningConfiguration {
 * The Code Signing Signing Account name. Translates to field: CodeSigningAccountName
 */
 readonly codeSigningAccountName: string
+ /**
+ * The File Digest for signing each file. Translates to field: FileDigest
+ * @default SHA256
+ */
+ readonly fileDigest?: string
+ /**
+ * The Timestamp rfc3161 server. Translates to field: TimestampRfc3161
+ * @default http://timestamp.acs.microsoft.com
+ */
+ readonly timestampRfc3161?: string
+ /**
+ * The Timestamp Digest. Translates to field: TimestampDigest
+ * @default SHA256
+ */
+ readonly timestampDigest?: string
 /**
 * Allow other CLI parameters (verbatim case-sensitive) to `Invoke-TrustedSigning`
+ * Note: Key-Value pairs with `undefined`/`null` value are filtered out of the command.
 */
- [k: string]: string
+ [k: string]: string | undefined | null
 }