
Add SubjectAlternativeName property to Get-AuthenticodeSignature #26252

Merged
daxian-dbw merged 23 commits into master from copilot/add-subjectalternative-name on Feb 10, 2026
Contributor

Copilot AI commented Oct 20, 2025

  • Add SubjectAlternativeName property to the Signature class in MshSignature.cs
  • Extract SubjectAlternativeName from the SignerCertificate extensions using X509 APIs
  • Format the SAN extension similar to the PowerShell example code provided
  • Add comprehensive tests to verify the SubjectAlternativeName property
    • Test with certificate containing SAN extension (verifies actual content)
    • Test with certificate without SAN extension (verifies null value)
    • Fixed hanging test by using PSSession with LocalMachine stores
    • Use standard PowerShell pattern for array type checking: ,$result | Should -BeOfType [string[]]
    • Use Should -BeExactly for precise array element validation at specific indices
  • Revert unrelated build infrastructure and documentation changes
  • Remove nullable reference type annotations (file doesn't have nullable enabled)
  • Use named constant for SubjectAlternativeName OID
  • Remove obvious comments
  • Change SubjectAlternativeName to string array with each line as separate element
  • Reverted commit 391245e to restore splitting logic (extension.Format returns string, not string[])
  • Updated to handle all line separator types (\r\n, \n, \r) for cross-platform compatibility
  • Removed redundant null check (GetSubjectAlternativeName already handles null)

Summary

This PR adds a SubjectAlternativeName property to the Signature class returned by Get-AuthenticodeSignature. The implementation:

  1. Core Change: Added a string[] property that extracts the SAN extension (OID 2.5.29.17) from the signer certificate
  2. Helper Method: Implements GetSubjectAlternativeName() that searches for and formats the SAN extension using a named constant, then splits it into individual array elements (one per line) using all common line separators for cross-platform compatibility. Handles null certificates gracefully.
  3. Comprehensive Tests:
    • Test that verifies certificates WITH SAN content show the expected DNS names as array elements
    • Test that verifies certificates WITHOUT SAN content return null
    • Tests use PSSession with LocalMachine stores to avoid hanging issues
    • Tests use standard PowerShell pattern for array type checking with comma operator
    • Tests use Should -BeExactly for precise validation of array element values at specific indices

The implementation follows the C# translation of the PowerShell example code provided in the issue and maintains backward compatibility.

Original prompt

This section details the original issue you should resolve

<issue_title>Add SubjectAlternativeName to get-authenticode signature</issue_title>
<issue_description>Add SubjectAlternativeName to get-authenticode signature</issue_description>

<agent_instructions>The code should be all done in C#.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@TravisEz13 Code to add subject alternative name

```powershell
# Collect signatures for every DLL under $pshome
$dlls = dir $pshome\*.dll -Recurse -File | Get-AuthenticodeSignature
$dlls | %{
    # Find the SAN extension on the signer certificate and attach its formatted text
    $sanExt = $_.SignerCertificate.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}
    $sanStr = $sanExt.Format(1)
    $_.SignerCertificate | Add-Member -Type NoteProperty -Value $sanStr -Name SubjectAlternativeName
}
```

@TravisEz13 This is a suggested enhancement but would be used as a KB. The code should be translated into C#.

@TravisEz13 Security WG - Subject Alternative name has important data and this would be worth implementing.

@TravisEz13 @IISResetMe, thanks for the suggestion.

I'll try to get this done when time allows</comment_new>

Fixes #14006



Copilot AI and others added 2 commits October 20, 2025 20:07
…ld documentation

Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add SubjectAlternativeName to get-authenticode signature" to "Add SubjectAlternativeName property to Get-AuthenticodeSignature" Oct 20, 2025
Copilot AI requested a review from TravisEz13 October 20, 2025 20:14
Comment thread PowerShell.Common.props Outdated
…/linux.md

Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1
Copilot AI and others added 2 commits October 20, 2025 20:44
Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Copilot AI requested a review from TravisEz13 October 20, 2025 20:50
TravisEz13 marked this pull request as ready for review October 20, 2025 21:21
Copilot AI review requested due to automatic review settings October 20, 2025 21:21
Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds a SubjectAlternativeName property to the Signature class returned by Get-AuthenticodeSignature, enabling users to access SAN extension data from signer certificates directly through the cmdlet output.

  • Adds nullable SubjectAlternativeName property to the Signature class with extraction logic for OID 2.5.29.17
  • Implements helper method to search certificate extensions and format SAN data
  • Adds comprehensive test coverage for certificates with and without SAN extensions using CurrentUser certificate stores

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/System.Management.Automation/security/MshSignature.cs | Adds SubjectAlternativeName property and extraction logic to Signature class |
| test/powershell/engine/Security/FileSignature.Tests.ps1 | Adds tests verifying SAN property existence and content for certificates with/without SAN extensions |
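
The extraction that the PR summary and the review overview describe (find the extension with OID 2.5.29.17, format it, split on every line-separator style, return null when it is absent), written as an added PowerShell example that is not the PR's C# code. `Get-SanLine`, `New-SampleCert` and the `example.test` names are assumptions made for illustration, and the certificates are constructed in memory.

```powershell
# Added example, not the PR's C# code. Get-SanLine and New-SampleCert are hypothetical names.
$SanOid = '2.5.29.17'   # Subject Alternative Name OID, as given in the PR summary

function Get-SanLine {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    if ($null -eq $Certificate) { return $null }
    foreach ($ext in $Certificate.Extensions) {
        # Match on the OID value; the friendly name can vary by platform and locale.
        if ($ext.Oid.Value -ne $SanOid) { continue }
        # Format($true) returns one multi-line string whose separator is platform dependent.
        # Dropping empty pieces (trailing separator) is a choice made in this example.
        $lines = $ext.Format($true) -split '\r\n|\n|\r' | Where-Object { $_ }
        return ,([string[]]$lines)
    }
    return $null   # no SAN extension present
}

# Constructed sample input: a self-signed certificate kept in memory, never added to a store.
function New-SampleCert {
    param([string] $Subject, [string[]] $DnsName)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if ($DnsName) {
        $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
        $DnsName | ForEach-Object { $san.AddDnsName($_) }
        $req.CertificateExtensions.Add($san.Build($false))
    }
    $now = [System.DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now, $now.AddDays(1))
}

$withSan = New-SampleCert -Subject 'CN=Constructed Signer' -DnsName 'signing.example.test', 'build.example.test'
$noSan   = New-SampleCert -Subject 'CN=Constructed Signer Without SAN'

$san = Get-SanLine $withSan
$san.GetType().Name                             # array type, one element per formatted line
[bool]($san -match 'signing\.example\.test')    # entry text is platform formatted, so match on the name
$null -eq (Get-SanLine $noSan)                  # absent extension yields $null rather than an empty array
```

For a signed file, pass `(Get-AuthenticodeSignature -FilePath <path>).SignerCertificate` to the function.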


Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
TravisEz13 marked this pull request as draft October 20, 2025 21:22
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
Co-authored-by: iSazonov <22290914+iSazonov@users.noreply.github.com>
Copilot AI requested a review from iSazonov February 8, 2026 13:39
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
Co-authored-by: iSazonov <22290914+iSazonov@users.noreply.github.com>
Co-authored-by: iSazonov <22290914+iSazonov@users.noreply.github.com>
…erator

Co-authored-by: iSazonov <22290914+iSazonov@users.noreply.github.com>
Comment thread test/powershell/engine/Security/FileSignature.Tests.ps1 Outdated
Co-authored-by: iSazonov <22290914+iSazonov@users.noreply.github.com>
@daxian-dbw
Member

daxian-dbw commented Feb 10, 2026

@copilot Open an issue in the repo https://github.com/MicrosoftDocs/PowerShell-Docs to track the documentation of the new property SubjectAlternativeName added in this PR.

Contributor Author

Copilot AI commented Feb 10, 2026

@copilot Open an issue in the repo https://github.com/MicrosoftDocs/PowerShell-Docs to track the documentation of the new property SubjectAlternativeName added in this PR.

email@example.com")
  • Useful for security validation and certificate trust decisions
  • You'll need to create this issue manually in the PowerShell-Docs repository.


    @daxian-dbw
    Member

    Doc issue opened for the new property: MicrosoftDocs/PowerShell-Docs#12745


    Labels

    • Approved-LowRisk: Indicate a PR has been approved and can be merged after a quick review of another maintainer.
    • CL-General: Indicates that a PR should be marked as a general cmdlet change in the Change Log
