Fix self-signing private key lost

Aeliux · Aeliux · commit 65c018f84cae · 2025-04-11T11:05:15.000+03:30
diff --git a/src/EasySign.Cli/Properties/launchSettings.json b/src/EasySign.Cli/Properties/launchSettings.json
@@ -13,7 +13,7 @@
     },
     "Sign": {
       "commandName": "Project",
-      "commandLineArgs": "sign ."
+      "commandLineArgs": "sign . -s"
     }
   }
 }
diff --git a/src/EasySign.CommandLine/BundleWorker.cs b/src/EasySign.CommandLine/BundleWorker.cs
@@ -18,7 +18,42 @@ public abstract partial class CommandProvider<T>
         /// Initializes the bundle.
         /// </summary>
         /// <param name="bundlePath">Path of the bundle.</param>
-        public abstract void InitializeBundle(string bundlePath);
+        protected abstract void InitializeBundle(string bundlePath);
+
+        /// <summary>
+        /// Loads the bundle from file and handles load errors.
+        /// </summary>
+        /// <param name="readOnly">
+        /// A value indicating whether to load the bundle in read-only mode.
+        /// </param>
+        protected bool LoadBundle(bool readOnly = true)
+        {
+            if (Bundle == null)
+            {
+                throw new ApplicationException("Bundle is not initialized");
+            }
+
+            try
+            {
+                Bundle.LoadFromFile(readOnly);
+
+                if (!string.IsNullOrEmpty(Bundle.Manifest.UpdatedBy) && Bundle.Manifest.UpdatedBy != Bundle.GetType().FullName)
+                {
+                    Logger.LogWarning("Bundle was created by a different application");
+                    AnsiConsole.MarkupLine($"[{Color.Orange1}]Warning:[/] Bundle was created by a different application");
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                Logger.LogError(ex, "Failed to load bundle from file: {BundlePath}", Bundle.BundlePath);
+                AnsiConsole.MarkupLine($"[{Color.Red}]Failed to load bundle from file: {Bundle.BundlePath}[/]");
+                AnsiConsole.MarkupLine($"[{Color.Red}]Error:[/] {ex.GetType().Name}: {ex.Message}");
+            }
+
+            return false;
+        }
 
         /// <summary>
         /// Runs the add command.
@@ -45,7 +80,8 @@ protected virtual void RunAdd(StatusContext statusContext, bool replace, bool co
             {
                 Logger.LogDebug("A bundle file exists, loading bundle");
                 statusContext.Status("[yellow]Loading Bundle[/]");
-                Bundle.LoadFromFile(false);
+                
+                if (!LoadBundle(false)) return;
             }
 
             statusContext.Status("[yellow]Adding Files[/]");
@@ -151,7 +187,7 @@ protected virtual void RunSign(StatusContext statusContext, X509Certificate2Coll
 
             Logger.LogDebug("Loading bundle");
             statusContext.Status("[yellow]Loading Bundle[/]");
-            Bundle.LoadFromFile(false);
+            if (!LoadBundle(false)) return;
 
             int divider = 0;
             int signs = 0;
@@ -194,7 +230,7 @@ protected virtual void RunSign(StatusContext statusContext, X509Certificate2Coll
                 if (prvKey == null)
                 {
                     Logger.LogError("Failed to acquire RSA private key for {cert}", cert);
-                    AnsiConsole.MarkupLine($"[{Color.Green}] Failed to Acquire RSA Private Key[/]");
+                    AnsiConsole.MarkupLine($"[{Color.Red}] Failed to Acquire RSA Private Key[/]");
                     continue;
                 }
 
@@ -246,7 +282,7 @@ protected virtual void RunVerify(StatusContext statusContext)
 
             Logger.LogDebug("Loading bundle");
             statusContext.Status("[yellow]Loading Bundle[/]");
-            Bundle.LoadFromFile();
+            if (!LoadBundle()) return;
 
             Logger.LogInformation("Starting certificate and signature verification");
             statusContext.Status("[yellow]Verification Phase 1: Certificates and signatures[/]");
@@ -414,7 +450,7 @@ protected bool VerifyCertificate(X509Certificate2 certificate)
 
                 Logger.LogInformation("Certificate verification with self-signing root CA for {cert}: {result}", certificate, selfSignVerification);
                 
-                if (!selfSignVerification)
+                if (selfSignVerification)
                 {
                     AnsiConsole.MarkupLine($"[{Color.Green}] Certificate Verification with Self-Signing Root CA Successful[/]");
                     return true;
diff --git a/src/EasySign.CommandLine/CertificateUtilities.cs b/src/EasySign.CommandLine/CertificateUtilities.cs
@@ -122,6 +122,8 @@ public static X509Certificate2Collection GetCertificates(string pfxFilePath, str
                     store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
 
                     collection = store.Certificates;
+
+                    store.Close();
                 }
                 catch
                 {
@@ -201,9 +203,9 @@ public static X509Certificate2 CreateSelfSignedCACertificate(string subjectName)
 
                 // Export and re-import to mark the key as exportable (if needed for further signing).
 #if NET9_0_OR_GREATER
-                var cert = X509CertificateLoader.LoadPkcs12(rootCert.Export(X509ContentType.Pfx), null);
+                var cert = X509CertificateLoader.LoadPkcs12(rootCert.Export(X509ContentType.Pfx), null, X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.Exportable);
 #else
-                var cert = new X509Certificate2(rootCert.Export(X509ContentType.Pfx));
+                var cert = new X509Certificate2(rootCert.Export(X509ContentType.Pfx), "", X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.Exportable);
 #endif
 
                 return cert;
@@ -220,6 +222,8 @@ public static X509Certificate2 IssueCertificate(string subjectName, X509Certific
         {
             using (RSA rsa = RSA.Create(2048))
             {
+                _ = rsa.ExportRSAPrivateKey(); // Ensure the RSA key is created.
+
                 // Build the certificate request for the issued certificate.
                 var req = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
 
@@ -255,14 +259,7 @@ public static X509Certificate2 IssueCertificate(string subjectName, X509Certific
                     var issuedCert = req.Create(caCert, DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddYears(2), serialNumber);
 
-                    // Export and re-import to ensure the certificate includes the private key.
-#if NET9_0_OR_GREATER
-                    var cert = X509CertificateLoader.LoadPkcs12(issuedCert.Export(X509ContentType.Pfx), null);
-#else
-                    var cert = new X509Certificate2(issuedCert.Export(X509ContentType.Pfx));
-#endif
-
-                    return cert;
+                    return issuedCert.CopyWithPrivateKey(rsa);
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`	`},`
`14`	`14`	`"Sign": {`
`15`	`15`	`"commandName": "Project",`
`16`		`- "commandLineArgs": "sign ."`
	`16`	`+ "commandLineArgs": "sign . -s"`
`17`	`17`	`}`
`18`	`18`	`}`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,8 @@ public static X509Certificate2Collection GetCertificates(string pfxFilePath, str`
`122`	`122`	`store.Open(OpenFlags.ReadOnly \| OpenFlags.OpenExistingOnly);`
`123`	`123`
`124`	`124`	`collection = store.Certificates;`
	`125`	`+`
	`126`	`+ store.Close();`
`125`	`127`	`}`
`126`	`128`	`catch`
`127`	`129`	`{`
`@@ -201,9 +203,9 @@ public static X509Certificate2 CreateSelfSignedCACertificate(string subjectName)`
`201`	`203`
`202`	`204`	`// Export and re-import to mark the key as exportable (if needed for further signing).`
`203`	`205`	`#if NET9_0_OR_GREATER`
`204`		`- var cert = X509CertificateLoader.LoadPkcs12(rootCert.Export(X509ContentType.Pfx), null);`
	`206`	`+ var cert = X509CertificateLoader.LoadPkcs12(rootCert.Export(X509ContentType.Pfx), null, X509KeyStorageFlags.EphemeralKeySet \| X509KeyStorageFlags.Exportable);`
`205`	`207`	`#else`
`206`		`- var cert = new X509Certificate2(rootCert.Export(X509ContentType.Pfx));`
	`208`	`+ var cert = new X509Certificate2(rootCert.Export(X509ContentType.Pfx), "", X509KeyStorageFlags.EphemeralKeySet \| X509KeyStorageFlags.Exportable);`
`207`	`209`	`#endif`
`208`	`210`
`209`	`211`	`return cert;`
`@@ -220,6 +222,8 @@ public static X509Certificate2 IssueCertificate(string subjectName, X509Certific`
`220`	`222`	`{`
`221`	`223`	`using (RSA rsa = RSA.Create(2048))`
`222`	`224`	`{`
	`225`	`+ _ = rsa.ExportRSAPrivateKey(); // Ensure the RSA key is created.`
	`226`	`+`
`223`	`227`	`// Build the certificate request for the issued certificate.`
`224`	`228`	`var req = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);`
`225`	`229`
`@@ -255,14 +259,7 @@ public static X509Certificate2 IssueCertificate(string subjectName, X509Certific`
`255`	`259`	`var issuedCert = req.Create(caCert, DateTimeOffset.UtcNow.AddDays(-1),`
`256`	`260`	`DateTimeOffset.UtcNow.AddYears(2), serialNumber);`
`257`	`261`
`258`		`- // Export and re-import to ensure the certificate includes the private key.`
`259`		`-#if NET9_0_OR_GREATER`
`260`		`- var cert = X509CertificateLoader.LoadPkcs12(issuedCert.Export(X509ContentType.Pfx), null);`
`261`		`-#else`
`262`		`- var cert = new X509Certificate2(issuedCert.Export(X509ContentType.Pfx));`
`263`		`-#endif`
`264`		`-`
`265`		`- return cert;`
	`262`	`+ return issuedCert.CopyWithPrivateKey(rsa);`
`266`	`263`	`}`
`267`	`264`	`}`
`268`	`265`	`}`