Skip to content

User feedback: PEM support, CLI standardization, and transparency service refactor#160

Merged
elantiguamsft merged 8 commits intomainfrom
users/jstatia/user_feedback
Feb 14, 2026
Merged

User feedback: PEM support, CLI standardization, and transparency service refactor#160
elantiguamsft merged 8 commits intomainfrom
users/jstatia/user_feedback

Conversation

@JeromySt
Copy link
Member

@JeromySt JeromySt commented Feb 10, 2026

Summary

This PR addresses user feedback across several areas:

CLI Option Standardization

  • Standardize all CLI options to use -- prefix (e.g., --Payload, --SignatureFile, --IntHeaderPairs)
  • Accept / and - prefixes for backward compatibility (converted to --)
  • Update all documentation to use -- format consistently

PEM Certificate Support (Linux/Unix)

  • Add --PemCertificate option to specify PEM certificate file
  • Add --PemKey option to specify separate PEM private key file
  • Support RSA and ECDSA keys in PKCS#1, PKCS#8, or encrypted PKCS#8 format
  • Support PEM certificate chains (multiple certificates in one file)
  • Add --PemKeyPassword and --PemKeyPasswordEnvironmentVariable options for encrypted PEM keys
  • Add password prompt support for interactive environments

Transparency Service Refactor

  • Replace ITransparencyService interface with TransparencyService abstract base class
  • Simplifies implementation requirements while preserving extensibility

Plugin Build Simplification

  • Remove redundant PreparePluginsForPublish and legacy BuildAndDeployPlugins targets
  • Consolidate plugin discovery into reusable ItemGroup

Tests

  • Add PEM signing tests (RSA, ECDSA, encrypted key, chain validation)
  • Add encrypted PEM key password tests (correct, missing, wrong password)
  • All existing tests continue to pass (1055 passed, 0 failed)

Commits

  1. Standardize CLI options to double-dash format and simplify plugin build targets
  2. Add PEM certificate support for Linux/Unix environments
  3. Add tests for encrypted PEM private key support
  4. PEM password via env/prompt; keep PFX --pw
  5. Replace ITransparencyService with TransparencyService base class

@Jstatia
Standardize CLI options to double-dash format and simplify plugin bui…
f2f4e5e 
…ld targets

- Standardize all CLI options to use -- prefix (e.g., --p, --sf, --iph)
- Accept / and - prefixes for backward compatibility (converted to --)
- Fix SignWithMissingAndInvalidCommandLineHeaders test (option normalization bug)
- Update all documentation to use -- format consistently
- Simplify plugin build targets: remove redundant PreparePluginsForPublish and legacy BuildAndDeployPlugins
- Consolidate plugin discovery into reusable ItemGroup
- Update help text to accurately describe option format
@Jstatia
Add PEM certificate support for Linux/Unix environments
a04fd9e 
- Add --pem/--PemCertificate option to specify PEM certificate file
- Add --key/--PemKey option to specify separate PEM private key file
- Support RSA and ECDSA keys in PKCS#1, PKCS#8, or encrypted PKCS#8 format
- Support PEM certificate chains (multiple certificates in one file)
- Reuse --pw/--Password for encrypted PEM private keys
- Add 6 new tests for PEM functionality
- Update documentation with PEM examples for Linux/Unix users
@Jstatia
Add tests for encrypted PEM private key support
2cbe199 
- Add test for signing with encrypted PEM private key and correct password
- Add test for failure when no password provided for encrypted key
- Add test for failure when wrong password provided for encrypted key
- Add CreateEncryptedPemKeyFile helper method for test setup
@Jstatia
PEM password via env/prompt; keep PFX --pw
f6eb939
@Jstatia
Replace ITransparencyService with TransparencyService base class
b4594ff
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 10, 2026
View reviewed changes
actions-user and others added 2 commits February 10, 2026 18:18
@actions-user
Update changelog for release
0e98809
@Jstatia
Address code scanning findings from PR review
5a8a8b1 
- Remove unused argWithoutColon variable in CoseCommand.cs
- Replace generic catch clauses with specific IOException catches
- Remove redundant ToString() calls on Guid
- Use Path.Join instead of Path.Combine to avoid silent argument dropping
- Use 'using' declaration for X509Certificate2 disposal in test
elantiguamsft
elantiguamsft reviewed Feb 12, 2026
View reviewed changes
@Jstatia
Address PR feedback: determine key algorithm from cert OID, fix CVE-2…
1430250 
…026-21218, fix redundant ToString

- Refactor LoadCertificateWithPrivateKey to use certificate.PublicKey.Oid.Value
  to determine RSA vs ECDSA instead of trial-and-error exception handling
- Extract ImportPemKey helper to eliminate duplicated encrypted/unencrypted logic
- Update System.Security.Cryptography.Cose from 10.0.0 to 10.0.3 (CVE-2026-21218)
- Fix redundant ToString() calls in MainTests.cs
@elantiguamsft elantiguamsft merged commit 62cdc73 into main Feb 14, 2026
11 checks passed
@elantiguamsft elantiguamsft deleted the users/jstatia/user_feedback branch February 14, 2026 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NN2000X NN2000X NN2000X approved these changes

@elantiguamsft elantiguamsft elantiguamsft approved these changes

Assignees

@JeromySt JeromySt

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@JeromySt @NN2000X @elantiguamsft @Jstatia @actions-user