Description
openedon Jan 24, 2018
Background
The PE file (.dll, .exe) currently stores a GUID and a 4B timestamp, which comprise PDB ID, in the debug directory that uniquely identify the content of the Portable PDB. PDB ID is calculated using SHA1 hash in deterministic builds and as random time-based bits in non-deterministic build.
PDB ID allows the debugger to find the right PDB for given PE file. PDB ID is however not good enough for security purposes, when we need to detect whether the PDB content was tempered with. To allow such check we need to use stronger hash. The hash algorithm also needs to be configurable so that it can be upgraded to even stronger one in future.
Proposal
When emitting Portable PDB the compiler uses a given crypto algorithm (SHA-256 by default) to calculate hash of the PDB content. It stores the algorithm id and the full hash to a new debug directory entry. In deterministic build it uses 20B of the hash to calculate PDB ID.
TODO:
- Portable PDB
- Windows PDB
We also need to add an off-switch for Windows PDBs since some tools do not recognize the new PDB Checksum debug directory entry and report an error.