Feature Request: Scan assemblies in VSIX/MSI packages

[brettfo]

The Microsoft/visualfsharp repo uses this tool in our official build to ensure assemblies were signed appropriately. It would be beneficial if this tool could also peek inside VSIX (zip archive) and MSI packages (COM structured storage?) to ensure our installers were created with the signed versions of binaries.

[michaelcfanning]

This is a reasonable request. We have avoided adding decompression to the tool so far in the spirit of ensuring that we remain focused on doing the best job possible with a narrow charter, inspecting portable executables.

If we add decompression, there is a large body of complexity that comes along with it. This includes figuring out how to decompress/stream binaries in order to analyze them. Naïve approaches like expanding to disk are slow, can fill the disk, create file paths that are too long, etc.

Obviously, there are many archive producers out there and they don't always emit various formats in a consistent way. Some producers emit nulls in the middle of streams which are handled in different ways by different decompression technologies. Generally, the .NET libraries do a decent job in this regard but I have seen failures.

I'm glad to keep discussing this topic. I can look around to see what the state of the world is as far as supporting libraries for the scenario. Maybe things have improved since last look.

[Evmaus-MS]

Changing Title from "Feature Request: Scan assemblies in VSIX/MSI packages" to "Feature Request: Scan assemblies in installers/packages".

This also should cover .zip flavor archives, like .nupkg and .cspkg

[mattleibow]

I was just about to ask where my auto-nupkg scanning is :)