I am not sure if we should add this now and take a dependency on WixToolset.Dtf.Compression.Cab. Wondering if we should first take a good look at how AggregatingSigner is implemented. It feels like we are now putting too many things in a single place and I wonder if it's a good thing to add this now?

It also looks like that library requires an Open Source Maintenance Fee for: opening or commenting on issues, participating in discussions and downloading releases.

I agree AggregateSigner and ContainerProvider needs some cleanup. But, IMHO, that’s orthogonal to adding this feature.

Also, Microsoft has paid the maintainer’s fee, so maybe you’re already good? 🤷‍♂️

I believe my MSI PR also adds the WixToolset.Dtf.Compression.Cab dependency transitively, so maybe along with that feature it’s justified.

Without CAB and MSI support, this tool really doesn’t live up to its stated design of nested signing.

/cc @robmen in case you have any response to the OSMF FUD

dotnet already takes dependencies on the WiX Toolset and Microsoft does pay the Open Source Maintenance Fee (thank you).

There is no need to call my comment FUD. I only stated what I found on the readme page of that dependency and that this should be some something that should be looked at.

There is no need to call my comment FUD.

My apologies, I forget there's a lot more negative connotations that come with labeling something as FUD nowadays. I just meant it purely in the sense of uncertainty and possible doubt. I'm definitely not accusing anyone of xenophobia or ignorant reluctance!

@bricelam Trying to test this locally, and my MSI is failing to install once I sign the .cab it uses:

I'm probably doing something wrong? I have both a .msi and a .cab then sign the .cab and try to install it via the .msi. If I manually extract the .cab the files inside are signed. I suspect it's because the hash and size of the files are being modified?

Oh interesting, I bet you're right--we probably need to update the MSI after signing the CABs.

Wait. That bug should already exist today without this change. External CAB files are already being signed--just not their contents.

Wait. That bug should already exist today without this change. External CAB files are already being signed--just not their contents.

That did cross my mind too, but it didn't seem to cause any issues. I suspect it's because the contents change and the layout is no longer what it expects or something

I'll dig into it and see what we can do. Hopefully, I'm just re-assembling the CAB file incorrectly (e.g. with a new nested directory or something) and we don't have to update referencing MSI files just because you recursively sign a CAB file.