Binskim BA2004 Issue with .NET 8.0

[snehara99]

Hi we are part of the Microsoft Azure Sphere team. We are getting a 'BA2004: EnableSecureSourceCodeHashing' error when updating a project to .NET 8.0 from .NET Standard 2.0. We added the <ChecksumAlgorithm>SHA256</ChecksumAlgorithm> property to our .csproj file, but the error persists.

I used the ildasm tool to inspect the hash algorithm in the manifest of the dll producing the error and saw the following:

.hash algorithm 0x00008004

'0x00008004' corresponds to the ‘SHA-1’ algorithm which is why I think Binskim is producing the warning. Based on this github issue, this hash algorithm that Binskim is identifying from the dll manifest is separate from the one we are setting with checksum and this one from the manifest is actually meant to be ‘SHA-1’ based on the ECMA-335 spec they link in the issue:

The hash algorithm that checksum specifies is written to the PDB. We were wondering if Binskim could account for this and not produce an error since the rational is provided in the ECMA-335 spec.

[AllDwarf]

https://github.com/stakx/ecma-335/blob/master/docs/ii.6.2.1.1-hash-algorithm.md Just to explicitly show here the ECMA paragraph.

I will update the thread once we well debug it on the BinSkim side. Thanks