Skip to content

Update package inspector to generate SHA-512 along with SHA-1 #2324

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 2, 2025
Merged

Update package inspector to generate SHA-512 along with SHA-1 #2324

merged 3 commits into from
Jul 2, 2025

Conversation

p3dr0rv
Copy link
Collaborator

@p3dr0rv p3dr0rv commented Jul 1, 2025
edited
Loading

Additionally, I suppress a CodeQL regarding the use of SHA-1, why because we are still using sha1 in the redirect urls and we cannot force apps to update the signature.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 1, 2025

❌ Work item link check failed. Description does not contain AB#{ID}.

Click here to Learn more.

@p3dr0rv p3dr0rv added No-Changelog This change does not update the changelog. skip AB ID validation labels Jul 1, 2025
@p3dr0rv p3dr0rv marked this pull request as ready for review July 1, 2025 18:02
@Copilot Copilot AI review requested due to automatic review settings July 1, 2025 18:02
@p3dr0rv p3dr0rv requested a review from a team as a code owner July 1, 2025 18:02
Copilot
Copilot AI reviewed Jul 1, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the package inspector by adding SHA-512 hash generation alongside the existing SHA-1 output and suppresses a CodeQL SM05136 warning in MSAL.

  • Renamed packageSigningSha to signingCertificateHashes and included SHA-512 calculation in MainActivity.
  • Annotated legacy SHA-1 usage with a CodeQL suppression in PublicClientApplicationConfiguration.
  • Updated message composition to display both hash values.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
package-inspector/src/main/java/com/microsoft/inspector/MainActivity.java Renamed variable, added SHA-512 digest, updated message assignment.
msal/src/main/java/com/microsoft/identity/client/PublicClientApplicationConfiguration.java Added CodeQL suppression comment for SHA-1 instantiation.
Comments suppressed due to low confidence (2)

package-inspector/src/main/java/com/microsoft/inspector/MainActivity.java:148

  • The comment "This is only for test purposes, not used in production" is misleading; update it to reflect that SHA-1 is retained for legacy support in production.
                        final MessageDigest digestSha1 = MessageDigest.getInstance("SHA"); // CodeQL [SM05136] This is only for test purposes, not used in production.

package-inspector/src/main/java/com/microsoft/inspector/MainActivity.java:156

  • Consider adding or updating unit tests to verify both SHA-1 and SHA-512 hash generation to ensure the new SHA-512 logic is covered.
                        signingCertificateHashes = "SHA-1: " + packageSigningSha1 + "\nSHA-512: " + packageSigningSha512;

@p3dr0rv p3dr0rv merged commit c869650 into dev Jul 2, 2025
20 of 21 checks passed
@p3dr0rv p3dr0rv deleted the pedroro/pacakge-inspector-getsha512 branch July 2, 2025 21:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@fadidurah fadidurah fadidurah approved these changes

@melissaahn melissaahn melissaahn approved these changes

Assignees
No one assigned
Labels
msal No-Changelog This change does not update the changelog. package-inspector skip AB ID validation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@p3dr0rv @fadidurah @melissaahn