Add sha256 hash to NuGet symbols
🎊 Context
In the efforts to support the symbol server capability for the NuGet package registry symbol packages, we are now ready to serve the debugging files .pdb to the consuming debuggers such as Visual Studio. How do those debuggers consume the symbol debugging files?
Aside from all the debugger configuration details, what matters here is the request the debugger sends to the symbol server. The request doesn't have authentication credentials; however, it includes the needed parameters that we can use to make sure the request is legitimate.
The debugger request has this form: <symbol_server_url>/:file_name/:signature/:file_name
By using the :file_name and :signature params, we can serve the right .pdb file. The signature can be considered as a kind of authentication token since it cannot be known unless the debugger has the executable of the NuGet package .dll. The signature is hashed inside this executable .dll and in the debugging file .pdb.
In NuGet Repository, we index the .pdb files by storing their names and signatures. So we can receive the request from the debugger, and then look into the packages_nuget_symbols file to find the matching record using the :file_name and :signature.
However, this is not good enough for security purposes. The .pdb file might have the matching filename and signature, but what if the file itself was tampered with or changed in any harmful way? In this case, the debugger will download a malicious file and we will serve it as well. A lose-lose situation.
To solve this threat and make sure the debugger pulls the intended correct file, the request will include a header named Symbolchecksum. This header holds the sha256 hash of the requested file. This hash is stored in the executable .dll. So the server is responsible for matching this sha256 hash with the requested .pdb file.
🔥 Solution
Calculate the sha256 hash of the .pdb file and store this hash in the database.
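The check described above, as an added example that is not the project's own code: the digest is computed once when the .pdb is indexed, and a request is served only when file name, signature and the Symbolchecksum value all match the stored record. The SymbolIndex class, its status symbols, the sample bytes and the acceptance of an optional "SHA256:" prefix on the header value are assumptions of this example.

```ruby
require 'digest'
require 'openssl'

# Hypothetical in-memory stand-in for the symbol index: one record per .pdb,
# keyed by file name and signature, with the sha256 stored at indexing time.
class SymbolIndex
  Record = Struct.new(:sha256, :content)

  def initialize
    @records = {}
  end

  # Indexing step: hash the .pdb bytes once and keep the digest with the record.
  def add(file_name, signature, content)
    @records[key(file_name, signature)] =
      Record.new(Digest::SHA256.hexdigest(content), content)
  end

  # Request step for <symbol_server_url>/:file_name/:signature/:file_name.
  # Returns [status, body]; the status symbols are this example's own.
  def fetch(file_name, signature, checksum_header)
    record = @records[key(file_name, signature)]
    return [:not_found, nil] unless record

    claimed = normalize(checksum_header)
    # A missing or malformed header fails closed, same as a wrong digest.
    return [:checksum_mismatch, nil] unless claimed &&
                                            OpenSSL.secure_compare(claimed, record.sha256)

    [:ok, record.content]
  end

  private

  def key(file_name, signature)
    [file_name.to_s.downcase, signature.to_s.downcase]
  end

  # Accepts a bare hex digest or one prefixed with "SHA256:" (assumed format).
  def normalize(header)
    value = header.to_s.strip.downcase.delete_prefix('sha256:')
    value.match?(/\A\h{64}\z/) ? value : nil
  end
end

if __FILE__ == $PROGRAM_NAME
  index = SymbolIndex.new
  pdb = 'constructed sample pdb bytes'.b # constructed, not a real PDB
  index.add('demo.pdb', 'constructed-signature', pdb)
  p index.fetch('demo.pdb', 'constructed-signature', Digest::SHA256.hexdigest(pdb)).first
end
```
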