Fix .NET and mage compatibility in KMS CNG Provider #71

Open
hlshen wants to merge 3 commits into GoogleCloudPlatform:master from hlshen:fix-dotnet-compat


hlshen (Contributor) commented Jun 11, 2026

This change resolves compatibility issues between the Google Cloud KMS CNG provider and tools running on the .NET runtime (such as dotnet/sign / Sign CLI) as well as the Windows SDK tool mage.exe.

Background & Context
During the migration of our VSIX (VS Code extension) signing pipeline to the 64-bit dotnet/sign tool, we encountered blocking failures. The .NET implementation of dotnet/sign failed to interface with the KMS CNG provider (kmscng.dll).

Deep dive investigation revealed two distinct root causes in the CNG provider that blocked .NET tools:

1. Missing Key Length Properties: The provider did not expose the key length, which .NET strictly requires.
2. Strict Flag Validation: The provider rejected the NCRYPT_PERSIST_ONLY_FLAG flag, which .NET and mage commonly pass.

This PR addresses both issues with minimal, low-risk changes.

fixes #69
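
The two root causes described in the comment above, as an added sketch that is not the PR's code or the provider's own source: a flag check that tolerates NCRYPT_PERSIST_ONLY_FLAG through an explicit allow-list while still rejecting unknown bits, and a "Length" property answered with the CNG size-query convention. `DemoKey`, `ValidateFlags`, `GetKeyProperty` and `ReadKeyLength` are hypothetical names; that the flag arrives on the property getter, and that tolerating it means still returning the built-in length, are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <cwchar>

// Values as defined in the Windows SDK (ncrypt.h / winerror.h), redeclared
// here so the sketch builds without the SDK.
constexpr uint32_t kErrorSuccess          = 0;
constexpr uint32_t kNteBadFlags           = 0x80090009;  // NTE_BAD_FLAGS
constexpr uint32_t kNteBufferTooSmall     = 0x80090028;  // NTE_BUFFER_TOO_SMALL
constexpr uint32_t kNteNotSupported       = 0x80090029;  // NTE_NOT_SUPPORTED
constexpr uint32_t kNcryptSilentFlag      = 0x00000040;  // NCRYPT_SILENT_FLAG
constexpr uint32_t kNcryptPersistOnlyFlag = 0x40000000;  // NCRYPT_PERSIST_ONLY_FLAG

// Hypothetical key object; key_bits would come from the KMS key's algorithm.
struct DemoKey { uint32_t key_bits; };

// Allow-list check: known flags pass, every other bit is still rejected.
uint32_t ValidateFlags(uint32_t flags, bool tolerate_persist_only) {
  uint32_t allowed = kNcryptSilentFlag;
  if (tolerate_persist_only) allowed |= kNcryptPersistOnlyFlag;
  return (flags & ~allowed) ? kNteBadFlags : kErrorSuccess;
}

// Hypothetical property getter following the CNG size-query convention:
// a null output buffer asks only for the required size.
uint32_t GetKeyProperty(const DemoKey& key, const wchar_t* name, uint8_t* out,
                        uint32_t out_cap, uint32_t* out_len, uint32_t flags,
                        bool tolerate_persist_only) {
  if (uint32_t st = ValidateFlags(flags, tolerate_persist_only)) return st;
  if (std::wcscmp(name, L"Length") != 0) return kNteNotSupported;
  *out_len = sizeof(uint32_t);               // Length is a DWORD, in bits
  if (out == nullptr) return kErrorSuccess;  // size query only
  if (out_cap < sizeof(uint32_t)) return kNteBufferTooSmall;
  std::memcpy(out, &key.key_bits, sizeof(uint32_t));
  return kErrorSuccess;
}

// Caller-side two-step read (size, then value); returns 0 on any failure.
uint32_t ReadKeyLength(const DemoKey& key, uint32_t flags, bool tolerant) {
  uint32_t need = 0, bits = 0;
  if (GetKeyProperty(key, L"Length", nullptr, 0, &need, flags, tolerant)) return 0;
  if (need != sizeof(bits)) return 0;
  if (GetKeyProperty(key, L"Length", reinterpret_cast<uint8_t*>(&bits),
                     sizeof(bits), &need, flags, tolerant)) return 0;
  return bits;
}

int main() {  // constructed sample: 2048-bit key, flag set, tolerant provider
  return ReadKeyLength(DemoKey{2048}, kNcryptPersistOnlyFlag, true) == 2048 ? 0 : 1;
}
```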

tdbhacks pushed a commit that referenced this pull request Jun 17, 2026
This unblocks .NET and mage compatibility in CNG provider.

Original PR:
#71

Bug: b/507187574
Bug: b/522970646
Change-Id: Ia29a30525d14860a38ed0a43b688bfc354f182b7
Development

Successfully merging this pull request may close these issues.

Incompatible with mage
