Recently I had the joy of busting open the cryptographic documentation to figure out how to sign a file, and verify that signature.
There are a lot of documentations for .NET Framework - but it's pretty damn sparse for working in UWP, and I assume .NET Core.

This is serving as my external brain on how to sign and verify for UWP.


We're just signing a file to be able to prove it came from ourselves. Some on-prem and cloud based communication verification.

The Signing Code

byte[] certificateBytes = File.ReadAllBytes(pathToCertificate));

X509Certificate2 x509Certificate = new X509Certificate2(certificateBytes, certificatePassword);

RSA rsaPrivateKey = x509Cert.GetRSAPrivateKey();

byte[] signatureData = rsaPrivateKey.SignData(byteArrayToSign, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

Pretty straigt forward. It's just finding the order of doing things when it's not documented that becomes a PIA.

The Verify Code

IBuffer certBytes = await FileIO.ReadBufferAsync(await StorageFile.GetFileFromApplicationUriAsync(_certificateLocationUri));

X509Certificate2 publicKeyCert = new X509Certificate2(certBytes.ToArray());
AsymmetricKeyAlgorithmProvider asymmetricKeyAlgorithmProvider = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithmNames.RsaSignPkcs1Sha256);

CryptographicKey cryptoKey asymmetricKeyAlgorithmProvider.ImportPublicKey(publicKeyCert.PublicKey.EncodedKeyValue.RawData.AsBuffer(), CryptographicPublicKeyBlobType.Pkcs1RsaPublicKey);

bool verified = CryptographicEngine.VerifySignature(cryptoKey, byteArrayOfSigned, signatureData);

The byteArrayOfSigned is the same data as byteArrayToSign and the signatureData is the same data in signing and verifying.


Again - This is all really simple - unless you don't know how to do it. Then it's a giant pain.
I managed to figure it out by a few "shot in the dark" attempts.

That's all for this quick shot.