Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

test_pe_cert_trust fails after 2024-07-28 #1300

Status: Closed (bmwiedemann closed this 2 months ago)

bmwiedemann commented 3 months ago

While working on reproducible builds for openSUSE (sponsored by the NLnet NGI0 fund), I found that our clamav 1.3.1 package fails a test after 2024-07-28.

How to reproduce the problem

Run the tests with the clock set to 2024-07-29, e.g. on openSUSE I do

osc checkout openSUSE:Factory/clamav && cd $_
osc build --vm-type=kvm --noservice --clean --build-opt=--vm-custom-opt="-rtc base=2024-07-29T00:00:00" standard

Attachments

FAILED clamscan/assorted_test.py::TC::test_pe_cert_trust - AssertionError: as...

Background: As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. The usual offset is +16 years, because that is how long I expect some software will be used in some places. This showed up failing tests in our package build. See https://reproducible-builds.org/ for why this matters.

Kangie commented 3 months ago

Let's see.

self.step_name('Test that clam can trust an EXE based on an authenticode certificate check.')

Your test output is truncated, but looking at the test I assume we're failing to validate the certificate because it's not valid in 15 years.

The test.exe that this function evaluates is checked into the repo here: https://github.com/Cisco-Talos/clamav/blob/main/unit_tests/input/pe_allmatch/test.exe

I suspect that getting a signed bin that's valid for 15 years is likely to be more trouble than you excluding this test for reproducible builds :)

@micahsnyder is there any context that you can share around this?

n.b. I'm sure that you will uncover many legitimate bugs through this process, and please don't let me discourage you, but I feel like any users still running current versions of ClamAV in 15+ years have bigger problems than this given the lack of signature updates (etc).

bmwiedemann commented 3 months ago

The certificate likely expires in 3 weeks, so something needs to be done about it soon anyway.

In other projects, we use a CA/certs that expire in 1000y. Or does it have to be signed by some official authority? Maybe there is a way to use a custom test-CA for that test? Or a way to use a custom "current" date?

Kangie commented 3 months ago

> The certificate likely expires in 3 weeks, so something needs to be done about it soon anyway.

Oops, I did miss that!

micahsnyder commented 3 months ago

I think I found the -days openssl options responsible for the short-lived cert: https://github.com/Cisco-Talos/clamav/blob/main/unit_tests/input/pe_allmatch/test-exe-src/build.py#L122-L139

I also managed to track down the code which generated the signatures used in our tests. I'll see if I can modify this and then generate a new test executable and associated signatures so that the certificate won't expire so quickly.
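To make the expiry mechanics concrete, here is an added example (not ClamAV's build.py and not the project's signing tooling) that builds a throwaway test CA plus a code-signing leaf with a configurable `-days` lifetime, then asks openssl whether the chain still verifies at a chosen future date, which is the check a clock-shifted reproducible build effectively performs. It assumes only the openssl CLI; producing the Authenticode-signed PE itself is a separate step not shown here.

```shell
#!/bin/sh
# Added example, not ClamAV code. Shows how the -days value chosen when the
# test certificates are generated decides whether a test run in the future
# can still trust them. Assumes the openssl CLI is installed.

# make_test_chain DIR DAYS
#   Writes ca.pem / leaf.pem into DIR; both certs live for DAYS days.
make_test_chain() {
    dir="$1"; days="$2"
    mkdir -p "$dir"
    # Self-signed test CA. The -days value here is the knob that made the
    # original test certificate short-lived.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Test CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Leaf key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test Code Signer (constructed)" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    # Mark the leaf as a code-signing certificate, not a CA.
    printf 'extendedKeyUsage=codeSigning\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days "$days" -sha256 \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# chain_valid_at DIR EPOCH_SECONDS
#   Returns 0 if leaf.pem chains to ca.pem and both are within their
#   validity window at the given time (what a clock-shifted build sees).
chain_valid_at() {
    openssl verify -attime "$2" -CAfile "$1/ca.pem" "$1/leaf.pem" \
        >/dev/null 2>&1
}
```

Running `make_test_chain` with 30 days and checking 16 years ahead reproduces the failure mode in this issue; the same chain built with a multi-decade lifetime passes.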

micahsnyder commented 3 months ago

@bmwiedemann @Kangie I have a fix for this. Can you take a look and tell me if you think it makes sense?