ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

MSI Signature verification fails for signatures made with jsign #111

Closed Siddharth-Srinivas closed 1 year ago

Siddharth-Srinivas commented 2 years ago

Hi,

I was trying Authenticode signatures on different files with jsign, but signatures made on .msi files fail to verify successfully. Signatures made on .exe files verify successfully. I tried this with a local keypair and a PKCS11 keypair; it fails in both scenarios.

In the example below I've used osslsigncode to verify the signature. For confirmation, the file was copied to a Windows environment, and it fails to verify there too.

I've tried with both the latest source code built from master and also jsign 3.1. It fails to verify in both.

Exe Signature:

root@dcd6f73b44b0:~# jsign --storetype JKS --storepass **** --keystore local.jks --replace --alias local smctl.exe
Adding Authenticode signature to smctl.exe
root@dcd6f73b44b0:~# osslsigncode verify -in smctl.exe
Current PE checksum   : 008CDCA5
Calculated PE checksum: 008C852C     MISMATCH!!!!

Message digest algorithm  : SHA256
Current message digest    : F1EAA7F3FCBFCF7243854519CAA8E92B43DBB883DF396FC06455B5D752615157
Calculated message digest : F1EAA7F3FCBFCF7243854519CAA8E92B43DBB883DF396FC06455B5D752615157

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject: /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Serial : 2CBF3460

Number of certificates: 1
        Cert #0:
                Subject: /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Serial : 2CBF3460

Succeeded

MSI Signature:

root@dcd6f73b44b0:~# jsign --keystore local.jks --storepass **** --storetype JKS --replace --alias local smtools-windows-x64.msi
Adding Authenticode signature to smtools-windows-x64.msi

root@dcd6f73b44b0:~# osslsigncode verify -in smtools-windows-x64.msi
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 1E1FEB43B7893BD5BD85915FD50C91F347F728FF15115378BED045A562B27180    MISMATCH!!! FILE HAS D39BE20339E37DA29227BB33FBC483CAE1550A62EC68B5375056A455081F9252

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid

Number of certificates: 1
        Cert #0:
                Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid

Failed
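The MSI transcripts above show the two checks osslsigncode performs coming apart: `Signature verification: ok` because the PKCS#7 signature itself is valid, yet `Failed` because the digest recorded inside the MSI does not match the file content. As an added example (not jsign's or osslsigncode's own code), a parser for that output that keeps the two checks separate, so a CI gate cannot be fooled by the `ok` line alone; the samples are constructed, condensed from this issue's transcripts.

```python
# Added example (not jsign or osslsigncode code): parse `osslsigncode verify` output.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class VerifyResult:
    algorithm: Optional[str]
    stored_digest: Optional[str]      # digest recorded inside the signature
    calculated_digest: Optional[str]  # digest osslsigncode recomputed over the file
    signature_ok: bool                # the PKCS#7 signature itself verified
    succeeded: bool                   # osslsigncode's final verdict line

    @property
    def digest_matches(self) -> bool:
        return self.stored_digest is not None and self.stored_digest == self.calculated_digest

_ALG = re.compile(r"^Message digest algorithm\s*:\s*(\S+)", re.M)
# PE output prints stored/recomputed digests on two lines; MSI output prints one line and
# appends the file's digest only on mismatch. PE checksum MISMATCH lines are ignored on purpose.
_PE = re.compile(r"^Current message digest\s*:\s*(\w+)\s*^Calculated message digest\s*:\s*(\w+)", re.M)
_MSI = re.compile(r"^Calculated DigitalSignature\s*:\s*(\w+)(?:\s+MISMATCH!+\s+FILE HAS\s+(\w+))?", re.M)

def parse_verify_output(text: str) -> VerifyResult:
    stored = calculated = None
    if m := _MSI.search(text):
        calculated, stored = m.group(1), m.group(2) or m.group(1)
    elif m := _PE.search(text):
        stored, calculated = m.group(1), m.group(2)
    alg = _ALG.search(text)
    return VerifyResult(
        algorithm=alg.group(1) if alg else None,
        stored_digest=stored and stored.upper(),
        calculated_digest=calculated and calculated.upper(),
        signature_ok=bool(re.search(r"^Signature verification: ok\s*$", text, re.M)),
        succeeded=bool(re.search(r"^Succeeded\s*$", text, re.M)),
    )

def gate(text: str) -> bool:
    """True only when osslsigncode succeeded, the signature verified and the digest matches."""
    r = parse_verify_output(text)
    return r.succeeded and r.signature_ok and r.digest_matches

# Constructed samples condensed from the transcripts in this issue (digests shortened).
MSI_BAD = ("Message digest algorithm         : SHA256\n"
           "Calculated DigitalSignature      : 20E6D919    MISMATCH!!! FILE HAS 650C0EE4\n"
           "\nSignature verification: ok\n\nFailed\n")
PE_OK = ("Current PE checksum   : 008CDCA5\nCalculated PE checksum: 008C852C     MISMATCH!!!!\n"
         "Message digest algorithm  : SHA256\nCurrent message digest    : F1EAA7F3\n"
         "Calculated message digest : F1EAA7F3\n\nSignature verification: ok\n\nSucceeded\n")
```

In a pipeline, feed `gate()` the captured stdout of `osslsigncode verify -in <file>` and fail the build when it returns False.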
ebourg commented 2 years ago

Thank you for the report, would it be possible to download the msi file to investigate this issue? You can send a link privately to ebourg@apache.org if you want.

Siddharth-Srinivas commented 2 years ago

The MSI example I had shared on the ticket is an internal tool and I'm unable to share it. I can replicate the issue with the golang installer provided at the link below:

https://go.dev/dl/go1.15.2.windows-amd64.msi

root@dcd6f73b44b0:~# jsign --storetype JKS --storepass changeit --keystore local.jks --replace --alias local go1.15.2.windows-amd64.msi
Adding Authenticode signature to go1.15.2.windows-amd64.msi

root@dcd6f73b44b0:~# osslsigncode verify -in go1.15.2.windows-amd64.msi
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59    MISMATCH!!! FILE HAS 650C0EE4205250256AF96EAC095711880D45954A4DDEAE07063EFB299A53486D

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid

Number of certificates: 1
        Cert #0:
                Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid

Failed

root@dcd6f73b44b0:~# apt-cache policy jsign
jsign:
  Installed: 3.1
  Candidate: 3.1
  Version table:
 *** 3.1 100
        100 /var/lib/dpkg/status
michaelst commented 1 year ago

It appears it could be related to using the --replace option; the signature is valid if we sign a previously unsigned msi.

ebourg commented 1 year ago

@Siddharth-Srinivas Several issues related to MSI files have been fixed. Could you try again with the latest version of Jsign from git, please?

Siddharth-Srinivas commented 1 year ago

I've verified this now, and the issue seems to have been resolved. It's no longer failing. I've pasted the output below for reference:

Signing:

mvn exec:java -Dexec.mainClass="net.jsign.JsignCLI" -Dexec.args="--storetype JKS --storepass changeit --keystore mystore.jks --replace --alias my-key go1.15.2.windows-amd64.msi"
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------< net.jsign:jsign-cli >-------------------------
[INFO] Building Jsign - Authenticode signing in Java (Command Line Tool) 5.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- exec-maven-plugin:3.1.0:java (default-cli) @ jsign-cli ---
ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
^@
Adding Authenticode signature to go1.15.2.windows-amd64.msi
^@

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:53 min
[INFO] Finished at: 2023-06-07T12:03:24+05:30
[INFO] ------------------------------------------------------------------------

Verification:

osslsigncode verify -in go1.15.2.windows-amd64.msi
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid

Number of certificates: 1
        Cert #0:
                Subject : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
                Issuer  : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid

Succeeded
ebourg commented 1 year ago

Great! Thank you for checking.