Closed Siddharth-Srinivas closed 1 year ago
Thank you for the report, would it be possible to download the msi file to investigate this issue? You can send a link privately to ebourg@apache.org if you want.
The MSI example I had shared on the ticket is an internal tool and I’m unable to share it. I can replicate the issue with golang installer provided at the link below:
https://go.dev/dl/go1.15.2.windows-amd64.msi
root@dcd6f73b44b0:~# jsign --storetype JKS --storepass changeit --keystore local.jks --replace --alias local go1.15.2.windows-amd64.msi
Adding Authenticode signature to go1.15.2.windows-amd64.msi
root@dcd6f73b44b0:~# osslsigncode verify -in go1.15.2.windows-amd64.msi
Message digest algorithm : SHA256
Calculated DigitalSignature : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59 MISMATCH!!! FILE HAS 650C0EE4205250256AF96EAC095711880D45954A4DDEAE07063EFB299A53486D
Signature verification: ok
Number of signers: 1
Signer #0:
Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
Issuer : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
Number of certificates: 1
Cert #0:
Subject : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
Issuer : /C=IN/ST=sid/L=sid/O=sid/OU=sid/CN=sid
Failed
root@dcd6f73b44b0:~# apt-cache policy jsign
jsign:
Installed: 3.1
Candidate: 3.1
Version table:
*** 3.1 100
100 /var/lib/dpkg/status
It appears it could be related to using the --replace option; the signature is valid if we sign a previously unsigned MSI.
@Siddharth-Srinivas Several issues related to MSI files have been fixed, could you try again with the latest version of Jsign from git please?
I've verified this now, and the issue seems to have been resolved. It's no longer failing. I've pasted the output below for reference:
Signing:
mvn exec:java -Dexec.mainClass="net.jsign.JsignCLI" -Dexec.args="--storetype JKS --storepass changeit --keystore mystore.jks --replace --alias my-key go1.15.2.windows-amd64.msi"
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------< net.jsign:jsign-cli >-------------------------
[INFO] Building Jsign - Authenticode signing in Java (Command Line Tool) 5.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- exec-maven-plugin:3.1.0:java (default-cli) @ jsign-cli ---
ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
^@
Adding Authenticode signature to go1.15.2.windows-amd64.msi
^@
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:53 min
[INFO] Finished at: 2023-06-07T12:03:24+05:30
[INFO] ------------------------------------------------------------------------
Verification:
osslsigncode verify -in go1.15.2.windows-amd64.msi
Message digest algorithm : SHA256
Calculated DigitalSignature : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59
Signature verification: ok
Number of signers: 1
Signer #0:
Subject : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
Issuer : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
Number of certificates: 1
Cert #0:
Subject : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
Issuer : /C=IN/ST=sid\x00/L=sid/O=sid/OU=sid/CN=sid
Succeeded
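The two osslsigncode transcripts in this thread show why a verifier should not stop at "Signature verification: ok": with the broken --replace signature the PKCS#7 signature itself checks out, but the embedded Authenticode digest does not match the file and the final verdict is Failed. As an added example (not part of this issue or of Jsign), here is a Python parser over constructed copies of those transcripts that extracts both facts and only reports the file as trustworthy when the digest matches and the verdict is Succeeded:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples modelled on the osslsigncode transcripts in this thread (only the lines we parse).
BROKEN = """Message digest algorithm : SHA256
Calculated DigitalSignature : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59 MISMATCH!!! FILE HAS 650C0EE4205250256AF96EAC095711880D45954A4DDEAE07063EFB299A53486D
Signature verification: ok
Number of signers: 1
Failed
"""
FIXED = """Message digest algorithm : SHA256
Calculated DigitalSignature : 20E6D9192B0A70C5D5987EA364C387DA68B35432E09B3711DD141516040EAE59
Signature verification: ok
Number of signers: 1
Succeeded
"""

# Matches the digest line with or without the MISMATCH suffix osslsigncode prints.
DIGEST_RE = re.compile(
    r"Calculated DigitalSignature\s*:\s*([0-9A-Fa-f]+)"
    r"(?:\s+MISMATCH!!! FILE HAS ([0-9A-Fa-f]+))?"
)

@dataclass
class VerifyResult:
    signature_ok: bool      # PKCS#7 signature over the signed attributes checked out
    digest_match: bool      # digest recomputed from the file equals the one stored in the signature
    computed: str           # digest osslsigncode recomputed from the MSI content
    stored: Optional[str]   # digest embedded in the signature (None if the line was not found)
    verdict: str            # final "Succeeded" / "Failed" line, or "unknown"

    @property
    def trustworthy(self) -> bool:
        # "Signature verification: ok" alone is not enough: the content digest must also match.
        return self.signature_ok and self.digest_match and self.verdict == "Succeeded"

def parse_verify_output(text: str) -> VerifyResult:
    m = DIGEST_RE.search(text)
    computed = m.group(1).upper() if m else ""
    # Without a MISMATCH suffix the stored digest equals the computed one.
    stored = (m.group(2) or m.group(1)).upper() if m else None
    signature_ok = re.search(r"^Signature verification: ok$", text, re.M) is not None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    verdict = lines[-1] if lines and lines[-1] in ("Succeeded", "Failed") else "unknown"
    digest_match = bool(computed) and stored == computed
    return VerifyResult(signature_ok, digest_match, computed, stored, verdict)
```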
Great! Thank you for checking.
Hi,
I was trying Authenticode signatures on different files with Jsign, but signatures made on .msi files fail to verify successfully. Signatures made on .exe files verify successfully. Tried this with a local keypair and a PKCS11 keypair; in both scenarios it fails.
In the example below I've used osslsigncode to verify the signature. For confirmation, the file was copied to a Windows environment, and it fails to verify there too.
I've tried with both the latest source code built from master and also Jsign 3.1. Fails to verify in both.
Exe Signature:
MSI Signature: