Closed markt-asf closed 2 years ago
The non padded file was the NSIS installer?
It was definitely the NSIS uninstaller. It may have been the installer as well but an issue with the Tomcat build script meant that the re-attached signature for the installer was always going to be invalid.
Hmm. My proposed patch may have triggered the file locking issue again.
I'm not even sure the checksum is properly computed when the file isn't padded, the tests don't cover this case.
I'd expected the code to:
PEFile#setSignature()
, currently this is performed by AuthenticodeSigner#sign()
and it doesn't feel at the right place, the signer code should be format agnostic.I'll investigate further, thank you for reporting this.
Ack. I found the other file locking issue and updated the PR to include the hack I am currently using to work around it. I did wonder if refactoring signer.sign() and attach() so they both accepted a Signable instance would help. Regardless, I'm sure my hacks are just that and aren't the best long term solution but hopefully they do at least serve to demonstrate the issue and provide a hint to the right solution.
I've made a couple of changes that should cover the case of a non padded file signed with a detached signature, could you give it a try? I haven't looked at the file locking issue yet.
LGTM. I re-ran my signing the uninstaller test and adding the detached signature results in a valid signature (as far as Windows is concerned) whereas before your change it would result in an invalid signature.
Thank you for checking, I've also merged the locking fix. Time to release now.
I did wonder if refactoring signer.sign() and attach() so they both accepted a Signable instance would help.
I've implemented your suggestion. AuthenticodeSigner.sign()
no longer closes the file, Signable
is now Closeable
, attach/detach work directly on the signable, and a single try-with-resource encompasses the whole sign/attach/detach operation. That's much cleaner!
I spotted this testing repeatable builds with Apache Tomcat. This might not be the right way to fix the issue generally but it does fix the issue I was seeing. In short, when re-attaching the signature the PE file needs to be padded to a multiple of 8 bytes first - just like it is when signing the PE file directly.