Closed netmackan closed 1 year ago
What kind of problems were reported? Invalid signatures?
I'm fine with aligning Jsign with signtool, your PR will be welcome.
I do not have the exact details yet but the user saw that the new signatures made some systems fail to run the signed binaries. I guess that could be due to signature verification failure or even failure to parse the signature when the expected parameters were absent, not sure.
I have created PR #140.
It has been reported that the signatures changed between one version and another and we have tracked this down to be a change introduced in Bouncy Castle version 1.69 (probably) where it stopped including the NULL parameters in SHA2 DigestAlgorithmIdentifiers in CMSSignedData.
As far as I can tell this change follows RFC 5754 and should be the right thing for CMS in general but I am not sure if it is right for Authenticode (?). At least we have got reports that systems are having problems with this change, and this also differs from what signtool does, which still generates the NULL parameters.
Diff between Jsign and SignTool shows that SignTool still includes these NULL parameters:
What is your opinion on what the right thing would be here, should we switch back to encoding the NULL params as that should be safe given it is what signtool produces? If you agree, I can submit a PR for that?
Cheers,