Closed (turalf closed this issue 1 year ago)
That's probably because Jsign doesn't remove the existing extended signature, it only replaces the non-extended signature.
@turalf The extended signature is now better handled, you can add a signature without replacing it when there is an extended signature entry in the MSI file. Replacing the signature also works, but I've found some edge cases where the new signature is still invalid.
When `--replace` signing an `.msi` file that has an extended signature, the verification of the file fails. To reproduce:
`osslsigncode`?). Or use a file that already has an extended signature.
`jsign` and `--replace` flag to remove the current signature and add fresh one.
`signtool` in Windows). Verification fails.

Expected behavior: If `jsign` does not support extended signatures, probably it is better to reject the signing request even with `--replace` flag passed in. If that flag is not provided, `jsign` properly rejects with that message `jsign: The file has an extended signature which isn't supported by Jsign, it can't be signed without replacing the existing signature`

However, if `jsign` is supposed to support replacing the extended signatures as well, I guess that is a legitimate bug.
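A pre-signing check for the case reported above, added here as an example and not taken from Jsign or from this thread: it walks the compound-file directory of an MSI and reports whether the signature and extended-signature streams are present, so a pipeline can flag files that need verification after re-signing. The stream names `\x05DigitalSignature` and `\x05MsiDigitalSignatureEx` are the standard MSI names and are not quoted on this page; `sample_msi` builds a constructed three-sector file instead of reading a real installer.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
MAX_SECTOR = 0xFFFFFFFA                       # values at or above this are markers
SIG, SIG_EX = "\x05DigitalSignature", "\x05MsiDigitalSignatureEx"

def directory_names(data):
    """Return every directory entry name in a compound file (the MSI container)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]       # sector size
    first_dir, = struct.unpack_from("<I", data, 48)
    difat_next, n_difat = struct.unpack_from("<II", data, 68)
    difat = list(struct.unpack_from("<109I", data, 76))     # FAT sectors listed in header
    for _ in range(n_difat):                                 # large files chain DIFAT sectors
        words = struct.unpack_from("<%dI" % (size // 4), data, (difat_next + 1) * size)
        difat, difat_next = difat + list(words[:-1]), words[-1]
    fat = []
    for s in difat:
        if s < MAX_SECTOR:
            fat += struct.unpack_from("<%dI" % (size // 4), data, (s + 1) * size)
    names, sector, seen = [], first_dir, set()
    while sector < len(fat) and sector not in seen:          # follow the directory chain
        seen.add(sector)
        for off in range((sector + 1) * size, (sector + 2) * size, 128):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
            if obj_type and 2 <= name_len <= 64:             # skip unallocated entries
                names.append(data[off:off + name_len - 2].decode("utf-16-le"))
        sector = fat[sector]
    return names

def signature_state(data):
    """Report which signature streams the MSI carries."""
    names = directory_names(data)
    return {"signed": SIG in names, "extended": SIG_EX in names}

def sample_msi(streams):
    """Constructed minimal file: header, sector 0 = FAT, sector 1 = directory."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)       # one FAT sector, directory at sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[0xFFFFFFFF] * 126)
    directory = b""
    for i, name in enumerate(["Root Entry"] + streams):      # at most 3 streams fit
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), 5 if i == 0 else 2) + bytes(61)
    return bytes(hdr) + fat + directory.ljust(512, b"\0")
```

On a real file, pass the bytes read from the `.msi`; a result with `extended` set marks the files where the signature should be verified again after any `--replace` run.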