search

ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0
250 stars 107 forks source link

Failure to replace an extended signature #143

Closed turalf closed 1 year ago

turalf commented 1 year ago

When --replace signing an .msi file that has an extended signature, the verification of the file fails. To reproduce:

  1. Get the file signed with an extended signature (maybe osslsigncode?). Or use a file that already has an extended signature. 
    osslsigncode sign -h sha256 -pkcs12 <keyfile> -pass <password> -in <infile> -out <outfile>
  2. Use jsign and --replace flag to remove the current signature and add fresh one. 
    jsign --replace <path to the file>
  3. Verify (I used signtool in Windows). Verification fails. 
    signtool verify /v /pa <path to the file>

Expected behavior: If jsign does not support extended signatures, probably it is better to reject the signing request even with --replace flag passed in. If that flag is not provided, jsign properly rejects with that message

jsign: The file has an extended signature which isn't supported by Jsign, it can't be signed without replacing the existing signature

However, if jsign is supposed to support replacing the extended signatures as well, I guess that is a legitimate bug.

ebourg commented 1 year ago

That's probably because Jsign doesn't remove the existing extended signature, it only replaces the non-extended signature.

ebourg commented 1 year ago

@turalf The extended signature is now better handled, you can add a signature without replacing it when there is an extended signature entry in the MSI file. Replacing the signature also works, but I've found some edge cases where the new signature is still invalid.