ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

msix generates invalid signatures #165

Closed lievenm closed 12 months ago

lievenm commented 12 months ago

Hi,

I tried to sign an msix file with the new support and on Windows it refused the signatures. I verified with the forked osslsigncode referenced in the issue and that agreed:

./osslsigncode verify FileZi*
Use -catalog option
Hash method is SHA256
Checking Block Map hashes:
    Message digest algorithm  : SHA256
    Current message digest    : 88D8BEF9D88FAAC996BD5F49CB40FEDBD664947AF26FC6C8EE629B53A6A3282E
    Calculated message digest : 88D8BEF9D88FAAC996BD5F49CB40FEDBD664947AF26FC6C8EE629B53A6A3282E

Checking Content Types hashes:
    Message digest algorithm  : SHA256
    Current message digest    : 030EC72357EBBBF3B69134AF677187A92FA1D97F259A7509D75F9E5DE218C58A
    Calculated message digest : 030EC72357EBBBF3B69134AF677187A92FA1D97F259A7509D75F9E5DE218C58A

Checking Data hashes:
    Message digest algorithm  : SHA256
    Current message digest    : E5A555C19066B5D04F61B6C8C9C13569D448CCC18A30DAA7047D5F1E9A28AB5C
    Calculated message digest : 6B20C0FFF37EB73FB3FC4D1CBE1943B14116B067FFE875395C0CCC8C2A04B0D7
    MISMATCH!!!

Signature hash verification failed
Checking Block Map hashes:
    Message digest algorithm  : SHA256
    Current message digest    : 88D8BEF9D88FAAC996BD5F49CB40FEDBD664947AF26FC6C8EE629B53A6A3282E
    Calculated message digest : 88D8BEF9D88FAAC996BD5F49CB40FEDBD664947AF26FC6C8EE629B53A6A3282E

Checking Content Types hashes:
    Message digest algorithm  : SHA256
    Current message digest    : 030EC72357EBBBF3B69134AF677187A92FA1D97F259A7509D75F9E5DE218C58A
    Calculated message digest : 030EC72357EBBBF3B69134AF677187A92FA1D97F259A7509D75F9E5DE218C58A

Checking Data hashes:
    Message digest algorithm  : SHA256
    Current message digest    : E5A555C19066B5D04F61B6C8C9C13569D448CCC18A30DAA7047D5F1E9A28AB5C
    Calculated message digest : 6B20C0FFF37EB73FB3FC4D1CBE1943B14116B067FFE875395C0CCC8C2A04B0D7
    MISMATCH!!!

Signature hash verification failed
Number of verified signatures: 2
Failed

ebourg commented 12 months ago

Thank you for the feedback. Is the signature valid if the file is only signed once?

lievenm commented 12 months ago

I think this is the version I only signed once. After the first signature, Windows refused to open it.

ebourg commented 12 months ago

Do you think you could send the signed file to ebourg@apache.org so I can analyze it?

lievenm commented 12 months ago

Emmanuel Bourg @.***> writes:

Do you think you could send the signed file to @.*** so I can analyze it?

I will send you a new one I made. You were right the other one was double signed but this one isn't and has the same problem.

Thanks for looking into this.

-- Let them all die. I am content to see the world burn and to mock the falling kings. My scavenger and I will walk on the ashes of the ruined earth.

ebourg commented 12 months ago

Are you sure the package is valid? Even with the signature removed it fails to install

lievenm commented 12 months ago

If I try to install it refuses because of the signatures. I will check with the packager.

ebourg commented 12 months ago

I've spotted one issue leading to an invalid data hash: the entries have to be hashed in the order they appear in the central directory. This order may be different from the actual order in the file. Jsign ignored the central directory order and simply hashed from the start of the file to the start of the central directory. I've fixed that by sorting the central directory when signing. Now osslsigncode computes the same hash, but the package is still corrupted :(
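The ordering problem described in this comment, shown as an added example that is not part of the thread and not jsign's code: a minimal STORED zip is built whose central directory lists the entries in a different order than they occur in the file, and the "Data" digest is then computed both the original jsign way (every byte before the central directory) and in central directory order. The sample entries are constructed; the example assumes no data descriptors, no zip64, and that the digest covers the raw local records (header plus data). It does not apply the exclusions a real MSIX digest makes for the signature, block map and content-types entries, which get their own digests in the osslsigncode output above.

```python
"""Why the MSIX 'Data' digest must follow central directory order (added illustration)."""
import hashlib
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
DOS_DATE_1980 = 0x21  # 1980-01-01, a valid DOS date


def build_zip(entries, central_order):
    """Write a minimal STORED zip. Local records follow `entries` order;
    the central directory lists the names in `central_order`."""
    out = io.BytesIO()
    offsets = {}
    for name, data in entries.items():
        offsets[name] = out.tell()
        nb = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, elen
        out.write(struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, DOS_DATE_1980,
                              crc, len(data), len(data), len(nb), 0))
        out.write(nb)
        out.write(data)
    cd_start = out.tell()
    for name in central_order:
        data = entries[name]
        nb = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # central directory record; the last field is the local header offset
        out.write(struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0, 0, DOS_DATE_1980,
                              crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, offsets[name]))
        out.write(nb)
    cd_size = out.tell() - cd_start
    out.write(struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(central_order), len(central_order),
                          cd_size, cd_start, 0))
    return out.getvalue()


def data_digest(zip_bytes, central_directory_order):
    """SHA-256 over the package entries. central_directory_order=False reproduces
    the original jsign behaviour (hash everything before the central directory);
    True concatenates the local records in the order the central directory lists them."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if not central_directory_order:
            return hashlib.sha256(zip_bytes[:zf.start_dir]).hexdigest()
        h = hashlib.sha256()
        for info in zf.infolist():  # infolist() follows the central directory
            off = info.header_offset
            fields = struct.unpack("<IHHHHHIIIHH", zip_bytes[off:off + 30])
            sig, flags, csize, nlen, elen = fields[0], fields[2], fields[7], fields[9], fields[10]
            if sig != LOCAL_SIG or flags & 0x8:  # data descriptors are out of scope here
                raise ValueError("unexpected local header at offset %d" % off)
            h.update(zip_bytes[off:off + 30 + nlen + elen + csize])
        return h.hexdigest()


# Constructed sample entries, not a real package.
CONSTRUCTED = {
    "AppxManifest.xml": b"<Package/>",
    "app.exe": b"MZ\x90\x00stub",
    "Assets/logo.png": b"\x89PNG\r\n\x1a\n",
}


def demo():
    names = list(CONSTRUCTED)
    aligned = build_zip(CONSTRUCTED, names)         # central directory order == file order
    shuffled = build_zip(CONSTRUCTED, names[::-1])  # central directory order reversed
    with zipfile.ZipFile(io.BytesIO(shuffled)) as zf:
        cd_order = [i.filename for i in zf.infolist()]
    return {
        "aligned_package_agrees": data_digest(aligned, False) == data_digest(aligned, True),
        "shuffled_package_agrees": data_digest(shuffled, False) == data_digest(shuffled, True),
        "naive_digests_identical": data_digest(aligned, False) == data_digest(shuffled, False),
        "entries_in_cd_order": cd_order,
    }


if __name__ == "__main__":
    print(demo())
```

The two packages have byte-identical local records, so the naive digest cannot tell them apart, while a verifier walking the central directory computes a different value for the shuffled one; that is exactly the "Current" versus "Calculated" mismatch osslsigncode reported.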

ebourg commented 12 months ago

Actually the error is normal, since the CN of the test certificate doesn't match the publisher of the package.

I've pushed the fix, could you give it a try?

lievenm commented 12 months ago

osslsigncode now sees the signature. For some reason signtool or sigcheck don't see the signature. We may be hitting a known bug where msix packaging has issues if your certificate CN contains non-ASCII characters. I'll try with a different certificate later this week.

ebourg commented 12 months ago

If so then signing with signtool should fail, and signing with osslsigncode should also make the package uninstallable.

lripoche commented 6 months ago

Hey,

I had a similar issue while signing an msix file. In my case the location (L=) of the certificate and the location in the AppxManifest.xml were different, causing jsign to fail silently.

It could be worth adding a warning message :)

I may open a PR if I find time.

ebourg commented 6 months ago

@lripoche Thank you for reporting this issue. Do you have an example? I'd like to reproduce it.

lripoche commented 4 months ago

Unfortunately, I won't be able to share with you the packaging repo because it contains proprietary code.

First, I had to copy all the certificate fields in the AppxManifest.xml. Then I had a character issue, a quotation mark in the S field was technically a single quote. I found out by printing the Unicode of each character in the file.

I think you can reproduce this by signing any MSIX with a certificate located in Provence-Alpes-Côte d’Azur with the single comma quotation mark replaced by a single quotation mark.

Right unicode: 0050 0072 006F 0076 0065 006E 0063 0065 002D 0041 006C 0070 0065 0073 002D 0043 00F4 0074 0065 0020 0064 2019 0041 007A 0075 0072
Wrong unicode: 0050 0072 006F 0076 0065 006E 0063 0065 002D 0041 006C 0070 0065 0073 002D 0043 00F4 0074 0065 0020 0064 0027 0041 007A 0075 0072

ebourg commented 4 months ago

@lripoche The code on the master branch now checks if the publisher in the manifest matches the subject of the signing certificate. I guess the issue with the quotation mark you mentioned should now be caught when signing.
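A check of the kind described here, as an added example that is not jsign's code and not from the thread's participants: it reads the Publisher attribute of an AppxManifest.xml, compares it with the signing certificate's subject, and on a mismatch reports the first differing character with its code point, flagging look-alike apostrophes such as U+2019 versus U+0027. The manifest and the subject string are constructed samples; the subject is supplied as an RFC 4514 string rather than parsed from a real certificate, and the manifest namespace is the standard Windows 10 foundation namespace.

```python
"""Publisher-versus-certificate-subject check for an MSIX manifest (added illustration)."""
import unicodedata
import xml.etree.ElementTree as ET

APPX_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Constructed manifest: the S= value uses the typographic apostrophe U+2019.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.App" Version="1.0.0.0"
            Publisher="CN=Example, O=Example SAS, L=Nice, S=Provence-Alpes-C\u00f4te d\u2019Azur, C=FR" />
</Package>
"""
# Constructed certificate subject: same text, but with the ASCII apostrophe U+0027.
SAMPLE_CERT_SUBJECT = "CN=Example, O=Example SAS, L=Nice, S=Provence-Alpes-C\u00f4te d'Azur, C=FR"

# Characters that render like an apostrophe but are distinct code points.
APOSTROPHE_LIKE = {"\u0027", "\u2018", "\u2019", "\u02bc", "\u0060", "\u00b4"}


def codepoints(text):
    """Hex code points, in the same layout as the 'Right/Wrong unicode' listing above."""
    return ["%04X" % ord(c) for c in text]


def describe(c):
    """Human-readable name of a single character (empty string means end of input)."""
    if not c:
        return "<end of string>"
    return "U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED"))


def manifest_publisher(xml_text):
    """Extract Identity/@Publisher from an AppxManifest.xml document."""
    identity = ET.fromstring(xml_text).find("m:Identity", APPX_NS)
    if identity is None or identity.get("Publisher") is None:
        raise ValueError("manifest has no Identity/@Publisher")
    return identity.get("Publisher")


def compare_publisher(manifest_xml, cert_subject):
    """Return {'match': True} on an exact match, otherwise the index and
    description of the first differing character plus an apostrophe hint."""
    publisher = manifest_publisher(manifest_xml)
    if publisher == cert_subject:
        return {"match": True}
    i = next((k for k, (a, b) in enumerate(zip(publisher, cert_subject)) if a != b),
             min(len(publisher), len(cert_subject)))
    a = publisher[i] if i < len(publisher) else ""
    b = cert_subject[i] if i < len(cert_subject) else ""
    report = {"match": False, "index": i,
              "manifest_char": describe(a), "certificate_char": describe(b)}
    if a in APOSTROPHE_LIKE and b in APOSTROPHE_LIKE:
        report["hint"] = "look-alike apostrophes; the two DN strings must be character-for-character identical"
    return report


if __name__ == "__main__":
    print(compare_publisher(SAMPLE_MANIFEST, SAMPLE_CERT_SUBJECT))
    print(" ".join(codepoints(manifest_publisher(SAMPLE_MANIFEST))))
```

Comparing the raw strings rather than a normalised form is deliberate: normalising would hide precisely the difference that makes the installer reject the package, so the check should fail loudly and point at the offending character.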