ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

--replace option not working for msix installer #196

Open jasonvooo opened 4 months ago

jasonvooo commented 4 months ago

Thanks for releasing 6.0 with msix installer!

I am running into an issue with the --replace option when using jsign to sign an msix package. I am under the impression that when using this flag it should replace the existing signature with the new signature; however, when running it, the result is an artefact that has no signature present.

ebourg commented 4 months ago

I'm not aware of an issue with the replacement of MSIX signatures. This case is covered by a unit test in APPXSignerTest.

If you change the extension of the signed file to .zip and open the archive, do you see an AppxSignature.p7x entry?

jasonvooo commented 4 months ago

When exporting as a zip, I see the AppxSignature.p7x file, but when opening the file through Explorer properties you cannot see the digital signature.

Before and after running jsign with --replace: [two screenshots, not preserved]

ebourg commented 4 months ago

Could you send the two files, before and after replacing the signature, to ebourg@apache.org please? I'd like to inspect them.

ebourg commented 4 months ago

I've been able to reproduce this behavior. The missing 'Digital Signatures' tab happens when the primary signature of the package is made with a certificate whose CN doesn't match the publisher name in the app manifest. signtool usually returns an error code 0x8007000B when verifying such files.

I'll modify Jsign to check the CN before signing MSIX packages.
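
A pre-signing check for the mismatch described in the last comment, as an added example that is not part of the thread or of Jsign's code: it reads the `Publisher` attribute of the `Identity` element in `AppxManifest.xml` and compares its CN with the CN of the signing certificate. It assumes the certificate subject is supplied as a DN string; the function names and the sample package are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# One RDN: key = value, where the value is either quoted or uses backslash escapes.
_RDN = re.compile(r'([A-Za-z0-9.]+)\s*=\s*("(?:[^"\\]|\\.)*"|(?:[^,\\]|\\.)*)\s*(?:,|$)')

def common_name(dn):
    """Return the CN of a distinguished-name string, or None if it has none."""
    for key, value in _RDN.findall(dn):
        if key.upper() == "CN":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return re.sub(r"\\(.)", r"\1", value)  # drop backslash escapes
    return None

def manifest_publisher(msix_bytes):
    """Read the Publisher attribute of <Identity> from AppxManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as package:
        root = ET.fromstring(package.read("AppxManifest.xml"))
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "Identity":  # ignore the XML namespace
            return element.attrib["Publisher"]
    raise ValueError("AppxManifest.xml has no <Identity> element")

def publisher_matches(msix_bytes, cert_subject):
    """True when the certificate CN equals the CN in the manifest Publisher."""
    expected = common_name(manifest_publisher(msix_bytes))
    return expected is not None and expected == common_name(cert_subject)

def sample_package(publisher):
    """Constructed test input: a ZIP holding only a minimal AppxManifest.xml."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Example.App" Publisher="{publisher}" Version="1.0.0.0"/>'
        "</Package>"
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("AppxManifest.xml", manifest)
    return buffer.getvalue()

if __name__ == "__main__":
    pkg = sample_package("CN=Example Corp, O=Example Corp, C=US")
    for subject in ("C=US, O=Example Corp, CN=Example Corp", "CN=Other Signer, C=US"):
        verdict = "ok to sign" if publisher_matches(pkg, subject) else "CN mismatch"
        print(f"{subject!r}: {verdict}")
```

Running a check like this before signing turns the silent symptom from the thread (a signed package with no 'Digital Signatures' tab) into an explicit failure at build time.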