ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Signature not recognized when using SHA-512 #55

Closed netmackan closed 5 years ago

netmackan commented 5 years ago

Way to reproduce:

  1. Sign EXE with digest algorithm SHA-512 and no program name or program URL
  2. Check digital signature details in Windows (7 for example)

Expected: Signature verified correctly.

Actual: "No signature was present in the subject." error message when looking at the details for the signature in the list.

Note that redoing the same steps but with SHA-256 or SHA-384 the signature is accepted.

Edit: Initially I thought the issue was missing program name and/or URL but it later turned out to not be the only issue.

ebourg commented 4 years ago

For the record, not including the SPC_SP_OPUS_INFO structure has no impact on the validation of the SHA-512 signatures (tested on Windows 10). But for some obscure reason the <<<Obsolete>>> string in SpcLink derails the validation of the SHA-512 signatures only.

ebourg commented 4 years ago

I've just figured out why the SHA-512 signatures are invalid with the <<<Obsolete>>> string, more details in #66.