MSI signature is reported as invalid in Windows 10

[mlundblad]

In an updated version of Windows 10, MSI files signed by JSign are reported as invalid. I used the CLI with the following command:

$ jsign -s --storepass -a file.msi

Also tried with -d and different digest algorithms (SHA1 and SHA-256).

[ebourg]

Do you mean that the signature is invalid, or the file gets corrupted and can no longer be installed? What is your version of Windows 10?

[mlundblad]

The signature comes up as invalid (and the CA certificate is installed in the system truststore, and it used to work before). The installer can still be run, so the file is not corrupted. It's Windows 10 Enterprise 2015 LTSB, version 10.0 (Build 10240)

[ebourg]

Could you try the same command but targeting a .exe file instead? Is the signature also invalid?

[mlundblad]

Yes, signing an .exe file still seems to work as normal (I tried signing with digest algorithms SHA-1 and SHA-256, the SHA-1 one is not recognized as signed, but I think this is due to Windows 10 stopped accepting SHA-1 as a digest algorithm. With SHA-256 the signature shows up as valid).

[mlundblad]

MSI-files.zip I attached a ZIP file with some samples: sample-unsigned.msi is an unsigned MSI then there is signed versions of this file with digest algorithms SHA-1 and SHA-256 signed by a certificate issued directly from a root CA (-root.msi) and ones signed by a certificate issued by a sub CA (-sub.msi) The CA certificates are also included in the ZIP file along with a keystore containing the certs (alias code00001 is the one signed by the root, and code00003 signed by the sub, this is the sample keystore distributed with SignServer, store password is "foo123"

[ebourg]

I retried signing the sample file with Jsign 5.0 and the signature is still invalid.

But there may be an issue with the MSI file actually, because signtool fails to sign it:

C:\dev\jsign>signtool sign /v /fd sha256 /f jsign-core\src\test\resources\keystores\keystore.p12 /p password sample-unsigned.msi
The following certificate was selected:
    Issued to: Jsign Code Signing Test Certificate 2022 (RSA)
    Issued by: Jsign Code Signing CA 2022
    Expires:   Mon Nov 10 20:15:33 2042
    SHA1 hash: 6FD90E92283AF2B39C26DDCEA31B14958F9A1BCF

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146885630/0x80092002)

osslsigncode signs it but reports an error and the signature is invalid as well:

C:\dev\jsign>osslsigncode sign -spc jsign-core\src\test\resources\keystores\jsign-test-certificate-full-chain.spc -key jsign-core\src\test\resources\keystores\privatekey.pkcs1.pem -pass password -in sample-unsigned.msi -out sample-signed.msi
Unable to load provider: legacy
Warning: Legacy mode disabled
Failed to read stream data
Failed to read stream data
Succeeded

[ebourg]

It looks like the sample file contains two empty entries (@_StringData and @_Tables) that are causing the issue. If removed signtool accepts to sign the file, and osslsigncode no longer prints a warning.

If you try again signing a valid MSI file with Jsign 5.0 the signature should be valid.

[ebourg]

If I take the minimal.msi file used by the tests and add an empty entry, signtool accepts to sign it. So there is something else related to these entries that is causing the issue.

[ebourg]

@mlundblad Do you remember how your sample file was generated?