ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

What is "checksum" vs. "checksum (computed)"? #77

Closed netmackan closed 4 years ago

netmackan commented 4 years ago

Hi Emmanuel,

I noticed that Jsign does not update the checksum after the certificate table is written and found a possible bug in PEFile.updateChecksum() that it does not position the buffer to write. I can make a pull request for that but I first have a question so that I can check if it is working:

Question: When printing the info from a PE file it can be seen that checksum (i.e. the value from the checksum field) and the "checksum (computed)" are different. Are they not supposed to be the same or are they somehow in different format/encoding?

Checksum:                           0x234242b
Checksum (computed):        0x1234d

The reason I ask is that if I fix the potential issue with the checksum not being updated I want to know what value should be written and I do not understand why the computed checksum is different (even if the file has not changed) and if I can use that...

Cheers, Markus

ebourg commented 4 years ago

The computed checksum is the expected value of the checksum field if it was correct. AFAIK the checksum field is never used to ensure the integrity of the executable, so its value doesn't really matter.

netmackan commented 4 years ago

Thanks for confirming that.

I also noticed that the checksum field is not covered by the signature so it is not a problem for signature verification if it is not updated.

However, it seems that some applications actually do check the checksum field and refuse to run if it is incorrect. I haven't fully confirmed this is the case yet but it would explain an issue that we see.

I was thinking that perhaps you know or don't know the status of the checksum calculation code? My thinking is that if it is not needed for the signature verification then maybe it is not tested as much and there could be some issue there?

Cheers,

ebourg commented 4 years ago

> However, it seems that some applications actually do check the checksum field and refuse to run if it is incorrect. I haven't fully confirmed this is the case yet but it would explain an issue that we see.

If there are applications checking this field then I agree it's important to ensure it's right.

> I was thinking that perhaps you know or don't know the status of the checksum calculation code? My thinking is that if it is not needed for the signature verification then maybe it is not tested as much and there could be some issue there?

There might be corner cases not properly handled, I haven't tested this sufficiently to guarantee it's perfect.

netmackan commented 4 years ago

I found that the checksum calculation only works if the file size is less than 64 KB. I will submit a pull request for fixing the checksum calculation and also so it works with larger files.
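Added example, not part of the thread and not jsign's code: a Python sketch of the stored versus computed comparison discussed above. It assumes the commonly described PE checksum algorithm (16-bit sum with carry folding over the whole file, CheckSum field counted as zero, file length added last). The function names and the sample buffer are constructed for illustration.

```python
import struct

def checksum_offset(data: bytes) -> int:
    """File offset of the CheckSum field in the PE optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header + 64 bytes into the optional header
    return e_lfanew + 4 + 20 + 64

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def computed_checksum(data: bytes) -> int:
    """Value the CheckSum field should hold for this exact file content."""
    buf = bytearray(data)
    off = checksum_offset(data)
    buf[off:off + 4] = b"\0" * 4          # the field itself counts as zero
    if len(buf) % 2:
        buf.append(0)                      # pad an odd-sized file to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    # File length is added last: the result exceeds 16 bits for files over 64 KB.
    return (total + len(data)) & 0xFFFFFFFF

def with_updated_checksum(data: bytes) -> bytes:
    """Copy of the file with the CheckSum field rewritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), computed_checksum(data))
    return bytes(buf)

def sample_image(size: int = 70000) -> bytes:
    """Constructed buffer with only the headers this code reads (not runnable)."""
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 88, 0)      # CheckSum never filled in
    return bytes(buf)

if __name__ == "__main__":
    image = with_updated_checksum(sample_image())
    signed = image + b"\x01" * 1024    # constructed stand-in for an appended certificate table
    for name, f in (("before", image), ("after append", signed)):
        print(f"{name}: stored={stored_checksum(f):#x} computed={computed_checksum(f):#x}")
```

Appending data after the field was written leaves the stored value stale, which is why the field has to be recomputed once the certificate table is in place.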