Closed chris-allan closed 1 year ago
@chris-allan Could you please take a look at PR #278 and confirm that it works as intended?
Looks good to me. I'll comment here since I'm honestly not equipped to review any of the OpenSSL related code changes in #278.
Build environment:
$ git rev-parse HEAD
8854cada70456102df32a1c5d51b46809e66d63f
$ build/osslsigncode --version
osslsigncode 2.6, using:
OpenSSL 1.1.1f 31 Mar 2020 (Library: OpenSSL 1.1.1f 31 Mar 2020)
libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Please send bug-reports to Michal.Trojnara@stunnel.org
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Verification:
PS C:\Program Files (x86)\Windows Kits\10\App Certification Kit> .\signtool.exe verify /pa /all /v H:\NGFF-Converter-1.1.5.msi
Verifying: H:\NGFF-Converter-1.1.5.msi
Signature Index: 0 (Primary Signature)
Hash of file (sha384): D4E9959FD2C9D2D42B03FDEA6994652ACFBAA22BB1706223D8E4B36C613726577C37F9B9CA1CD056DFAF869BB0F30A1F
Signing Certificate Chain:
Issued to: DigiCert Global Root G3
Issued by: DigiCert Global Root G3
Expires: Fri Jan 15 13:00:00 2038
SHA1 hash: 7E04DE896A3E666D00E687D33FFAD93BE83D349E
Issued to: DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
Issued by: DigiCert Global Root G3
Expires: Tue Apr 29 00:59:59 2036
SHA1 hash: 8F5C0C8E414AF89DBFF272125E28D417EE5FF559
Issued to: Glencoe Software, Inc.
Issued by: DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
Expires: Sat Nov 04 00:59:59 2023
SHA1 hash: A51A27055039EFBAEE436A599BC0035DD6AD8AA6
The signature is timestamped: Fri Jun 30 09:54:11 2023
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 01:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert Trusted Root G4
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 00:59:59 2031
SHA1 hash: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
Issued to: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Issued by: DigiCert Trusted Root G4
Expires: Mon Mar 23 00:59:59 2037
SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
Issued to: DigiCert Timestamp 2022 - 2
Issued by: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Expires: Tue Nov 22 00:59:59 2033
SHA1 hash: F387224D8633829235A994BCBD8F96E9FE1C7C73
Successfully verified: H:\NGFF-Converter-1.1.5.msi
Number of signatures successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Firstly, I'd just like to thank everyone who has contributed to this valuable tool over the years.
Recently, we needed to change our EV code signing workflow to include timestamping and at the same time tried to upgrade to the latest (2.6) release. Unfortunately, MSIs signed with this version seem to no longer verify with signtool.exe. We are using a private key in Google's HSM, a DigiCert certificate, and are performing the signing on Ubuntu 20.04 with our own builds of osslsigncode.
Our version 2.5 command line arguments are:
This MSI can be downloaded here:
Verification succeeds:
For 2.6, our command line arguments are:
This MSI can be downloaded here:
Verification fails:
The error is, of course, not very helpful. Does anyone have ideas on where I could start debugging or know offhand why this is happening?
Thanks!