Closed patatetom closed 7 months ago
hi,
I've just tested the same thing under ubuntu 22.04 lts and osslsigncode
works as expected after adding the certificates to the system.
the problem would be more on the side of archlinux or openssl which is not at the same version level:
osslsigncode --version
osslsigncode 2.7, using:
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Please send bug-reports to Michal.Trojnara@stunnel.org
regards, lacsaP.
osslsigncode considers the following list of CA files:
"/etc/ssl/certs/ca-certificates.crt",
"/etc/pki/tls/certs/ca-bundle.crt",
"/usr/share/ssl/certs/ca-bundle.crt",
"/usr/local/share/certs/ca-root-nss.crt",
"/etc/ssl/cert.pem"
It searches through this list until it finds the first valid CA file.
In your archlinux system, it uses /etc/ssl/certs/ca-certificates.crt.
Additionally, the command:
# trust anchor test/MicrosoftRootCertificateAuthority2011.crt.pem && update-ca-trust
stores this certificate in the /etc/ssl/cert.pem file.
In this case use the -CAfile option.
hi,
after a few more tries, I think there's a little problem somewhere else...
# ll /etc/ssl/cert.pem
lrwxrwxrwx 1 root root 46 5 sept. 2022 /etc/ssl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem
# ll /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 5 sept. 2022 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
## osslsigncode says/uses "CAfile: /etc/ssl/certs/ca-certificates.crt"
# cp /etc/ssl/certs/ca-certificates.crt /tmp/system.crt
# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
CAfile: test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded
## add certificate to system store with archlinux tools
# trust anchor test/MicrosoftRootCertificateAuthority2011.crt.pem && update-ca-trust
# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
❌ Failed
## add certificate to system store manually
# cat test/MicrosoftRootCertificateAuthority2011.crt.pem /tmp/system.crt > /etc/ssl/certs/ca-certificates.crt
# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
❌ Failed
## just certificate to system store (manually)
# cat test/MicrosoftRootCertificateAuthority2011.crt.pem > /etc/ssl/certs/ca-certificates.crt
# ll /etc/ssl/certs/ca-certificates.crt
lrwxrwxrwx 1 root root 49 5 sept. 2022 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
# cat !$
cat /etc/ssl/certs/ca-certificates.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
✅ Succeeded
regards, lacsaP.
@patatetom How do you think osslsigncode should address this issue?
@mtrojnar I don't know, maybe it's linked to the (lib)openssl version (3.2.0 for Archlinux and 3.0.2 for Ubuntu)... I'll do a few more tests after lunch.
the problem arises from the presence of several certificates in the CAfile used (as in the system store /etc/ssl/certs/ca-certificates.crt):
# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded
# (
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
) > test/test.pem
# cat test/test.pem
# MicrosoftRootCertificateAuthority2011
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
…
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
✅ Succeeded
# (
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
echo "# MicrosoftRootCertificateAuthority2010"
cat test/MicrosoftRootCertificateAuthority2010.crt.pem
) > test/test.pem
# cat test/test.pem
# MicrosoftRootCertificateAuthority2011
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
…
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# MicrosoftRootCertificateAuthority2010
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQKMw6Jb+6RKxEmptYa0M5qjANBgkqhkiG9w0BAQsFADCB
…
ZIKRBBLgq28ey1AFYbRA/1mGcdHVM2l8qXOKONdkDPFp
-----END CERTIFICATE-----
# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
❌ Failed
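As an added example (not from this thread or from the osslsigncode project): a small POSIX-shell helper that mirrors the CA-file lookup order quoted earlier in the thread, splits a PEM bundle into one file per certificate, and runs `osslsigncode verify -CAfile` against each root on its own, so a bundle that fails as a whole (as in the two-certificate test above) can be narrowed to the single root the signature actually chains to. It assumes the `osslsigncode verify` syntax quoted in this thread and a bundle delimited by standard BEGIN/END CERTIFICATE lines; `first_readable`, `split_pem_bundle` and `verify_per_root` are hypothetical helper names.

```shell
# Added helper, not part of osslsigncode; it mirrors the behaviour described
# in this thread. "First readable file" approximates osslsigncode's
# "first valid CA file" when no -CAfile is given.
first_readable() {
    for f in "$@"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# The built-in search list quoted in the thread, in the same order.
find_default_cafile() {
    first_readable /etc/ssl/certs/ca-certificates.crt \
                   /etc/pki/tls/certs/ca-bundle.crt \
                   /usr/share/ssl/certs/ca-bundle.crt \
                   /usr/local/share/certs/ca-root-nss.crt \
                   /etc/ssl/cert.pem
}

# Split a PEM bundle into $outdir/cert-N.pem (one certificate each), keeping
# only the BEGIN..END blocks; comment lines such as "# MicrosoftRoot..." are
# dropped. Prints the number of certificates written.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Verify the PE file once per root in the bundle, so a bundle that fails as a
# whole can be narrowed down to the single root that succeeds.
verify_per_root() {
    pe=$1; bundle=$2; dir=${3:-/tmp/split-roots}
    count=$(split_pem_bundle "$bundle" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        cafile="$dir/cert-$i.pem"
        if osslsigncode verify -ignore-timestamp -in "$pe" -CAfile "$cafile" >/dev/null 2>&1
        then echo "OK   $cafile"
        else echo "FAIL $cafile"
        fi
        i=$((i + 1))
    done
}
```

With osslsigncode on PATH, `verify_per_root test/msedge.exe "$(find_default_cafile)"` reports one OK/FAIL line per root in the system bundle.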
hi,
I only use osslsigncode to check binaries signed by Microsoft. I got the right certificates from the internet and converted them to PEM format so that I could use them with osslsigncode.
When I do this manually, osslsigncode terminates successfully:
However, when I install the certificates on my system (archlinux), osslsigncode terminates with an error:
The certificates seem to be correctly installed on the system side:
osslsigncode is 2.7:
Where could the problem come from?
regards, lacsaP.