search

mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files
Other
729 stars 124 forks source link

Failed to verify signature even though its valid #371

Closed 0x0ACB closed 4 months ago

0x0ACB commented 4 months ago

I added a signature with the attach-signature command

.\osslsigncode.exe attach-signature -in .\gw2cc_launcher.exe -sigin .\gw2cc_launcher_signed.der -out .\gw2cc_launcher_signed.exe

Inspecting the signed.exe with Windows shows that everything is alright. But the console output from running the command indicates an issue when verifying the signature:

PE checksum   : 01534FB5

Signature Index: 0  (Primary Signature)

Message digest algorithm  : SHA256
Current message digest    : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Calculated message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C

Page hash algorithm  : SHA256
Page hash            : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Calculated page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...

Signer's certificate:
        ------------------
        Signer #0:
                Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
                Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
                Serial : 38B34627EDF30D288484DBBA
                Certificate expiration date:
                        notBefore : Mar  4 16:42:20 2024 GMT
                        notAfter : Mar  5 16:42:20 2027 GMT

Message digest algorithm: SHA256

Authenticated attributes:
        Signing time: Mar  5 08:21:56 2024 GMT
        Microsoft Individual Code Signing purpose
        Message digest: 41D9D671C9AE04897274FE5A93689C8292C878D178B92B44E49C31AA0B8517AD

Countersignatures:
        Timestamp time: Mar  5 08:21:58 2024 GMT

CAfile: (null)

Timestamp is not available

Failed to add store lookup file
94090000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:crypto\cms\cms_env.c:41:
Signature verification: failed

Number of verified signatures: 1
Signature mismatch
Failed

grafik grafik

Not really sure where the signature verification fails in osslsigncode. Even when I specify the GlobalSign root cert via -CAfile verification fails-

mtrojnar commented 4 months ago

CAfile: (null)

Yes, Windows uses an implicit list of trusted certificates, and osslsigncode needs to to specify your trusted certificates manually.

0x0ACB commented 4 months ago

As indicated at the end of my post, even if I specify the CA file it fails to verify This is using the globalsign root certificate as indicated by the cert chain.

.\osslsigncode.exe attach-signature -in .\gw2cc_launcher.exe -sigin .\gw2cc_launcher.der.signed -out .\gw2cc_launcher_signed.exe -CAfile CA.pem
PE checksum   : 01534FB5

Signature Index: 0  (Primary Signature)

Message digest algorithm  : SHA256
Current message digest    : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Calculated message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C

Page hash algorithm  : SHA256
Page hash            : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Calculated page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...

Signer's certificate:
        ------------------
        Signer #0:
                Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
                Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
                Serial : 38B34627EDF30D288484DBBA
                Certificate expiration date:
                        notBefore : Mar  4 16:42:20 2024 GMT
                        notAfter : Mar  5 16:42:20 2027 GMT

Message digest algorithm: SHA256

Authenticated attributes:
        Signing time: Mar  5 08:21:56 2024 GMT
        Microsoft Individual Code Signing purpose
        Message digest: 41D9D671C9AE04897274FE5A93689C8292C878D178B92B44E49C31AA0B8517AD

Countersignatures:
        Timestamp time: Mar  5 08:21:58 2024 GMT

CAfile: CA.pem

Timestamp is not available

Signing certificate chain verified using:
        ------------------
        Signer #0:
                Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
                Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
                Serial : 38B34627EDF30D288484DBBA
                Certificate expiration date:
                        notBefore : Mar  4 16:42:20 2024 GMT
                        notAfter : Mar  5 16:42:20 2027 GMT

        Error: unable to get local issuer certificate

PKCS7_verify error

Failed signing certificate chain retrieved from the signature:
        ------------------
        Signer #0:
                Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
                Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
                Serial : 38B34627EDF30D288484DBBA
                Certificate expiration date:
                        notBefore : Mar  4 16:42:20 2024 GMT
                        notAfter : Mar  5 16:42:20 2027 GMT

D8960000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:crypto\cms\cms_env.c:41:
D8960000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto\pkcs7\pk7_smime.c:295:Verify error: unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Signature mismatch
Failed
mtrojnar commented 4 months ago

Apparently, the /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020 certificate was not found in your CA.pem.

hippie68 commented 2 months ago

Is it because of the expiration date starting at Mar 4 2024 and the issue dating from Mar 5 2024? The certificate is too new and therefore not appearing in the used file? Can you suggest a file that is most complete and up to date, or a way to obtain such a file, to feed osslsigncode with? I already tried cURL's "mk-ca-bundle.pl" to build a ca-bundle.cert file from Mozilla's beta channel, but even that does not seem to be up to date enough to keep up with new Mar 2024 certificates.

mtrojnar commented 2 months ago

I guess there should be a way to download all valid code signing certificates from Microsoft.

mtrojnar commented 2 months ago

I guess there should be a way to download all valid code signing certificates from Microsoft.

I did it: https://raw.githubusercontent.com/mtrojnar/osslsigncode/master/code_signing_ca.pem with the following script: https://github.com/mtrojnar/osslsigncode/blob/master/get_code_signing_ca.py See https://learn.microsoft.com/en-us/security/trusted-root/participants-list for Microsoft's documentation.