winget package signing issue

[strager]

https://github.com/microsoft/winget-pkgs/pull/123771

Some logs from their CI server:

2023-10-25 18:32:10.155 [CORE] Starting RequestAddPackageAsync operation #0: https://c.quick-lint-js.com/releases/2.17.0/windows/quick-lint-js.msix 2023-10-25 18:32:10.158 [CORE] Begin waiting for operation #0 2023-10-25 18:32:10.158 [CORE] Begin blocking for operation #0 2023-10-25 18:32:12.351 [CORE] Deployment operation #0: error 0x800B0101: Opening the package from location quick-lint-js.msix failed. 2023-10-25 18:32:12.351 [FAIL] D:\a_work\1\s\external\pkg\src\AppInstallerCommonCore\Deployment.cpp(161)\WindowsPackageManager.dll!00007FFBEC479A45: (caller: 00007FFBEC403515) Exception(1) tid(2204) 800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

[strager]

Verification failed for twitch.tv/saibotu:

On my machine I get a different certificate path:

Possibly related: Bad Certum cert: https://old.reddit.com/r/sysadmin/comments/16g1y88/heads_up_sslcom_expired_cert_under_certum_fix/

[strager]

Broken (expired):

• twitch.tv/saibotu (Windows 11 22H2 (10.0.22621.2428))
• twitch.tv/Butters_40 (Windows 10 Pro 22H2 19045.3570)
• twitch.tv/chakypc (10.0.19045.3570)
• twitch.tv/k1ng440 (20H2 19042.867)

Working (unexpired):

• me (Version 22H2 (OS Build 19045.3208))
• twitch.tv/x_Egoist (Version 22H2 (OS Build 19045.3448))
• twitch.tv/FonkeLime (Win11 22H2 - Version 10.0.22621.2428)

[strager]

Likely related: https://www.ssl.com/blogs/ssl-com-legacy-cross-signed-root-certificate-expiring-on-september-11-2023/

[strager]

It magically fixed itself for both k1ng440 and saibotu. 🤷‍♀️ Message from saibotu:

tested it on a pretty much clean vm: when you check the cert the first time it is invalid but it starts downloading some stuff in the background. When you check again after that it shows as valid.

I think I know how to fix it, though. We need to sign without Certum in the chain. (I think this means we need to update the SSL.com root CA too.)

[strager]

saibotu: i assume i tries to get the missing (certum) root first and then fails verification. when you remove the cross-signed root it would probably grab the SSL.com self-signed root first

I like this hypothesis.

[strager]

Fixed in quick-lint-js version 2.18.0 due to Git commit ff9668a1c3722e561ab0bd7136994c45c0656826.