
Comments (7)

mtrojnar avatar mtrojnar commented on June 20, 2024

What is "the command" you tried to run? Does "the command" include the "-ignore-cdp" parameter?

from osslsigncode.

NtWriteCode avatar NtWriteCode commented on June 20, 2024

Sorry, let me begin with the fact that I'm using a self-compiled Linux version, from branch 2.8.
By "the command" I mean the one referred to in my linked ticket, which in my case is:

./osslsigncode verify -in ccsetup583_x86_be.msi -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem

Output:

[root@0377df3c559f test]# ./osslsigncode verify -in ccsetup583_x86_be.msi -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem

Signature Index: 0  (Primary Signature)

Message digest algorithm         : SHA1
Current MsiDigitalSignatureEx    : 1090A9CBEE41C5ED405DBEFD223FE6238DC6139A 
Calculated MsiDigitalSignatureEx : 1090A9CBEE41C5ED405DBEFD223FE6238DC6139A 
Current DigitalSignature         : 45C912241EA9FFC7CC3D7C9037CC59596DAFC603 
Calculated DigitalSignature      : 45C912241EA9FFC7CC3D7C9037CC59596DAFC603 
Calculated message digest        : 7DC79078272BBC759D5295B748D8E93B86E8555D 

Signer's certificate:
	------------------
	Signer #0:
		Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 02FA994D660DE659EE9037ECB437D766
		Certificate expiration date:
			notBefore : Oct 14 00:00:00 2019 GMT
			notAfter : Oct 18 12:00:00 2022 GMT

Message digest algorithm: SHA1

Authenticated attributes:
	Microsoft Individual Code Signing purpose
	Message digest: B43CD306C611FBFB2188182D18CFF045AE38B79C 
	URL description: http://www.avast.com

Countersignatures:
	Timestamp time: Jul 16 14:13:58 2021 GMT
	Signing time: Jul 16 14:13:58 2021 GMT
	Hash Algorithm: sha256
	Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
	Serial: 0D424AE0BE3A88FF604021CE1400F0DD

CAfile: MicRooCerAut_2010-06-23.pem
TSA's certificates file: MicRooCerAut_2010-06-23.pem

Timestamp verified using:
	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0AA125D6D6321B7E41E405DA3697C215
		Certificate expiration date:
			notBefore : Jan  7 12:00:00 2016 GMT
			notAfter : Jan  7 12:00:00 2031 GMT

	Error: unable to get local issuer certificate

CMS_verify error

Failed timestamp certificate chain retrieved from the signature:
	------------------
	Signer #0:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Serial : 0D424AE0BE3A88FF604021CE1400F0DD
		Certificate expiration date:
			notBefore : Jan  1 00:00:00 2021 GMT
			notAfter : Jan  6 00:00:00 2031 GMT

	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0409181B5FD5BB66755343B56F955008
		Certificate expiration date:
			notBefore : Oct 22 12:00:00 2013 GMT
			notAfter : Oct 22 12:00:00 2028 GMT

	------------------
	Signer #2:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0AA125D6D6321B7E41E405DA3697C215
		Certificate expiration date:
			notBefore : Jan  7 12:00:00 2016 GMT
			notAfter : Jan  7 12:00:00 2031 GMT

	------------------
	Signer #3:
		Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 02FA994D660DE659EE9037ECB437D766
		Certificate expiration date:
			notBefore : Oct 14 00:00:00 2019 GMT
			notAfter : Oct 18 12:00:00 2022 GMT

139634911209536:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:253:Verify error:unable to get local issuer certificate
Timestamp Server Signature verification: failed
Signing certificate chain verified using:
	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0409181B5FD5BB66755343B56F955008
		Certificate expiration date:
			notBefore : Oct 22 12:00:00 2013 GMT
			notAfter : Oct 22 12:00:00 2028 GMT

	Error: unable to get local issuer certificate

PKCS7_verify error

Failed signing certificate chain retrieved from the signature:
	------------------
	Signer #0:
		Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Serial : 0D424AE0BE3A88FF604021CE1400F0DD
		Certificate expiration date:
			notBefore : Jan  1 00:00:00 2021 GMT
			notAfter : Jan  6 00:00:00 2031 GMT

	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0409181B5FD5BB66755343B56F955008
		Certificate expiration date:
			notBefore : Oct 22 12:00:00 2013 GMT
			notAfter : Oct 22 12:00:00 2028 GMT

	------------------
	Signer #2:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0AA125D6D6321B7E41E405DA3697C215
		Certificate expiration date:
			notBefore : Jan  7 12:00:00 2016 GMT
			notAfter : Jan  7 12:00:00 2031 GMT

	------------------
	Signer #3:
		Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
		Serial : 02FA994D660DE659EE9037ECB437D766
		Certificate expiration date:
			notBefore : Oct 14 00:00:00 2019 GMT
			notAfter : Oct 18 12:00:00 2022 GMT

139634911209536:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:285:Verify error:unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Failed

I also tried to call it as:
./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem

and

./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -ignore-timestamp -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem

and

./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -ignore-timestamp -CAfile MicRooCerAut_2010-06-23.pem

Both gave the same output. Am I missing something? For the test file I use a signed MSI from here: https://support.ccleaner.com/s/article/business-edition-msi-installers?language=en_US

from osslsigncode.

NtWriteCode avatar NtWriteCode commented on June 20, 2024

Also note that in my example I know I'm not even using CRLs, but I'm a bit confused between all these certs and what to use for what and in what format it's allowed :) Of course I'm googling around and trying to find out more and more about the topic in the meanwhile.

(Just throwing in the things I'm not perfectly understanding here; maybe if you have some energy, you can explain them better:

  • So, I need a CAfile, which describes what is trusted and what is not. Is it always enough to define the 2010-06-23 CAfile only? :O There are at least 2 similar certs on the MS page I was linked to in the other ticket. It was said I need the Microsoft Root Certificate Authority 2010, but what about the 2011 file?
  • Also I kinda don't understand anything regarding the timestamp server thingie: how and why is that needed?
  • I saw I can also provide a CRL (revoked certs list), but I'm a bit unsure where to get it from, which is always up to date. I saw that there's a dedicated column on the MS website, but I'm not sure if that's up to date; it says 2010-ish, which is pretty weird.

But of course I don't want to bother you and waste your time by teaching basic stuff to random people, so feel free to omit answering these questions if you feel like it.)

Thank you very much in advance :)

from osslsigncode.

mtrojnar avatar mtrojnar commented on June 20, 2024

Timestamp verified using:
	------------------
	Signer #1:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 0AA125D6D6321B7E41E405DA3697C215
		Certificate expiration date:
			notBefore : Jan  7 12:00:00 2016 GMT
			notAfter : Jan  7 12:00:00 2031 GMT

	Error: unable to get local issuer certificate

CMS_verify error

Does your MicRooCerAut_2010-06-23.pem file contain the DigiCert Assured ID Root CA certificate? Consider using the new -TSA-CAfile option to configure the CAs trusted for timestamp verification.

from osslsigncode.
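The question above (does the CAfile contain the issuer the chain actually ends at?) can be answered from the `verify` output alone. The following script is an added example, not code from the osslsigncode project: it parses the `Subject:`/`Issuer :` lines that osslsigncode prints for the chain retrieved from the signature, works out which issuer names no certificate in the chain satisfies, and compares them against the subjects of the trust bundle. The trust-bundle subject strings are assumed to be obtained separately (for example with `openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout`); the Microsoft root DN used in the usage block is a constructed sample.

```python
import re

# Constructed excerpt of the osslsigncode verify output quoted in this thread
# (only the Subject/Issuer lines matter for the check; serials/dates omitted).
SAMPLE_OUTPUT = """\
Failed timestamp certificate chain retrieved from the signature:
    Signer #0:
        Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
    Signer #1:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    Signer #2:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    Signer #3:
        Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
"""

LINE_RE = re.compile(r"^\s*(Subject|Issuer)\s*:\s*(\S.*?)\s*$", re.MULTILINE)

def parse_chain(text):
    """Return (subject, issuer) pairs from osslsigncode's Subject:/Issuer : lines."""
    pairs, subject = [], None
    for kind, name in LINE_RE.findall(text):
        if kind == "Subject":
            subject = name
        elif subject is not None:
            pairs.append((subject, name))
            subject = None
    return pairs

def required_anchors(pairs):
    """Issuer names that no certificate inside the signature's own chain satisfies.
    These are exactly the subjects the -CAfile / -TSA-CAfile bundle must contain."""
    subjects = {s for s, _ in pairs}
    return sorted({i for _, i in pairs if i not in subjects})

def missing_anchors(pairs, trusted_subjects):
    """Required anchors absent from the bundle (slash-DN strings compared as printed)."""
    return [a for a in required_anchors(pairs) if a not in set(trusted_subjects)]

if __name__ == "__main__":
    # Constructed sample: a bundle holding only the Microsoft 2010 root, as in the thread.
    bundle = ["/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010"]
    for anchor in missing_anchors(parse_chain(SAMPLE_OUTPUT), bundle):
        print("bundle lacks required root:", anchor)
```

Feeding the real `verify` output and the real bundle subjects into `missing_anchors` tells you which root to append to the PEM file before retrying; an empty result means the "unable to get local issuer certificate" error comes from somewhere else.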

NtWriteCode avatar NtWriteCode commented on June 20, 2024

Most probably I'm doing something stupid, but what I've been doing is following the steps in the previously mentioned ticket, quoting:

Download CA certificate file Microsoft Root Certificate Authority 2010 from [PKI Repository - Microsoft PKI Services](https://www.microsoft.com/pkiops/docs/repository.htm)

Convert it from DER to PEM format:

openssl x509 -inform DER -in MicRooCerAut_2010-06-23.crt -outform PEM -out MicRooCerAut_2010-06-23.pem

So the content of the PEM is just the following:

-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----

I'm more than sure this does not contain other embedded certs, thus I must be doing something wrong. I just tried to use an online decode tool, but that also just confirmed it's "just" the root CA of Microsoft.

Does this mean I have to somehow gather all the potential root CAs and download from somewhere in order to be able to verify them all?

from osslsigncode.

mtrojnar avatar mtrojnar commented on June 20, 2024

ca-certs.pem.gz

from osslsigncode.

mtrojnar avatar mtrojnar commented on June 20, 2024

Before opening issues in a GitHub repository to report a problem, please make sure you have consulted books and internet resources to grasp the basics. This practice helps keep the repository dedicated to solving actual issues.

from osslsigncode.
