Comments (6)
How should we test it to see the error?
from osslsigncode.
Hi @mtrojnar,
Here are the steps that I took to compare the Microsoft signtool versus osslsigncode signing of an Appx.
System environment
OS: Windows 10
Compiler: Microsoft Visual Studio Community Edition 2017
NodeJS 12.18.4
Apache Cordova 11.0.0 (last version that officially supported UWP Windows apps)
Create and build cordova hello world project with a native plugin
Assuming Command Prompt (cmd.exe) on C:\

```
C:\cordova create test
cd test
cordova plugins add cordova-sqlite-evmax-build-free
cordova platforms add windows
cordova build --release --arch=x64 --verbose -- --packageCertificateKeyFile="C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx" --packageThumbprint="1234"
```
Create an unsigned Appx (bypassing the MSBuild signing task)

```
cd platforms\windows
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\MakeAppx.exe" pack /l /h sha256 /f build\windows\bld\package.map.txt /o /p C:\test_unsigned.appx
```
Here is a copy of the unsigned Appx for your convenience:
test_unsigned.zip
Sign with MS signtool

Make a copy for signing:

```
copy test_unsigned.appx test-signtool-signed.appx
```

Sign:

```
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd sha256 /f C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx test-signtool-signed.appx
```
Result: Has CodeIntegrity.cat file
test-signtool-signed.appx contains new folder AppxMetadata with file CodeIntegrity.cat
Sign with osslsigncode

```
osslsigncode.exe sign -in test_unsigned.appx -out test-osslsigncode-signed.appx -pkcs12 C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx
```
Result: No CodeIntegrity.cat file
test-osslsigncode-signed.appx does not contain AppxMetadata\CodeIntegrity.cat
Notes on CodeIntegrity.cat
On Windows (crashes on Wine) we can use the tool MakeCat to create an unsigned security catalog file based on a cdf file:

```
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\makecat.exe example.cdf
```

example.cdf:

```
[CatalogHeader]
Name=MyCodeIntegrity.cat
ResultDir=.
PublicVersion=0x1
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.1
[CatalogFiles]
File1_Hash=.\test.txt
```
The file format is not documented. Possibly running many permutations of makecat could reveal the structure. The cdf format can contain many parameters, so hitting the combination that signtool uses might be a challenge. However, the cat file supposedly only contains sha256 hashes of the files in the Appx.

We can use `certutil -dump CodeIntegrity.cat` to get the contents in human-readable form. Also, double-clicking the cat file on Windows will show a properties dialog.
Interestingly, the CodeIntegrity.cat file seems only to be created when the Appx contains additional (.dll) files in the root folder. (That is why I added the native Cordova plugin when creating the project.)
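The comparison above boils down to diffing the member lists of the two signed packages (an Appx is a ZIP container). The following is an added example, not code from the osslsigncode project or from the reporter: it builds two in-memory stand-ins for test-signtool-signed.appx and test-osslsigncode-signed.appx (placeholder contents, no real signatures or catalogs) and reports which signing artefacts differ, plus whether the reporter's observation that a root-level .dll is what triggers the catalog applies.

```python
import io
import zipfile

CAT_ENTRY = "AppxMetadata/CodeIntegrity.cat"  # produced by signtool, absent from osslsigncode output
SIG_ENTRY = "AppxSignature.p7x"               # the Authenticode signature both tools write


def _build_appx(members: dict) -> bytes:
    """Write a minimal ZIP with the given name -> bytes members (constructed sample, not a real Appx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_members(appx_bytes: bytes) -> set:
    """Return the file entries (directories excluded) of an Appx/ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as zf:
        return {info.filename for info in zf.infolist() if not info.is_dir()}


def has_root_dll(names) -> bool:
    """Heuristic from the thread: the catalog only appeared when a .dll sits in the package root."""
    return any("/" not in n and n.lower().endswith(".dll") for n in names)


def compare_signed(reference: bytes, candidate: bytes) -> dict:
    """Diff a reference (signtool) package against a candidate (osslsigncode) package."""
    ref, cand = list_members(reference), list_members(candidate)
    return {
        "missing_in_candidate": sorted(ref - cand),
        "extra_in_candidate": sorted(cand - ref),
        "reference_has_cat": CAT_ENTRY in ref,
        "candidate_has_cat": CAT_ENTRY in cand,
        "candidate_signed": SIG_ENTRY in cand,
        "root_dll_present": has_root_dll(ref),
    }


# Constructed stand-ins: identical payload, differing only in the signing artefacts.
_PAYLOAD = {"AppxManifest.xml": b"<Package/>", "plugin.dll": b"MZ-placeholder", "www/index.html": b"<html/>"}
SIGNTOOL_LIKE = _build_appx({**_PAYLOAD, SIG_ENTRY: b"pkcs7-placeholder", CAT_ENTRY: b"cat-placeholder"})
OSSLSIGNCODE_LIKE = _build_appx({**_PAYLOAD, SIG_ENTRY: b"pkcs7-placeholder"})

if __name__ == "__main__":
    print(compare_signed(SIGNTOOL_LIKE, OSSLSIGNCODE_LIKE))
```

Point `compare_signed` at the bytes of two real packages to see the same report for an actual build; a non-empty `missing_in_candidate` containing only the catalog is the discrepancy described in this issue.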
I meant: How can I reproduce the error caused by the missing file?
Hi @mtrojnar,
The missing file does not trigger an error and passes the Windows App Certification Kit (WACK) checks.
I haven't tested it on the MS Store as I lack an account to do so. The discrepancy was noticed during a comparison of packages between my Linux Wine Appx build and a Windows build, leading me to report it as a missing functionality relative to signtool. It appears the file is optional, maybe this will change in future?
Given that, I am OK to close this for now.
It's not a trivial functionality to implement. If it ain't broke, don't fix it.
Agreed.