GAP: When signing a Appx, signtool creates AppxMetadata\CodeIntegrity.cat, osslsigncode doesn't about osslsigncode HOT 6 CLOSED

How should we test it to see the error?

from osslsigncode.

Hi @mtrojnar,

Here are the steps that I took to compare the Microsoft signtool versus osslsigncode signing of an Appx.

System environment

OS: Windows 10
Compiler: Microsoft Visual Studio Community Edition 2017
NodeJS 12.18.4
Apache Cordova 11.0.0 (last version that officially supported UWP Windows apps)

Create and build cordova hello world project with a native plugin

Assuming Command Prompt (cmd.exe) on C:\

C:\cordova create test
cd test
cordova plugins add cordova-sqlite-evmax-build-free
cordova platforms add windows

cordova build --release --arch=x64 --verbose -- --packageCertificateKeyFile="C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx" --packageThumbprint="1234"

Create an unsigned Appx (bypassing MSBuild signing task)

cd platforms\windows
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\MakeAppx.exe" pack /l /h sha256 /f build\windows\bld\package.map.txt /o /p C:\test_unsigned.appx

Here is a copy of the unsigned Appx for your convenience:
test_unsigned.zip

Sign with MS signtool

make a copy for signing
copy test_unsigned.appx test-signtool-signed.appx

Sign
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd sha256 /f C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx test-signtool-signed.appx

Result: Has CodeIntegrity.cat file

test-signtool-signed.appx contains new folder AppxMetadata with file CodeIntegrity.cat

Sign with osslsigncode

osslsigncode.exe sign -in test_unsigned.appx -out test-osslsigncode-signed.appx -pkcs12 C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx

Result: No CodeIntegrity.cat file

test-osslsigncode-signed.appx does not contain AppxMetadata\CodeIntegrity.cat

Notes on CodeIntegrity.cat

On Windows (crashes on wine) we can use the tool MakeCat to create an unsigned security catalog file based on a cdf file:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\makecat.exe example.cdf

`---BEGIN example.cdf ---
[CatalogHeader]
Name=MyCodeIntegrity.cat
ResultDir=.
PublicVersion=0x1
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.1

[CatalogFiles]
File1_Hash=.\test.txt
-- END example.cdf ---`

The file format is not documented. Possibly running many permutations of makecat could reveal the structure. The cdf format can contain many parameters, hitting the combination that signtool uses might be a challenge. However, the cat file supposedly only contains sha256 hashes of the files in the Appx.

We can use certutil -dump CodeIntegrity.cat to get the contents in human readable form. Also double clicking the cat file on Windows will show a properties dialog.

Interestingly the CodeIntegrity.cat file seems only to be created when the Appx contains additional (.dll) files in the root folder. (That is why I added the native cordova plugin to create the project).

from osslsigncode.

I meant: How can I reproduce the error caused by the missing file?

from osslsigncode.

Hi @mtrojnar,

The missing file does not trigger an error and passes the Windows App Certification Kit (WACK) checks.

I haven't tested it on the MS Store as I lack an account to do so. The discrepancy was noticed during a comparison of packages between my Linux Wine Appx build and a Windows build, leading me to report it as a missing functionality relative to signtool. It appears the file is optional, maybe this will change in future?

Given that I am ok to close this for now.

from osslsigncode.

It's not a trivial functionality to implement. If it ain't broke, don't fix it.

from osslsigncode.

Agreed.

from osslsigncode.