
Comments (6)

mtrojnar commented on June 16, 2024

How should we test it to see the error?

from osslsigncode.

st-gr commented on June 16, 2024

Hi @mtrojnar,

Here are the steps that I took to compare the Microsoft signtool versus osslsigncode signing of an Appx.

System environment

OS: Windows 10
Compiler: Microsoft Visual Studio Community Edition 2017
NodeJS 12.18.4
Apache Cordova 11.0.0 (last version that officially supported UWP Windows apps)

Create and build cordova hello world project with a native plugin

Assuming Command Prompt (cmd.exe) on C:\

C:\> cordova create test
cd test
cordova plugins add cordova-sqlite-evmax-build-free
cordova platforms add windows

cordova build --release --arch=x64 --verbose -- --packageCertificateKeyFile="C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx" --packageThumbprint="1234"

Create an unsigned Appx (bypassing MSBuild signing task)

cd platforms\windows
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\MakeAppx.exe" pack /l /h sha256 /f build\windows\bld\package.map.txt /o /p C:\test_unsigned.appx

Here is a copy of the unsigned Appx for your convenience:
test_unsigned.zip

Sign with MS signtool

Make a copy for signing
copy test_unsigned.appx test-signtool-signed.appx

Sign
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /fd sha256 /f C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx test-signtool-signed.appx

Result: Has CodeIntegrity.cat file

test-signtool-signed.appx contains new folder AppxMetadata with file CodeIntegrity.cat

Sign with osslsigncode

osslsigncode.exe sign -in test_unsigned.appx -out test-osslsigncode-signed.appx -pkcs12 C:\test\platforms\windows\CordovaApp_TemporaryKey.pfx

Result: No CodeIntegrity.cat file

test-osslsigncode-signed.appx does not contain AppxMetadata\CodeIntegrity.cat

Notes on CodeIntegrity.cat

On Windows (crashes on Wine) we can use the tool MakeCat to create an unsigned security catalog file based on a cdf file:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\makecat.exe" example.cdf

example.cdf:

```
[CatalogHeader]
Name=MyCodeIntegrity.cat
ResultDir=.
PublicVersion=0x1
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.1

[CatalogFiles]
File1_Hash=.\test.txt
```

The file format is not documented. Possibly running many permutations of makecat could reveal the structure. The cdf format can contain many parameters; hitting the combination that signtool uses might be a challenge. However, the cat file supposedly only contains sha256 hashes of the files in the Appx.

We can use certutil -dump CodeIntegrity.cat to get the contents in human-readable form. Also, double-clicking the cat file on Windows will show a properties dialog.

Interestingly, the CodeIntegrity.cat file seems only to be created when the Appx contains additional (.dll) files in the root folder. (That is why I added the native Cordova plugin to create the project.)

from osslsigncode.
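The package comparison described in the comment above can be scripted, since an Appx is a ZIP container. This is an added example, not part of the original thread or of osslsigncode; the `AppxSignature.p7x` part name is assumed from the usual signed-Appx layout, and the sample packages are constructed in memory.

```python
import hashlib
import io
import zipfile

# Parts added at signing time. CodeIntegrity.cat is the part discussed in the
# thread; AppxSignature.p7x is assumed from the usual signed-Appx layout.
SIGNING_PARTS = ("AppxSignature.p7x", "AppxMetadata/CodeIntegrity.cat")


def digests(package):
    """Map every file entry of an Appx (a ZIP container) to its SHA-256."""
    with zipfile.ZipFile(package) as zf:
        return {
            info.filename.replace("\\", "/"): hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_signed(pkg_a, pkg_b):
    """Report entries unique to each package and common entries that differ."""
    a, b = digests(pkg_a), digests(pkg_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        "signing_parts": {p: (p in a, p in b) for p in SIGNING_PARTS},
    }


def build_sample(entries):
    """Build a constructed in-memory package for the demo (not a real Appx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    base = {"AppxManifest.xml": b"<Package/>", "SQLite3.dll": b"constructed"}
    a = build_sample({**base, "AppxSignature.p7x": b"sig-a",
                      "AppxMetadata/CodeIntegrity.cat": b"cat"})
    b = build_sample({**base, "AppxSignature.p7x": b"sig-b"})
    print(compare_signed(a, b))
```

For real packages, pass the two file paths instead, for example `compare_signed("test-signtool-signed.appx", "test-osslsigncode-signed.appx")`.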

mtrojnar commented on June 16, 2024

I meant: How can I reproduce the error caused by the missing file?


st-gr commented on June 16, 2024

Hi @mtrojnar,

The missing file does not trigger an error and passes the Windows App Certification Kit (WACK) checks.

I haven't tested it on the MS Store as I lack an account to do so. The discrepancy was noticed during a comparison of packages between my Linux Wine Appx build and a Windows build, leading me to report it as a missing functionality relative to signtool. It appears the file is optional; maybe this will change in the future?

Given that, I am OK to close this for now.


mtrojnar commented on June 16, 2024

It's not a trivial functionality to implement. If it ain't broke, don't fix it.


st-gr commented on June 16, 2024

Agreed.
