http://bugs.winehq.org/show_bug.cgi?id=59275

Bug ID: 59275
Summary: Multiple applications require system DLLs to pass WinVerifyTrust/CryptCATAdminEnumCatalogFromHash
Product: Wine
Version: 11.0
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs@list.winehq.org
Reporter: mkrsym1@gmail.com
Distribution: ---

Multiple applications expect system DLLs to be signed with a trusted certificate, or for their hashes to be present in a CAT file signed with a trusted certificate. The two specific APIs for this are WinVerifyTrust and CryptCATAdminEnumCatalogFromHash.

Non-exhaustive list of things I know in particular:

- Games using TPShell protector > Dec 2025 (Duet Night Abyss, ...). Check triggers if the module is attempted to be loaded from KiUserApcDispatcher/KiUserCallbackDispatcher. This results in winex11.drv, uxtheme.dll, ... being rejected, as they don't have a trusted signature. Verification is by both VerifyTrust and CatalogFromHash. Testing is hindered by kernel driver.
- Honkai: Star Rail wants d3d9.dll, d3d11.dll, dxgi.dll to be present in CatalogFromHash, terminates on load otherwise.

Previous mention of similar issue: https://bugs.winehq.org/show_bug.cgi?id=54836 . Mentions that "it may deserve some discussion", which I assume never took place.

A potential solution I see is to allow (optionally?) specifying a certificate and a signing key at ./configure time, which would then be used to sign the DLLs, afterwards a catalog will be generated and signed by it too. The certificate would then be installed via wine.inf. This however comes at a cost of technically making builds non-reproducible, unless the signing key is public? Alternatively, maybe it could be possible to generate a new authority on every ./configure?

Another potential "solution" would be to make both APIs pretend that builtin DLLs are signed, which I would imagine comes with its own set of issues.