[Bug 45757] New: Visual Studio 2017 Installer - "The installer manifest failed signature validation"
https://bugs.winehq.org/show_bug.cgi?id=45757

Bug ID: 45757
Summary: Visual Studio 2017 Installer - "The installer manifest failed signature validation"
Product: Wine
Version: 3.15
Hardware: x86
URL: https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2017
OS: Linux
Status: NEW
Keywords: download
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: dark.shadow4(a)web.de
Depends on: 45749
Distribution: ---

Follow up to bug 45749. After the workaround, the installer opens. But installing anything errors instantly with "The installer manifest failed signature validation"

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=45757

jimbo1qaz <jimbo1qaz(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jimbo1qaz(a)gmail.com

--- Comment #1 from jimbo1qaz <jimbo1qaz(a)gmail.com> ---
https://developercommunity.visualstudio.com/content/problem/3983/when-the-se...

I assume this error is related to implementations of cryptography (Wine? DLL? .Net?) Maybe running ProcMon or some Wine equivalent (not sure what, winedbg +relay?) would help.

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #2 from Fabian Maurer <dark.shadow4(a)web.de> ---
Yeah, I hope I can take a look tomorrow.

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #3 from Fabian Maurer <dark.shadow4(a)web.de> ---
Seems like CryptDecodeObjectEx fails, visual studio log says

[00c1:0011][2018-09-03T21:40:25] ManifestVerifier Exception decoding signature value; Unknown error "-2146881269".
[00c1:0011][2018-09-03T21:40:25] ManifestVerifier Result: InvalidSignature

which corresponds to CRYPT_E_ASN1_BADTAG

Could we maybe just be missing some root certificate?

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #4 from Fabian Maurer <dark.shadow4(a)web.de> ---
I got the same issue now on my Win7-VM. Installing the updates, specifically the windows update manager update, fixes the issue. It can also be fixed by installing two certain certificates. Doesn't work on wine though, but I still think it's missing certificates.

https://bugs.winehq.org/show_bug.cgi?id=45757

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Installer
                 CC|                            |focht(a)gmx.net

https://bugs.winehq.org/show_bug.cgi?id=45757

Bug 45757 depends on bug 45749, which changed state.

Bug 45749 Summary: Multiple Node.js based applications/installers need ntdll.NtQueryInformationFile to handle 'FileModeInformation' information class (MS Visual Studio 2017 Installer, FACEIT Anti-cheat client)
https://bugs.winehq.org/show_bug.cgi?id=45749

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

https://bugs.winehq.org/show_bug.cgi?id=45757

Jonathan <jomarocas(a)outlook.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jomarocas(a)outlook.com

--- Comment #5 from Jonathan <jomarocas(a)outlook.com> ---
any update of this issue, I understand is an update from windows update

https://bugs.winehq.org/show_bug.cgi?id=45757

Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |crypt32
                 CC|                            |z.figura12(a)gmail.com

--- Comment #6 from Zebediah Figura <z.figura12(a)gmail.com> ---
The program attempts to decode a signed message. It calls CryptMsgGetParam(..., CMSG_CERT_(COUNT_)PARAM) to retrieve certificates. It then fails trying to decode the third one. I tested feeding the same message into native crypt32 and it only returns two certificates. The third one we return is bogus.

I have no experience with ASN or CMS, and crypt32 code is an unreadable mess. I'm willing to look into this, but I'd really appreciate it if someone with at least a bit more background could consider picking this up instead.

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #7 from Fabian Maurer <dark.shadow4(a)web.de> ---
Does it work with native crypt32 though?

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #8 from Zebediah Figura <z.figura12(a)gmail.com> ---
(In reply to Fabian Maurer from comment #7)
> Does it work with native crypt32 though?

Native crypt32 crashes with a page fault somewhere.

https://bugs.winehq.org/show_bug.cgi?id=45757

Mike Ellery <mellery(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mellery(a)gmail.com

https://bugs.winehq.org/show_bug.cgi?id=45757

scorpion81 <scorpion8182(a)googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |scorpion8182(a)googlemail.com

--- Comment #9 from scorpion81 <scorpion8182(a)googlemail.com> ---
Created attachment 63980
  --> https://bugs.winehq.org/attachment.cgi?id=63980
crash log for MS VC Build Tools installer

https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-...

(not the full VS, but only the buildtools) also fail to install in wine 4.4, 32 bit prefix, even with .NET 4.7.2 being installed via latest winetricks from github.

I know that visual studio itself is listed as "garbage" (lol, the test results are meant), but I think that web installer is just "fancier than necessary" lol

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #10 from scorpion81 <scorpion8182(a)googlemail.com> ---
Created attachment 64024
  --> https://bugs.winehq.org/attachment.cgi?id=64024
content of C:\\users\\username\\Temp\\VSFaultInfo\\190327_082750_2354600\\ErrorInformation.txt

hmm after creating an offline installer like described here

https://stackoverflow.com/questions/46684230/visualstudio-build-tools-2017-o...

and running that like

WINEPREFIX=~/wine-vc14 wine vs_buildtools.exe --quiet --installPath C:\MSVC --noweb

the installer creates an error output file even. I will also attach wine's debug log in another attachment.

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #11 from scorpion81 <scorpion8182(a)googlemail.com> ---
Created attachment 64025
  --> https://bugs.winehq.org/attachment.cgi?id=64025
wine debug log for invocation of offline installer, some telemetry crap craps out

seems like some telemetry stuff is being invoked and queries the hardware id... wtf...

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #12 from Zebediah Figura <z.figura12(a)gmail.com> ---
There's no need to add additional reports and logs; the problem is diagnosed well enough already.

https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #13 from Dmitry Timoshkov <dmitry(a)baikal.ru> ---
Created attachment 64294
  --> https://bugs.winehq.org/attachment.cgi?id=64294
CryptMsgUpdate should skip broken certificates

I've dumped the blob and created 2 test apps: one loads the blob with CertOpenStore(), and another one loads it with CryptMsgOpenToDecode() + CryptMsgUpdate() (like the VS installer does). The opened store contains 2 certificates because before adding the certificate to the store it gets verified by an attempt to create a certificate context. However CryptMsg* doesn't perform the verification and simply copies the certificate.

dumpasn1 shows that the blob in question has 3 certificates, but the last one is corrupted.

Attached patch adds the verification step to CryptMsgUpdate(), and this makes the loop that fetches the certificates from the blob and creates the context succeed. Unfortunately after that the installer still fails the signature verification due to another problem.

P.S. And yes, crypt32 code is not the best thing to work on.

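The difference comment #13 describes, as an added example that is not part of the thread or of Wine's code: a certificates field whose entries are copied as-is versus one where each entry must first parse as a certificate. The byte string is constructed, the structural check is a simplified stand-in for creating a certificate context, and `count_certificates` and `looks_like_certificate` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: three entries of a certificates field. A certificate is
 * SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig }; the third entry
 * has a wrong inner tag (0x31 where 0x30 is required). */
static const uint8_t SAMPLE[] = {
    0x30, 0x09, 0x30, 0x02, 0x05, 0x00, 0x30, 0x00, 0x03, 0x01, 0x00,
    0x30, 0x09, 0x30, 0x02, 0x05, 0x00, 0x30, 0x00, 0x03, 0x01, 0x00,
    0x30, 0x09, 0x31, 0x02, 0x05, 0x00, 0x30, 0x00, 0x03, 0x01, 0x00,
};

/* Parse one DER tag/length header; reject truncated or indefinite lengths. */
static int der_header(const uint8_t *p, size_t avail, size_t *hdr, size_t *len) {
    size_t n = 0, i;
    if (avail < 2) return 0;
    *len = p[1];
    if (p[1] & 0x80) {              /* long form: next n bytes hold the length */
        n = p[1] & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n) return 0;
        for (*len = 0, i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    }
    *hdr = 2 + n;
    return *len <= avail - *hdr;
}

/* Structural check: the entry holds exactly SEQUENCE, SEQUENCE, BIT STRING. */
static int looks_like_certificate(const uint8_t *p, size_t len) {
    static const uint8_t expected[3] = { 0x30, 0x30, 0x03 };
    size_t hdr, clen, i;
    for (i = 0; i < 3; i++, p += hdr + clen, len -= hdr + clen)
        if (!der_header(p, len, &hdr, &clen) || p[0] != expected[i]) return 0;
    return len == 0;
}

/* Count entries; with validate set, skip those that fail the check. */
size_t count_certificates(const uint8_t *p, size_t len, int validate) {
    size_t hdr, clen, count = 0;
    for (; len && der_header(p, len, &hdr, &clen); p += hdr + clen, len -= hdr + clen)
        if (!validate || (p[0] == 0x30 && looks_like_certificate(p + hdr, clen))) count++;
    return count;
}

int main(void) {
    printf("copied as-is: %zu, validated: %zu\n",
           count_certificates(SAMPLE, sizeof SAMPLE, 0), count_certificates(SAMPLE, sizeof SAMPLE, 1));
    return 0;
}
```
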
https://bugs.winehq.org/show_bug.cgi?id=45757

--- Comment #14 from Dmitry Timoshkov <dmitry(a)baikal.ru> ---
(In reply to Dmitry Timoshkov from comment #13)
> Created attachment 64294 [details]
> CryptMsgUpdate should skip broken certificates
>
> I've dumped the blob and created 2 test apps: one loads the blob with CertOpenStore(), and another one loads it with CryptMsgOpenToDecode() + CryptMsgUpdate() (like the VS installer does). The opened store contains 2 certificates because before adding the certificate to the store it gets verified by an attempt to create a certificate context. However CryptMsg* doesn't perform the verification and simply copies the certificate.
>
> dumpasn1 shows that the blob in question has 3 certificates, but the last one is corrupted.
>
> Attached patch adds the verification step to CryptMsgUpdate(), and this makes the loop that fetches the certificates from the blob and creates the context succeed. Unfortunately after that the installer still fails the signature verification due to another problem.

It's CertVerifyCertificateChainPolicy() that failed with CERT_E_UNTRUSTEDROOT. With the patch applied to wine-staging the signature verification step works just fine, probably the patch in staging that adds Microsoft root certificates helps. After that it's possible to start the installation but it fails later due to some not implemented stubs.

https://bugs.winehq.org/show_bug.cgi?id=45757

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |1875620466d178faead9d0ccea08bd2eee7c7722

--- Comment #15 from Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> ---
Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=1875620466d178faead9d0cce...

https://bugs.winehq.org/show_bug.cgi?id=45757

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #16 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 4.8.

https://bugs.winehq.org/show_bug.cgi?id=45757

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.0.x

https://bugs.winehq.org/show_bug.cgi?id=45757

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|4.0.x                       |---

--- Comment #17 from Michael Stefaniuc <mstefani(a)winehq.org> ---
Removing the 4.0.x milestone from bug fixes included in 4.0.3.