[Bug 42518] New: WinVerifyTrust fails for signatures using SHA256 digest
https://bugs.winehq.org/show_bug.cgi?id=42518

Bug ID: 42518
Summary: WinVerifyTrust fails for signatures using SHA256 digest
Product: Wine
Version: 2.2
Hardware: x86
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs(a)winehq.org
Reporter: tomek(a)bayesfusion.com

Created attachment 57407
--> https://bugs.winehq.org/attachment.cgi?id=57407
source code for a minimal program calling WinVerifyTrust

On both Linux and macOS WinVerifyTrust returns 0x80090008 (NTE_BAD_ALGID) when called to verify the executable signed with SHA256 certificate and using SHA256 digest (/fd sha256 used when calling signtool). This does not happen when the same SHA256 certificate is used to sign the executable, but with SHA1 digest instead; WinVerifyTrust returns 0 in this case. WinVerifyTrust returns 0 (as expected) on Windows for SHA256 digest.

To reproduce the issue, either

a) use sigcheck.exe from SysInternals and verify the signature of SHA256 digest signature (for example, Chrome 56), or

b) compile the attached C code (CallWVT.c) to get a program which calls WinVerifyTrust on an executable file specified as its 1st argument.

Also attached are the stderr outputs with WINEDEBUG=+wintrust,+crypt. The log_sha2.txt file is the full output. log_sha1_truncated.txt is truncated at the point of successful return from SoftpubLoadMessage (the whole file would be too large).

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because: You are watching all bug changes.
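An added example, not part of the bug report and not Wine code: a Python check that reads the embedded Authenticode blob of a PE file and reports which file digest (the signtool /fd choice the report turns on) the signature declares, so SHA1-digest and SHA256-digest builds can be told apart before testing them. The function names and the constructed header-only sample are assumptions made for illustration; only single-byte and long-form DER lengths and the two digest OIDs are handled.

```python
import struct

DIGESTS = {bytes.fromhex("2b0e03021a"): "sha1", bytes.fromhex("608648016503040201"): "sha256"}

def tlv(buf, off):  # read one DER TLV at off; return (value_start, value_end)
    length, off = buf[off + 1], off + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return off, off + length

def signed_data_digests(p7):
    """Names listed in SignedData.digestAlgorithms of a PKCS#7 blob."""
    s, _ = tlv(p7, 0)                        # ContentInfo SEQUENCE
    _, e = tlv(p7, s)                        # contentType OID (signedData)
    s, _ = tlv(p7, e)                        # [0] EXPLICIT wrapper
    s, _ = tlv(p7, s)                        # SignedData SEQUENCE
    _, e = tlv(p7, s)                        # version INTEGER
    s, end = tlv(p7, e)                      # digestAlgorithms SET
    names = []
    while s < end:
        a, s = tlv(p7, s)                    # AlgorithmIdentifier SEQUENCE; s moves to next
        o, oe = tlv(p7, a)                   # algorithm OID
        names.append(DIGESTS.get(p7[o:oe], p7[o:oe].hex()))
    return names

def pe_digests(pe):
    """Find the Authenticode blob through the PE security directory."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                            # optional header follows the COFF header
    dirs = opt + (112 if pe[opt:opt + 2] == b"\x0b\x02" else 96)   # PE32+ vs PE32
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: file offset, size
    if not size: return []                   # no embedded signature
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if ctype != 0x0002:                      # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("not a PKCS#7 SignedData certificate")
    return signed_data_digests(pe[off + 8:off + length])

def constructed_pe(oid):  # constructed sample: bare PE32 headers + stub SignedData
    der = lambda tag, body: bytes([tag, len(body)]) + body
    sd = der(0x30, b"\x02\x01\x01" + der(0x31, der(0x30, der(0x06, oid) + b"\x05\x00")))
    p7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, sd))
    hdr = bytearray(0x40 + 24 + 224)
    hdr[:2], hdr[0x40:0x44], hdr[0x58:0x5A] = b"MZ", b"PE\0\0", b"\x0b\x01"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<II", hdr, 0x58 + 96 + 32, len(hdr), 8 + len(p7))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(p7), 0x0200, 0x0002) + p7
```

On a real file, pass the whole file contents to `pe_digests`; the result lists only the declared digest algorithm and does not verify the signature.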
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #1 from Tomasz Sowinski <tomek(a)bayesfusion.com> ---
Created attachment 57408
--> https://bugs.winehq.org/attachment.cgi?id=57408
Output for failed SHA256 signature verification
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #2 from Tomasz Sowinski <tomek(a)bayesfusion.com> ---
Created attachment 57409
--> https://bugs.winehq.org/attachment.cgi?id=57409
Output for successful SHA1 signature verification
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #3 from Tomasz Sowinski <tomek(a)bayesfusion.com> ---
The attached logs were obtained by running the compiled code from first attachment on two executables signed with the same SHA256 certificate. The failure happens when signature digest is SHA256, the same executable signed with the same certificate using SHA1 digest passes the test.
https://bugs.winehq.org/show_bug.cgi?id=42518

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |austinenglish(a)gmail.com
https://bugs.winehq.org/show_bug.cgi?id=42518

Michael Müller <michael(a)fds-team.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael(a)fds-team.de

--- Comment #4 from Michael Müller <michael(a)fds-team.de> ---
I think this is the same issue as described in bug 41356. Can you test whether it works in Wine Staging to make sure?
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #5 from Tomasz Sowinski <tomek(a)bayesfusion.com> ---
> Can you test whether it works in Wine Staging to make sure?

I ran the original tests on Wine 2.2 Staging.
https://bugs.winehq.org/show_bug.cgi?id=42518

Gijs Vermeulen <gijsvrm(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leslie_alistair(a)hotmail.com,
                   |                            |z.figura12(a)gmail.com

--- Comment #6 from Gijs Vermeulen <gijsvrm(a)gmail.com> ---
I think this could be marked STAGED with:
https://github.com/wine-staging/wine-staging/tree/master/patches/wintrust-Wi...

Patch 4, which should fix this was added on the 2nd of August 2017. Last comment here was February 2017.

In the patch description it also mentions that it fixes a problem with the SWTOR launcher. (I don't know if any of the existing SWTOR bugs mention this problem)
https://bugs.winehq.org/show_bug.cgi?id=42518

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |STAGED
     Ever confirmed|0                           |1
    Staged patchset|                            |https://github.com/wine-staging/wine-staging/tree/master/patches/wintrust-WinVerifyTrust
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #7 from Mathew Hodson <mathew.hodson(a)gmail.com> ---
This is a duplicate of bug 47034.

Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.
https://bugs.winehq.org/show_bug.cgi?id=42518

Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|STAGED                      |RESOLVED
                 CC|                            |o.dierick(a)piezo-forte.be
      Fixed by SHA1|                            |b2e72dd09da88e2a4562eb668727c381ea91d91d
         Resolution|---                         |FIXED

--- Comment #8 from Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> ---
(In reply to Mathew Hodson from comment #7)
> This is a duplicate of bug 47034.
>
> Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.

Hello,

Not really a dupe, IMO. The other bug was a temporary breakage from partially pulling the staged patchset. Now that it is fully pulled from staging, this STAGED bug may become FIXED.

Regards.
https://bugs.winehq.org/show_bug.cgi?id=42518

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 4.7.
https://bugs.winehq.org/show_bug.cgi?id=42518

--- Comment #10 from Mathew Hodson <mathew.hodson(a)gmail.com> ---
(In reply to Olivier F. R. Dierick from comment #8)
> (In reply to Mathew Hodson from comment #7)
> > This is a duplicate of bug 47034.
> >
> > Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.
>
> Hello,
>
> Not really a dupe, IMO. The other bug was a temporary breakage from partially pulling the staged patchset. Now that it is fully pulled from staging, this STAGED bug may become FIXED.
>
> Regards.

The user who reported this bug was using Wine Staging 2.2. In 2017, the user was reporting that same temporary breakage, because the first part of the patchset had just been added to Wine Staging. This bug didn't apply to main Wine when the user reported it.

Bug 47034 was reporting the exact same regression but now in main Wine. It really is exactly the same issue, which is that SHA256 certificates break if only the first patch from the series is applied.