https://bugs.winehq.org/show_bug.cgi?id=45757
--- Comment #14 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Dmitry Timoshkov from comment #13)
Created attachment 64294: CryptMsgUpdate should skip broken certificates
I've dumped the blob and created 2 test apps: one loads the blob with CertOpenStore(), and another one loads it with CryptMsgOpenToDecode() + CryptMsgUpdate() (like the VS installer does). The opened store contains 2 certificates because before adding the certificate to the store it gets verified by an attempt to create a certificate context. However, CryptMsg* doesn't perform the verification and simply copies the certificate.
dumpasn1 shows that the blob in question has 3 certificates, but the last one is corrupted.
The attached patch adds the verification step to CryptMsgUpdate(), and this makes the loop that fetches the certificates from the blob and creates the context succeed. Unfortunately, after that the installer still fails the signature verification due to another problem.
It's CertVerifyCertificateChainPolicy() that failed with CERT_E_UNTRUSTEDROOT. With the patch applied to wine-staging, the signature verification step works just fine; probably the patch in staging that adds Microsoft root certificates helps.
After that, it's possible to start the installation, but it fails later due to some unimplemented stubs.
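
Added example, not part of the comment above or of the attached Wine patch: a portable C sketch of the "verify each certificate before keeping it" step, walking the concatenated DER elements of a certificate set and skipping any whose structure does not parse. The function names, the shallow shape check (standing in for the attempt to create a certificate context) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse one DER header with the expected tag; return header size, 0 if bad. */
static size_t der_header(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    size_t hdr = 2, l;
    if (n < 2 || p[0] != tag) return 0;
    l = p[1];
    if (l & 0x80) {                      /* long form: l & 0x7f length bytes */
        size_t nb = l & 0x7f;
        if (nb == 0 || nb > 4 || n < 2 + nb) return 0;
        for (l = 0; hdr < 2 + nb; hdr++) l = (l << 8) | p[hdr];
    }
    if (l > n - hdr) return 0;           /* content runs past the buffer */
    *len = l; return hdr;
}

/* Assumed shallow check: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }, n bytes. */
static int cert_shape_ok(const uint8_t *p, size_t n)
{
    static const uint8_t tags[3] = { 0x30, 0x30, 0x03 };
    size_t len, hdr = der_header(p, n, 0x30, &len);
    if (!hdr || hdr + len != n) return 0;
    p += hdr; n = len;
    for (int i = 0; i < 3; i++) {
        if (!(hdr = der_header(p, n, tags[i], &len))) return 0;
        p += hdr + len; n -= hdr + len;
    }
    return n == 0;
}

/* Walk the concatenated elements; return usable count, -1 if framing is bad. */
int count_usable_certs(const uint8_t *set, size_t n, int *skipped)
{
    int good = 0;
    for (*skipped = 0; n > 0; ) {
        size_t len, hdr = der_header(set, n, set[0], &len);
        if (!hdr) return -1;
        if (cert_shape_ok(set, hdr + len)) good++; else (*skipped)++;
        set += hdr + len; n -= hdr + len;
    }
    return good;
}

/* Constructed sample: two minimal well-shaped elements, then a corrupted one. */
const uint8_t sample_set[30] = { 0x30,0x08,0x30,0x00,0x30,0x00,0x03,0x02,0x00,0x01,
    0x30,0x08, 0x30,0x00, 0x30,0x00, 0x03,0x02,0x00,0x01,
    0x30,0x08, 0x30,0x00, 0x30,0x00, 0x03,0x05,0x00,0x01 };
```

On the constructed sample the walk keeps two elements and skips the third, whose inner BIT STRING claims more bytes than its enclosing SEQUENCE holds.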