https://bugs.winehq.org/show_bug.cgi?id=42518
Bug ID: 42518
Summary: WinVerifyTrust fails for signatures using SHA256 digest
Product: Wine
Version: 2.2
Hardware: x86
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs@winehq.org
Reporter: tomek@bayesfusion.com
Created attachment 57407 --> https://bugs.winehq.org/attachment.cgi?id=57407 source code for a minimal program calling WinVerifyTrust
On both Linux and macOS, WinVerifyTrust returns 0x80090008 (NTE_BAD_ALGID) when called to verify an executable signed with a SHA256 certificate and using a SHA256 digest (/fd sha256 used when calling signtool). This does not happen when the same SHA256 certificate is used to sign the executable, but with a SHA1 digest instead; WinVerifyTrust returns 0 in this case.
WinVerifyTrust returns 0 (as expected) on Windows for SHA256 digest.
To reproduce the issue, either
a) use sigcheck.exe from SysInternals and verify a SHA256 digest signature (for example, Chrome 56),
or
b) compile the attached C code (CallWVT.c) to get a program which calls WinVerifyTrust on an executable file specified as its first argument.
Also attached are the stderr outputs with WINEDEBUG=+wintrust,+crypt. The log_sha2.txt file is the full output. log_sha1_truncated.txt is truncated at the point of successful return from SoftpubLoadMessage (the whole file would be too large).
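To tell in advance which executables fall into the failing case described in this report, the digest algorithm can be read directly from the file's embedded PKCS#7 signature. The following is an added example, not code from the report or from Wine: the function names are hypothetical, `sample_pe` builds a constructed PE-shaped buffer for the demo, and only DER definite-length encoding and the first entry of `digestAlgorithms` are handled.

```python
import struct

DIGESTS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}  # DER OID bytes (hex)

def tlv(buf, pos):                        # -> (tag, content_start, content_end)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: length bytes follow
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first

def pkcs7_digest(p7):
    """Name the first entry of SignedData.digestAlgorithms."""
    p = 0
    # ContentInfo > (skip contentType) > [0] > SignedData > (skip version) > SET > AlgorithmIdentifier
    for enter in (True, False, True, True, False, True, True):
        _, start, end = tlv(p7, p)
        p = start if enter else end
    tag, start, end = tlv(p7, p)          # algorithm OID
    if tag != 0x06:
        raise ValueError("unexpected SignedData layout")
    return DIGESTS.get(p7[start:end].hex(), "unknown")

def authenticode_digest(pe):
    """Digest name of a PE's embedded signature, or None if unsigned."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+
    dirs = nt + 24 + (112 if struct.unpack_from("<H", pe, nt + 24)[0] == 0x20B else 96)
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # security dir; off is a file offset
    if not off or not size:
        return None
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if ctype != 0x0002:                   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("not a PKCS#7 signature")
    return pkcs7_digest(pe[off + 8:off + length])

def der(tag, body):                       # short-form lengths only (sample is tiny)
    return bytes([tag, len(body)]) + body

def sample_pe(oid):
    """Constructed PE-shaped buffer for the demo; not a loadable executable."""
    signed = der(0x30, b"\x02\x01\x01" + der(0x31, der(0x30, der(0x06, oid) + b"\x05\x00")))
    p7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed))
    pe = bytearray(0x200)
    pe[:2], pe[0x3C:0x40], pe[0x80:0x84] = b"MZ", struct.pack("<I", 0x80), b"PE\0\0"
    struct.pack_into("<H", pe, 0x98, 0x10B)                  # PE32 magic
    struct.pack_into("<II", pe, 0x118, 0x200, 8 + len(p7))   # security directory entry
    return bytes(pe) + struct.pack("<IHH", 8 + len(p7), 0x0200, 2) + p7
```

On a real file, pass the whole file contents (read in binary mode) to `authenticode_digest`; a result of `"sha256"` marks a file in the case this report describes as failing under Wine 2.2.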