https://bugs.winehq.org/show_bug.cgi?id=55165
Bug ID: 55165
Summary: Age of Empires II Definitive Edition quits on startup, due to WinVerifyTrust() failing on game binaries.
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs@winehq.org
Reporter: david@davidgow.net
Distribution: ---
The latest update of Age of Empires II: Definitive Edition no longer runs under wine and wine derivatives like Proton, Crossover, etc. This is because the updated version has an anti-tampering check which calls WinVerifyTrust() on all of the bundled .exe and .dll files (even those the game doesn't use).
Under Wine, WinVerifyTrust() fails with TRUST_E_CERT_SIGNATURE on these PE files, even though it works on other signed executables.
Patching wine to always return 0 from WinVerifyTrust() allows the game to start, and to run successfully. See: https://github.com/ValveSoftware/Proton/issues/3189#issuecomment-1610974028
I've written a simple program which calls WinVerifyTrust() on a file and prints the error:
(source): https://davidgow.net/stuff/trustchk.c
(x86_64 binary): https://davidgow.net/stuff/trustchk64.exe
The trustchk64.exe binary is signed, so "trustchk64.exe trustchk64.exe" prints:
trustchk64.exe: 0 (Success. )
Running against an unsigned binary gives:
trustchk.exe: 800B0100 (No Signature found in file. )
Running against AoE2:DE's AoE2DE_s.exe file (or any other .exe or .dll from the game) fails with:
AoE2DE_s.exe: 80096004 (TRUST_E_CERT_SIGNATURE: The signature of the certificate cannot be verified.)
I've extracted the offending executable's signature with osslsigncode extract-signature: https://davidgow.net/stuff/AoE2DE_s.sig
Equally, I've verified the executable signature with osslsigncode: https://davidgow.net/stuff/AoE2DE_s.sig-verify.txt
The Steam game info for the affected version is:
App ID: 813780
Build ID: 11543327
--- Comment #1 from Hans Leidekker hans@meelstraat.net --- Can you attach a WINEDEBUG=+wintrust,+chain,+crypt trace from the failure case?
--- Comment #2 from David Gow david@davidgow.net --- Created attachment 74741 --> https://bugs.winehq.org/attachment.cgi?id=74741 Log of WinVerifyTrust() failing on AoE2DE_s.exe (via trustchk) with WINEDEBUG=+wintrust,+chain,+crypt
--- Comment #3 from Hans Leidekker hans@meelstraat.net ---
0024:trace:crypt:CRYPT_ImportPublicKeyInfoEx (00359470, 00000001, 0000000000358520, 00000000, 00000000, 0000000000000000, 000000000021F538)
0024:trace:crypt:CryptInitOIDFunctionSet ("CryptDllConvertPublicKeyInfo", 0)
0024:trace:crypt:CryptGetOIDFunctionAddress (00000000010BB320, 1, "1.2.840.10045.2.1", 00000000, 000000000021F3B8, 000000000021F3C0)
0024:trace:crypt:CryptGetOIDFunctionAddress returning 0
0024:trace:crypt:CryptDecodeObjectEx (0x00000001, #0013, 0000000000358740, 65, 0x00000000, 0000000000000000, 0000000000000000, 000000000021F3B4)
0024:trace:crypt:CryptDecodeObjectEx returning 0
1.2.840.10045.2.1 = ecEncryption. #0013 = RSA_CSP_PUBLICKEYBLOB. We're looking for RSA public key info but the issuer certificate is an EC certificate. In the success case the OID is 1.2.840.113549.1.1.1 = rsaEncryption, so the decoding succeeds.
So essentially we need to add support for EC public keys in CryptImportPublicKeyInfoEx().
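Added example, not part of the original thread and not Wine's code: a small DER walker that reads the algorithm OID out of a SubjectPublicKeyInfo and classifies the key, showing where the two OIDs named in comment #3 come from and why a decoder that only knows rsaEncryption rejects an EC issuer key. The function names and both sample byte arrays are constructed for illustration (the key bytes are left as zeros).

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: DER headers only; key bytes are the zeroed array tail. */
const unsigned char EC_SPKI[91] = { 0x30,0x59, 0x30,0x13, 0x06,0x07,
    0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,         /* 1.2.840.10045.2.1 */
    0x06,0x08, 0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07, 0x03,0x42,0x00, 0x04 };
const unsigned char RSA_SPKI[294] = { 0x30,0x82,0x01,0x22, 0x30,0x0D, 0x06,0x09,
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01, 0x05,0x00, 0x03,0x82,0x01,0x0F,0x00 };
/* Read one DER header with the wanted tag; returns its size, 0 if malformed. */
static size_t der_hdr(const unsigned char *p, size_t n, int tag, size_t *len)
{
    size_t k, i;
    if (n < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    k = p[1] & 0x7f;                            /* long form: k length bytes */
    if (k == 0 || k > 2 || n < 2 + k) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return *len <= n - 2 - k ? 2 + k : 0;
}
/* Decode OID content bytes (base-128 arcs) to dotted text; 0 on success. */
static int oid_to_text(const unsigned char *p, size_t n, char *out, size_t cap)
{
    unsigned long v = 0; size_t i, used = 0; int w;
    for (i = 0; i < n; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;              /* arc continues in next byte */
        w = used ? snprintf(out + used, cap - used, ".%lu", v)
                 : snprintf(out, cap, "%lu.%lu", v < 80 ? v / 40 : 2, v < 80 ? v % 40 : v - 80);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; v = 0;
    }
    return (n && !(p[n - 1] & 0x80)) ? 0 : -1;
}
/* Classify a SubjectPublicKeyInfo by its algorithm OID (text left in oid[]). */
const char *spki_key_type(const unsigned char *p, size_t n, char *oid, size_t cap)
{
    static const int tags[3] = { 0x30, 0x30, 0x06 }; /* SPKI, AlgorithmIdentifier, OID */
    size_t len = 0, h, i;
    for (i = 0; i < 3; i++, p += h, n = len)    /* descend one header at a time */
        if (!(h = der_hdr(p, n, tags[i], &len))) return "malformed";
    if (oid_to_text(p, n, oid, cap)) return "malformed";
    return !strcmp(oid, "1.2.840.113549.1.1.1") ? "rsa"     /* rsaEncryption */
         : !strcmp(oid, "1.2.840.10045.2.1") ? "ec" : "unsupported";
}
int main(void)
{
    char oid[64];
    return printf("%s -> %s\n", oid, spki_key_type(EC_SPKI, sizeof EC_SPKI, oid, sizeof oid)) < 0;
}
```

A verifier that dispatches on this result can route EC keys to an ECDSA path instead of handing them to an RSA key-blob decoder and reporting a signature failure.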
Hans Leidekker hans@meelstraat.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|wintrust                    |crypt32
Paul Gofman pgofman@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pgofman@codeweavers.com
--- Comment #4 from Paul Gofman pgofman@codeweavers.com --- I've been looking at that since yesterday, sent MR: https://gitlab.winehq.org/wine/wine/-/merge_requests/3201
--- Comment #5 from Paul Gofman pgofman@codeweavers.com --- FWIW CryptImportPublicKeyInfoEx doesn't have support for such keys as my included test shows, looks like the correct place to handle it is crypt message handling.
David Gow david@davidgow.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED
--- Comment #6 from David Gow david@davidgow.net --- This was fixed by https://gitlab.winehq.org/wine/wine/-/merge_requests/3201, which landed in 8.12 and has filtered through to most downstream wine variants (e.g. Proton).
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 8.21.