https://bugs.winehq.org/show_bug.cgi?id=42518
Bug ID: 42518
Summary: WinVerifyTrust fails for signatures using SHA256 digest
Product: Wine
Version: 2.2
Hardware: x86
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
Assignee: wine-bugs@winehq.org
Reporter: tomek@bayesfusion.com
Created attachment 57407 --> https://bugs.winehq.org/attachment.cgi?id=57407 source code for a minimal program calling WinVerifyTrust
On both Linux and macOS WinVerifyTrust returns 0x80090008 (NTE_BAD_ALGID) when called to verify the executable signed with SHA256 certificate and using SHA256 digest (/fd sha256 used when calling signtool). This does not happen when the same SHA256 certificate is used to sign the executable, but with SHA1 digest instead; WinVerifyTrust returns 0 in this case.
WinVerifyTrust returns 0 (as expected) on Windows for SHA256 digest.
To reproduce the issue, either a) use sigcheck.exe from SysInternals and verify the signature of SHA256 digest signature (for example, Chrome 56).
or
b) compile the attached C code (CallWVT.c) to get a program which calls WinVerifyTrust on an executable file specified as its 1st argument.
Also attached are the stderr outputs with WINEDEBUG=+wintrust,+crypt. The log_sha2.txt file is the full output. log_sha1_truncated.txt is truncated at the point of successful return from SoftpubLoadMessage (the whole file would be too large).
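As an added example, not the reporter's CallWVT.c attachment: the Python below reads which digest algorithm a PE file's Authenticode signature was produced with, the SHA1-versus-SHA256 distinction that decides whether an affected Wine build returns NTE_BAD_ALGID. It assumes one embedded PKCS#7 signature, single-byte DER tags, and, for SAMPLE_SHA256 and SAMPLE_SHA1, constructed truncated blobs that carry only the fields the parser walks.

```python
import struct

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
# Constructed samples: truncated SignedData holding only version and digestAlgorithms (not real signatures)
SAMPLE_SHA256 = bytes.fromhex("302306092a864886f70d010702a0163014020101310f300d06096086480165030402010500")
SAMPLE_SHA1 = bytes.fromhex("301f06092a864886f70d010702a0123010020101310b300906052b0e03021a0500")

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def security_blob(pe):
    """Return the PKCS#7 payload of the PE security directory, or None if the image is unsigned."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                                    # optional header follows the 20-byte file header
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)   # PE32 vs PE32+ layout
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # entry 4 = security; a file offset, not an RVA
    return None if size == 0 else pe[off + 8:off + size]      # skip the 8-byte WIN_CERTIFICATE header

def digest_algorithm(pkcs7):
    """Name the signer digest algorithm in SignedData.digestAlgorithms (signtool sets it from /fd)."""
    _, content_info, _ = der_tlv(pkcs7, 0)
    tag, ctype, pos = der_tlv(content_info, 0)
    if tag != 0x06 or decode_oid(ctype) != "1.2.840.113549.1.7.2":
        raise ValueError("not a PKCS#7 SignedData structure")
    _, explicit, _ = der_tlv(content_info, pos)          # [0] EXPLICIT wrapper around SignedData
    _, signed_data, _ = der_tlv(explicit, 0)
    _, _, pos = der_tlv(signed_data, 0)                  # version INTEGER
    _, algs, _ = der_tlv(signed_data, pos)               # SET OF AlgorithmIdentifier
    _, alg_id, _ = der_tlv(algs, 0)
    _, oid, _ = der_tlv(alg_id, 0)
    dotted = decode_oid(oid)
    return DIGEST_OIDS.get(dotted, dotted)
```

On a real binary call `digest_algorithm(security_blob(open(path, "rb").read()))`; the sample constants only exercise the DER walk.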
--- Comment #1 from Tomasz Sowinski tomek@bayesfusion.com --- Created attachment 57408 --> https://bugs.winehq.org/attachment.cgi?id=57408 Output for failed SHA256 signature verification
--- Comment #2 from Tomasz Sowinski tomek@bayesfusion.com --- Created attachment 57409 --> https://bugs.winehq.org/attachment.cgi?id=57409 Output for successful SHA1 signature verification
--- Comment #3 from Tomasz Sowinski tomek@bayesfusion.com --- The attached logs were obtained by running the compiled code from first attachment on two executables signed with the same SHA256 certificate. The failure happens when signature digest is SHA256, the same executable signed with the same certificate using SHA1 digest passes the test.
Austin English austinenglish@gmail.com changed:
What | Removed | Added
CC | | austinenglish@gmail.com
Michael Müller michael@fds-team.de changed:
What | Removed | Added
CC | | michael@fds-team.de
--- Comment #4 from Michael Müller michael@fds-team.de --- I think this is the same issue as described in bug 41356. Can you test whether it works in Wine Staging to make sure?
--- Comment #5 from Tomasz Sowinski tomek@bayesfusion.com ---
> Can you test whether it works in Wine Staging to make sure?
I ran the original tests on Wine 2.2 Staging.
Gijs Vermeulen gijsvrm@gmail.com changed:
What | Removed | Added
CC | | leslie_alistair@hotmail.com, z.figura12@gmail.com
--- Comment #6 from Gijs Vermeulen gijsvrm@gmail.com --- I think this could be marked STAGED with: https://github.com/wine-staging/wine-staging/tree/master/patches/wintrust-Wi...
Patch 4, which should fix this, was added on the 2nd of August 2017. The last comment here was February 2017.
In the patch description it also mentions that it fixes a problem with the SWTOR launcher. (I don't know if any of the existing SWTOR bugs mention this problem)
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What | Removed | Added
Status | UNCONFIRMED | STAGED
Ever confirmed | 0 | 1
Staged patchset | | https://github.com/wine-staging/wine-staging/tree/master/patches/wintrust-WinVerifyTrust
--- Comment #7 from Mathew Hodson mathew.hodson@gmail.com --- This is a duplicate of bug 47034.
Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
What | Removed | Added
Status | STAGED | RESOLVED
CC | | o.dierick@piezo-forte.be
Fixed by SHA1 | | b2e72dd09da88e2a4562eb668727c381ea91d91d
Resolution | --- | FIXED
--- Comment #8 from Olivier F. R. Dierick o.dierick@piezo-forte.be --- (In reply to Mathew Hodson from comment #7)
> This is a duplicate of bug 47034.
> Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.
Hello,
Not really a dupe, IMO. The other bug was a temporary breakage from partially pulling the staged patchset. Now that it is fully pulled from staging, this STAGED bug may become FIXED.
Regards.
Alexandre Julliard julliard@winehq.org changed:
What | Removed | Added
Status | RESOLVED | CLOSED
--- Comment #9 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 4.7.
--- Comment #10 from Mathew Hodson mathew.hodson@gmail.com --- (In reply to Olivier F. R. Dierick from comment #8)
> (In reply to Mathew Hodson from comment #7)
> > This is a duplicate of bug 47034.
> > Bug was in staging only at first as shown here, but then was migrated to the main 4.6 release.
> Hello,
> Not really a dupe, IMO. The other bug was a temporary breakage from partially pulling the staged patchset. Now that it is fully pulled from staging, this STAGED bug may become FIXED.
> Regards.
The user who reported this bug was using Wine Staging 2.2. In 2017, the user was reporting that same temporary breakage, because the first part of the patchset had just been added to Wine Staging. This bug didn't apply to main Wine when the user reported it.
Bug 47034 was reporting the exact same regression but now in main Wine. It really is exactly the same issue, which is that SHA256 certificates break if only the first patch from the series is applied.