http://bugs.winehq.org/show_bug.cgi?id=34388
Bug #: 34388
Summary: Star Citizen: Certificate authentication failed
Product: Wine
Version: 1.7.0
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: adys.wh@gmail.com
Classification: Unclassified
Star Citizen launcher starts with an error message: "Certificate authentication failed, please re-install to correct the problem"
+crypt attached.
--- Comment #1 from Jerome Leclanche adys.wh@gmail.com 2013-08-29 20:17:49 CDT ---
Created attachment 45779
  --> http://bugs.winehq.org/attachment.cgi?id=45779
WINEDEBUG=+tid,crypt WINEPREFIX=~/starcitizen wine StarCitizenLauncher.exe &> ~/star-citizen.txt
Warning: 25MB text file uncompressed
achilleas.k@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |achilleas.k@gmail.com
--- Comment #2 from Charles Davis cdavis5x@gmail.com 2013-09-02 00:55:25 CDT ---
Created attachment 45818
  --> http://bugs.winehq.org/attachment.cgi?id=45818
Patch to fix Star Citizen signature verification bug
I can confirm that this is present on Mac OS as well. (Yes, I know, Wine64 doesn't work on Mac OS yet, but I'm working on it. The installer and launcher are still 32-bit executables, though, so I decided to give 'em a shot to see if I could even install it.)
The launcher executable is signed. You can verify this with winedump(1)--the SECURITY data directory will be non-NULL. Embedded within the signature is the Certificate Authority needed to verify the signature. When it is run, it attempts to import this certificate locally before manually verifying the signature. But one of the items in the certificate is unknown to Wine--its ASN tag is ASN_CONSTRUCTOR|ASN_UNIVERSAL|0x11 (0x31). (You can see this by attempting to run the launcher with +cryptasn. Look for "tag 31 doesn't match expected 30" in the output.) It doesn't seem to contain anything important, because just skipping this item causes the import--and thus, the signature verification--to succeed.
I've attached a patch that should hopefully fix this (it did for me), but I won't be submitting this to wine-patches until I come up with a good test case (i.e. one that can be embedded in Wine's test suite). Try it and see if it works for you, too.
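The tag mismatch described in comment #2, as an added illustration (this is not Wine's code and not the attached patch): a small DER walker that expects SEQUENCE (0x30) items and either fails on a SET (0x31) item or steps over it. `SAMPLE`, `der_header` and `walk_sample` are hypothetical names, the sample bytes are constructed, and the `ASN_*` values are defined locally from the DER identifier-octet layout.

```c
#include <stddef.h>
#include <stdint.h>

/* DER identifier-octet bits (X.690); names follow the ones quoted in the thread. */
#define ASN_UNIVERSAL   0x00
#define ASN_CONSTRUCTOR 0x20
#define ASN_SEQUENCE    (ASN_UNIVERSAL | ASN_CONSTRUCTOR | 0x10) /* 0x30 */
#define ASN_SET         (ASN_UNIVERSAL | ASN_CONSTRUCTOR | 0x11) /* 0x31 */

/* Constructed sample (not taken from any launcher): a [0] container holding
 * SEQUENCE, SET, SEQUENCE, each wrapping one small INTEGER. */
static const uint8_t SAMPLE[] = { 0xa0, 0x0f,
    0x30, 0x03, 0x02, 0x01, 0x01,
    0x31, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x03, 0x02, 0x01, 0x03 };

/* Parse one header (single-octet tag, definite length). Returns the header
 * size, or 0 if the item is malformed or its value overruns the buffer. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t *tag, size_t *vlen)
{
    if (len < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* no high-tag-number form */
    size_t hdr = 2, n = p[1];
    if (n & 0x80) {                                   /* long-form length */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > sizeof(size_t) || cnt > len - 2) return 0;
        for (n = 0; hdr < 2 + cnt; hdr++) n = (n << 8) | p[hdr];
    }
    if (n > len - hdr) return 0;
    *tag = p[0]; *vlen = n;
    return hdr;
}

/* Walk the items inside SAMPLE's container, expecting ASN_SEQUENCE; skip_sets
 * steps over ASN_SET items. Returns SEQUENCE items accepted, or -1 on error. */
int walk_sample(int skip_sets)
{
    uint8_t tag; size_t vlen, hdr = der_header(SAMPLE, sizeof SAMPLE, &tag, &vlen);
    if (!hdr || !(tag & ASN_CONSTRUCTOR)) return -1;
    const uint8_t *p = SAMPLE + hdr;
    int accepted = 0;
    while (vlen) {
        size_t ilen, ihdr = der_header(p, vlen, &tag, &ilen);
        if (!ihdr) return -1;
        if (tag == ASN_SEQUENCE) accepted++;
        else if (!(skip_sets && tag == ASN_SET)) return -1; /* tag mismatch */
        p += ihdr + ilen; vlen -= ihdr + ilen;
    }
    return accepted;
}

int main(void) { return (walk_sample(0) == -1 && walk_sample(1) == 2) ? 0 : 1; }
```

With strict matching the walk stops at the SET item, the same condition as the "tag 31 doesn't match expected 30" trace; with skipping enabled the item's bytes are stepped over without being examined.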
Charles Davis cdavis5x@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |cdavis5x@gmail.com
--- Comment #3 from Jerome Leclanche adys.wh@gmail.com 2013-09-02 03:14:13 CDT ---
Doesn't seem to have fixed the issue here.
--- Comment #4 from Jerome Leclanche adys.wh@gmail.com 2013-09-02 09:43:33 CDT ---
Created attachment 45823
  --> http://bugs.winehq.org/attachment.cgi?id=45823
WINEDEBUG=+tid,+crypt,+cryptasn wine StarCitizenLauncher.exe (patched with 45818)
Patched output attached
--- Comment #5 from Charles Davis cdavis5x@gmail.com 2013-09-02 21:14:39 CDT ---
I can't see anything obviously wrong from your log. My patch maybe got you a bit further (the attempt to import the certificate no longer fails), but one of the CryptVerifySignature calls that the launcher is making is still failing.
One odd thing I've noticed about your log (vs mine) is that the launcher, after verifying its code signature, makes at least three additional CryptVerifySignature calls (it might make more, if one of them weren't failing) that it's not making on my system for some reason. (There are, in fact, hundreds of CryptVerifySignature calls in your log, but most of them seem to be coming from Wine, since most of the calls are directly to the wide version, but the launcher prefers to GetProcAddress the ANSI version and call that. They must be partying like it's Windows 95 over at CIG. :) Another thing--and this is likely related to you having this file--is that the first VerifySignature call triggers Wine importing a bunch of CAs from "/etc/ssl/certs/ca-certificates.crt".
Hmm... Do you have a root CA named 'UTN-USERFirst-Object' installed? (You might find it under the filename 'UTN_USERFirst_Object_Root_CA.crt'.) I do, and apparently, it's needed to verify the intermediate CA ('COMODO Code Signing CA 2') against which the launcher was signed. If you do, or if you don't and installing it doesn't help, you might also find it helpful to install that intermediate CA.
--- Comment #6 from Jerome Leclanche adys.wh@gmail.com 2013-09-02 22:56:22 CDT ---
All I have are these:
/etc/ssl/certs # ls UTN_*
UTN_DATACorp_SGC_Root_CA.pem@ UTN_USERFirst_Email_Root_CA.pem@ UTN_USERFirst_Hardware_Root_CA.pem@
Let me try installing UTN_USERFirst_Object_Root_CA.crt.
--- Comment #7 from Jerome Leclanche adys.wh@gmail.com 2013-09-03 00:00:53 CDT ---
Beautiful. It works with the certificate installed.
Note: installing a new cert is not straightforward. :/
I wonder though, is it odd it was missing? arch gets its certs from debian's ca-certificates:
source=("http://ftp.debian.org/debian/pool/main/c/${pkgname}/${pkgname}_${p...")
Jerome Leclanche adys.wh@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords | |patch
URL | |https://robertsspaceindustries.com/hangar-module
--- Comment #8 from Charles Davis cdavis5x@gmail.com 2013-09-03 00:21:58 CDT ---
(In reply to comment #7)
> Beautiful. It works with the certificate installed.
Glad to hear it! (This is with my patch applied, right?)
> Note: installing a new cert is not straightforward. :/
At least this doesn't have to be done often. ;)
> I wonder though, is it odd it was missing? arch gets its certs from debian's ca-certificates:
I guess neither Debian nor Firefox normally needs it. From the description page:
This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.
It includes, among others, certificate authorities used by the Debian infrastructure and those shipped with Mozilla's browsers.
Should I put in a request for this one to be included now?
--- Comment #9 from Jerome Leclanche adys.wh@gmail.com 2013-09-03 00:22:42 CDT ---
Yes, definitely.
--- Comment #10 from Jerome Leclanche adys.wh@gmail.com 2013-09-03 00:23:09 CDT ---
(In reply to comment #9)
And yes, it was with the patch applied of course.
Jerome Leclanche adys.wh@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks | |34427
--- Comment #11 from Charles Davis cdavis5x@gmail.com 2013-09-03 01:10:06 CDT ---
(In reply to comment #9)
> Yes, definitely.
Request sent and acknowledged. Filed 721692.
Jerome Leclanche adys.wh@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also | |http://bugs.debian.org/721692
--- Comment #12 from Jerome Leclanche adys.wh@gmail.com ---
(In reply to comment #11)
What's the status on both issues?
sxe sxxe@gmx.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |sxxe@gmx.de

--- Comment #13 from sxe sxxe@gmx.de ---
FYI: This also fixes the same "bug" for the Elder Scrolls Online BETA launcher. Thanks for the tips guys!
eroen eroen@faith.eroen.eu changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |eroen@faith.eroen.eu

--- Comment #14 from eroen eroen@faith.eroen.eu ---
I confirm that on (testing) Gentoo, the patch in Comment 3 makes the Elder Scrolls Online launcher no longer crash immediately.
--- Comment #15 from Charles Davis cdavis5x@gmail.com ---
(In reply to comment #12)
> (In reply to comment #11)
> What's the status on both issues?
I'm not even sure the patch is correct anymore. I tried writing some tests based on the patch, to see if Windows actually behaves this way, but AFAICT, it doesn't. Also, the issue seems to be gone with recent versions of the SC Hangar Module installer, though I haven't tried it in a while. I'll have to try the ESO installer sometime. (Somebody contacted me off-list and told me it works on Windows 7, but not on Wine, with similar symptoms as the SC installer. They were even helpful enough to attach the certificate data that Wine doesn't like.)
As for the Debian issue, it looks like what they want to do is change the package layout to better accommodate code-signing CAs like the USERTrust CA used to sign these two games' installers: ca-certificates Git has separate *.pem files for SSL/TLS, email, and code signing. They're leery about adding it directly, because it's not trusted for either SSL/TLS servers or signing emails (just signing binaries). (At least, that's the explanation I got.)
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |austinenglish@gmail.com
Corax ajantes@gmx.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |ajantes@gmx.de

--- Comment #16 from Corax ajantes@gmx.de ---
Hello all,
I'm new to Linux and therefore not sure what the correct syntax for installing the certificate is, so could someone post the exact syntax?! That would help me a lot. Trying to run ESO for the coming beta weekend :)
all the best
Jerome Leclanche adys.wh@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary |Star Citizen: Certificate authentication failed |Star Citizen: Certificate authentication failed (Affects Elder Scrolls Online)
Jaroslav Kazunekit@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |Kazunekit@gmail.com

--- Comment #17 from Jaroslav Kazunekit@gmail.com ---
Hello, I registered to say that this also affects Tera Online. The patch by Charles Davis fixed the Certificate authentication failed message.
Béla Gyebrószki gyebro69@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |gyebro69@gmail.com

--- Comment #18 from Béla Gyebrószki gyebro69@gmail.com ---
Still present in Wine 1.7.42
The patch from comment #2 fixes the issue in TERA Online.
Fedora 21 x86
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords | |download
CC | |focht@gmx.net
Component |-unknown |crypt32

--- Comment #19 from Anastasius Focht focht@gmx.net ---
Hello folks,
Charles' patch is also available/included in Wine-Staging by default:
https://github.com/wine-compholio/wine-staging/blob/master/patches/crypt32-C...
Regards
confetti jean_antonin@hotmail.fr changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |jean_antonin@hotmail.fr
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also | |https://bugs.wine-staging.com/show_bug.cgi?id=291
Michael Müller michael@fds-team.de changed:
What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |STAGED
CC | |michael@fds-team.de, sebastian@fds-team.de
Staged patchset | |https://github.com/wine-compholio/wine-staging/tree/master/patches/crypt32-CMS_Certificates
André H. nerv@dawncrow.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |nerv@dawncrow.de
Staged patchset |https://github.com/wine-compholio/wine-staging/tree/master/patches/crypt32-CMS_Certificates |https://github.com/wine-staging/wine-staging/tree/master/patches/crypt32-CMS_Certificates
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |eli@orbsky.homelinux.org

--- Comment #20 from Anastasius Focht focht@gmx.net ---
*** Bug 41634 has been marked as a duplicate of this bug. ***
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary |Star Citizen: Certificate authentication failed (Affects Elder Scrolls Online) |Multiple games fail to validate their signed executables due to unknown items in embedded CMS certificate (Star Citizen, Affects Elder Scrolls Online, TERA)

--- Comment #21 from Anastasius Focht focht@gmx.net ---
Hello folks,
refining summary to collect more games here and generate better hits for Bugzilla/appdb/search engines. Obviously still present, re-confirmed with comment #20
$ sha1sum TERA-Minimal-Setup.exe
8063745ef74aa13f0766b91b52b11ce65866aa47 TERA-Minimal-Setup.exe
$ du -sh TERA-Minimal-Setup.exe
60M TERA-Minimal-Setup.exe
$ wine --version
wine-3.16-167-g42929b75fc
Regards
Vijay Kamuju infyquest@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |infyquest@gmail.com

--- Comment #22 from Vijay Kamuju infyquest@gmail.com ---
I found some relevant documentation, wherein we are missing ASN_SET and ASN_BOOLEAN. I believe that below definitions hold true
ASN_SET = ASN_CONSTRUCTOR | ASN_UNIVERSAL | 0x11
ASN_BOOLEAN = ASN_CONSTRUCTOR | ASN_PRIMITIVE | 0x01
I will test with some test game or app which I can run in my HyperV virtual machine and also check X509 certificate documentation
--- Comment #23 from Vijay Kamuju infyquest@gmail.com ---
(In reply to Vijay Kamuju from comment #22)
> I found some relevant documentation, wherein we are missing ASN_SET and ASN_BOOLEAN.
Not from official Microsoft documentation.
> I believe that below definitions hold true
> ASN_SET = ASN_CONSTRUCTOR | ASN_UNIVERSAL | 0x11
> ASN_BOOLEAN = ASN_CONSTRUCTOR | ASN_PRIMITIVE | 0x01
> I will test with some test game or app which I can run in my HyperV virtual machine and also check X509 certificate documentation
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
URL |https://robertsspaceindustries.com/hangar-module |https://web.archive.org/web/20200818163020/http://patch.tera.enmasse-game.com/temp/TERA-Minimal-Setup.exe
David Koolhoven spambox1@koolhoven-home.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC | |spambox1@koolhoven-home.net

--- Comment #24 from David Koolhoven spambox1@koolhoven-home.net ---
This issue does not affect Star Citizen at this time, version 3.13.1.