This fixes a Battle.net error during install and updates on hosts which happen to have Battle.net's ephemeral cert installed (this happens on Macs with the native Battle.net client installed). The problem comes from CertDeleteCertificateFromStore() not releasing the cert reference, which results in a leaked store which never flushes changes to the registry because of that.
BNet, MS documentation and MS samples in the documentation all seem to assume that CertDeleteCertificateFromStore() should actually decrement the refcount. And so, indirectly, do my tests, although I didn't find a good way to test that directly: native crypt32 looks extremely robust to an extra certificate release and I couldn't ever get it to crash this way. However, closing the store with CERT_CLOSE_STORE_CHECK_FLAG seems to indicate the cases when a cert (and consequently the store) has extra references at store close, and testing with that confirms that CertDeleteCertificateFromStore() deletes the reference (duplicating the cert before store close may trigger the error).
I checked the code for uses of CertDeleteCertificateFromStore() which would assume that it does not decrement the refcount. I found one in rootstore.c and one in cryptui.dll, which are changed. I_CertUpdateStore() was leaking references in store1 instead; that also looks fixed by patch 1.
Then, while looking at certificate enumeration, which could be sensitive to refcounting changes, I found that it is broken for the case of deleting a certificate during enumeration, even for the exact scenario illustrated in the MS example as the recommended way to delete a cert during enumeration (https://learn.microsoft.com/en-us/windows/win32/seccrypto/example-c-program-...). That is tested and fixed in the patches.
Then, given that:
- it looks almost impossible to get the crypt32 refcounting model right, and calling an extra CertFreeCertificateContext() after (at least right after) deleting from the store an arbitrary number of times doesn't result in any issue on Windows;
- now that CertDeleteCertificateFromStore() decrements the refcount, app bugs doing an extra CertFreeCertificateContext() after that (like we did on some occasion previously) will lead to crashes on Wine

it seems to me it makes sense to replace an assert in Context_Release(), which I am doing in patch 5. This way such extra CertFreeCertificateContext() calls have good chances to be harmless on Wine too.
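
The reference-counting contract described above, as an added example that is not part of the original description and is not crypt32, Wine or patch code. It is a simplified model in which every name is hypothetical: delete consumes the caller's reference, enumeration takes over the previous context's reference, and a checked close fails while callers still hold contexts.

```c
/* Simplified model only: not crypt32 or Wine code; all names are hypothetical. */
#include <stdlib.h>
struct ctx { int id, ref; struct ctx *next; };
struct store { struct ctx *head; int outstanding; }; /* outstanding: refs held by callers */

void store_add(struct store *s, int id)
{
    struct ctx *c = malloc(sizeof(*c));
    if (!c) abort();
    *c = (struct ctx){ id, 1, s->head }; /* ref 1 is the store's own reference */
    s->head = c;
}

struct ctx *ctx_dup(struct store *s, struct ctx *c) { c->ref++; s->outstanding++; return c; }
void ctx_release(struct store *s, struct ctx *c) { s->outstanding--; if (--c->ref == 0) free(c); }

/* Enumeration step: takes over prev's reference and returns a referenced next. */
struct ctx *store_enum(struct store *s, struct ctx *prev)
{
    struct ctx *next = prev ? prev->next : s->head; /* read before prev may be freed */
    if (next) ctx_dup(s, next);
    if (prev) ctx_release(s, prev);
    return next;
}

/* Delete unlinks the context and consumes the caller's reference. */
void store_delete(struct store *s, struct ctx *c)
{
    struct ctx **p = &s->head;
    while (*p && *p != c) p = &(*p)->next;
    if (*p) { *p = c->next; c->ref--; } /* drop store ref; c->next stays usable */
    ctx_release(s, c);
}

/* Duplicate, delete the duplicate, keep enumerating with the original. */
int delete_during_enum(struct store *s, int id)
{
    int visited = 0;
    for (struct ctx *c = store_enum(s, NULL); c; c = store_enum(s, c), visited++)
        if (c->id == id) store_delete(s, ctx_dup(s, c));
    return visited;
}

/* Checked close: fails (returns 0) while any caller reference is outstanding. */
int store_close_check(struct store *s)
{
    if (s->outstanding) return 0;
    while (s->head) { struct ctx *c = s->head; s->head = c->next; free(c); }
    return 1;
}
```

In this model a delete that failed to consume the caller's reference would leave `outstanding` above zero, so the checked close would fail; that corresponds to the leaked store described in the first paragraph.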