Verify Signed 'cab' Files #391

Closed
swe618 opened this issue May 16, 2024 · 1 comment
swe618 commented May 16, 2024

Hello,

I am new to using osslsigncode and working on a project attempting to verify various signed code. I pulled down some signed 'cab' files that are signed (checked it via VirusTotal). However, using osslsigncode to verify the files appears to fail.

Some insight or input into the matter would be greatly appreciated.

Please see below for a sample output of a failed verification attempt:

============
xxxx@xxxxx:~/codesigner/objects$ osslsigncode verify -in 20484220_5f2718fc6d44c5ae61d4275d679bbf1ededf58e5.cab -CAfile code_signing_ca.pem -untrusted code_signing_ca.pem

Signature Index: 0 (Primary Signature)

Message digest algorithm : SHA1
Current message digest : 407229AA461DC8C4D9208920E87742BB3BCE0CAD
Calculated message digest : 407229AA461DC8C4D9208920E87742BB3BCE0CAD

Signer's certificate:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
Serial : 6119CC93000100000066
Certificate expiration date:
notBefore : Oct 10 20:32:25 2011 GMT
notAfter : Jan 10 20:32:25 2013 GMT

Message digest algorithm: SHA1

Authenticated attributes:
Microsoft Individual Code Signing purpose
Message digest: 88CCB6380730497D08C53EA789685D7715052E40
URL description: http:https://winqual.microsoft.com
Text description: WHQL Driver Update

Countersignatures:
Timestamp time: May 21 22:46:53 2012 GMT
Signing time: May 21 22:46:53 2012 GMT
Hash Algorithm: sha1
Issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
Serial: 6105133600000000001A

CAfile: code_signing_ca.pem
TSA's certificates file: code_signing_ca.pem

Timestamp verified using:
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
Serial : 6116683400000000001C
Certificate expiration date:
notBefore : Apr 3 12:53:09 2007 GMT
notAfter : Apr 3 13:03:09 2021 GMT

    Error: unable to get local issuer certificate

CMS_verify error

Failed timestamp certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
Serial : 6119CC93000100000066
Certificate expiration date:
notBefore : Oct 10 20:32:25 2011 GMT
notAfter : Jan 10 20:32:25 2013 GMT

    ------------------
    Signer #1:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:159C-A3F7-2570/CN=Microsoft Time-Stamp Service
            Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
            Serial : 6105133600000000001A
            Certificate expiration date:
                    notBefore : Jul 25 20:42:17 2011 GMT
                    notAfter : Oct 25 20:42:17 2012 GMT

    ------------------
    Signer #2:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
            Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
            Serial : 6133261A000000000031
            Certificate expiration date:
                    notBefore : Aug 31 22:19:32 2010 GMT
                    notAfter : Aug 31 22:29:32 2020 GMT

    ------------------
    Signer #3:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
            Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
            Serial : 6116683400000000001C
            Certificate expiration date:
                    notBefore : Apr  3 12:53:09 2007 GMT
                    notAfter : Apr  3 13:03:09 2021 GMT

140635644590400:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:253:Verify error:unable to get local issuer certificate

Timestamp Server Signature verification: failed
Signing certificate chain verified using:
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
Serial : 6133261A000000000031
Certificate expiration date:
notBefore : Aug 31 22:19:32 2010 GMT
notAfter : Aug 31 22:29:32 2020 GMT

    Error: unable to get local issuer certificate

PKCS7_verify error

Failed signing certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
Serial : 6119CC93000100000066
Certificate expiration date:
notBefore : Oct 10 20:32:25 2011 GMT
notAfter : Jan 10 20:32:25 2013 GMT

    ------------------
    Signer #1:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:159C-A3F7-2570/CN=Microsoft Time-Stamp Service
            Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
            Serial : 6105133600000000001A
            Certificate expiration date:
                    notBefore : Jul 25 20:42:17 2011 GMT
                    notAfter : Oct 25 20:42:17 2012 GMT

    ------------------
    Signer #2:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
            Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
            Serial : 6133261A000000000031
            Certificate expiration date:
                    notBefore : Aug 31 22:19:32 2010 GMT
                    notAfter : Aug 31 22:29:32 2020 GMT

    ------------------
    Signer #3:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
            Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
            Serial : 6116683400000000001C
            Certificate expiration date:
                    notBefore : Apr  3 12:53:09 2007 GMT
                    notAfter : Apr  3 13:03:09 2021 GMT

140635644590400:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:284:Verify error:unable to get local issuer certificate
Signature verification: failed

Signature Index: 1

Message digest algorithm : SHA256
Current message digest : F3B4762BD3055DB2BEAD6A781AD3A13A5CDBF829DA1436B657FBE28A398CEF94
Calculated message digest : F3B4762BD3055DB2BEAD6A781AD3A13A5CDBF829DA1436B657FBE28A398CEF94

Signer's certificate:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
Serial : 6105495500000000000B
Certificate expiration date:
notBefore : Oct 10 20:45:24 2011 GMT
notAfter : Jan 10 20:55:24 2013 GMT

Message digest algorithm: SHA256

Authenticated attributes:
Sequence number: 1
Microsoft Individual Code Signing purpose
Message digest: 32493E9DD4E9BFA0FD93D10ECB28BC099A3A32D7953EF6E31FF0EF7FABB898B1
URL description: http:https://winqual.microsoft.com
Text description: WHQL Driver Update

Countersignatures:
Timestamp time: May 21 22:46:53 2012 GMT
Signing time: N/A
Hash Algorithm: sha1
Issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
Serial: 6107D45500000000000E

CAfile: code_signing_ca.pem
TSA's certificates file: code_signing_ca.pem

Timestamp verified using:
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Serial : 6109812A000000000002
Certificate expiration date:
notBefore : Jul 1 21:36:55 2010 GMT
notAfter : Jul 1 21:46:55 2025 GMT

    Error: unable to get local issuer certificate

CMS_verify error

Failed timestamp certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Serial : 6109812A000000000002
Certificate expiration date:
notBefore : Jul 1 21:36:55 2010 GMT
notAfter : Jul 1 21:46:55 2025 GMT

    ------------------
    Signer #1:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:B8EC-30A4-7144/CN=Microsoft Time-Stamp Service
            Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
            Serial : 6107D45500000000000E
            Certificate expiration date:
                    notBefore : Jan  9 21:35:31 2012 GMT
                    notAfter : Apr  9 21:45:31 2013 GMT

140635644590400:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:253:Verify error:unable to get local issuer certificate

Timestamp Server Signature verification: failed
Signing certificate chain verified using:
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Serial : 610C524C000000000003
Certificate expiration date:
notBefore : Jul 6 20:40:17 2010 GMT
notAfter : Jul 6 20:50:17 2025 GMT

    Error: unable to get local issuer certificate

PKCS7_verify error

Failed signing certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
Serial : 6105495500000000000B
Certificate expiration date:
notBefore : Oct 10 20:45:24 2011 GMT
notAfter : Jan 10 20:55:24 2013 GMT

    ------------------
    Signer #1:
            Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
            Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
            Serial : 610C524C000000000003
            Certificate expiration date:
                    notBefore : Jul  6 20:40:17 2010 GMT
                    notAfter : Jul  6 20:50:17 2025 GMT

140635644590400:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:284:Verify error:unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 2
Failed

mtrojnar (Owner) commented Jun 4, 2024

I updated https://raw.githubusercontent.com/mtrojnar/osslsigncode/master/code_signing_ca.pem to not only include Code Signing certificates.
Please check if this issue is fixed now.
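
Added example, not part of the thread and not osslsigncode code: both chains in the report stop with `unable to get local issuer certificate`, and this Python helper reads the Subject/Issuer lines of such output and lists the issuer DNs that never appear as a Subject, i.e. the certificates the `-CAfile` bundle has to supply. The sample lines are excerpted from the output in this issue; `missing_anchors` is a hypothetical name.

```python
import re

# Sample input: Subject/Issuer lines excerpted from the failed chains reported
# in this issue (signature index 0, then index 1); other fields are omitted.
# The first line is a countersignature "Issuer:" that has no Subject before it.
SAMPLE = """\
Issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
Failed timestamp certificate chain retrieved from the signature:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:159C-A3F7-2570/CN=Microsoft Time-Stamp Service
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
        Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA
        Issuer : /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
Failed signing certificate chain retrieved from the signature:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2010
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
"""

FIELD = re.compile(r"\s*(Subject|Issuer)\s*:\s*(/.*\S)")

def missing_anchors(log: str) -> dict[str, list[str]]:
    """Return {issuer DN never seen as a Subject: [subjects it issued]}."""
    subjects, issued = set(), {}
    current = None                      # Subject waiting for its Issuer line
    for line in log.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "Subject":
            current = dn
            subjects.add(dn)
        elif current is not None:       # a bare "Issuer:" line is not a chain entry
            issued.setdefault(dn, set()).add(current)
            current = None
    # An issuer that is also a Subject was shipped inside the signature; the
    # rest must come from the trusted bundle, or verification stops there.
    return {i: sorted(s) for i, s in issued.items() if i not in subjects}

if __name__ == "__main__":
    for issuer, children in missing_anchors(SAMPLE).items():
        print("needed in CA bundle:", issuer, "<- issuer of", children)
```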
