some msi, msp files will sign, but not validate. #169
Comments
Could you send the unsigned file to [email protected]? I'll take a look. I've already observed this behavior when a file is signed twice; in this case some areas of the MSI structure become unused and this invalidates the hash. signtool compacts the msi file to avoid this, but the library used by Jsign to modify msi files is unable to do it. I've never seen this issue with a fresh unsigned file though.
I have sent you an msp that demonstrates the problem.
As for the issue with the msi that contains an existing signature, I have a couple of those. How can we work around that until a fix is implemented in jsign?
Thank you, do you know where it comes from or how it was generated?
Actually, adding an extra signature should work, but not replacing an existing signature.
It is built from source by a build system using msbuild, in VS2109 I believe. I don't have access to the source. For the MSI issue, I am replacing signatures, so it looks like I am hitting the problem you are aware of. Is there a plan to fix it?
Not in the near future. This involves replacing Apache POI with a custom implementation compacting the unallocated space in the MSI files; that's not a quick fix.
OK, great. I will watch this thread for any progress on the msp issue.
I've pushed an update to use the latest version of Apache POI. I think it should fix the various issues reported when re-signing MSI files. However, I checked with the supplied .msp file and the signature is still invalid, so there is another issue here.
Hello
I have an odd behaviour that I am battling to understand.
Sign an msi with signtool, and it verifies correctly.
Sign the same unsigned msi with jsign, and it will attach a signature, but will fail signtool verify.
The odd thing here is that if I open the unsigned msi with orca, do nothing and close the file, and then submit it, it will sign and verify.
A different flavour of this is that some files will be signed and fail the signtool verify. If I open the signed msi with orca, do nothing and close it, the file then verifies.
I suspect that orca is re-ordering the contents somehow, which causes the hash generation to work correctly.
The file can be repaired by using a powershell script to use the windows installer COM components to open the file, read the summaryinfo block and rewrite it.
Is there any debug, or trace, or some sort of msi dissector I can use to try and work out what the issue with the file is?
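As a starting point for the kind of MSI dissector asked about in this thread, the following added example (not part of the original thread and not Jsign's code) lists sectors that are physically present in a compound file but marked free in its FAT, which is one reading of the "unallocated space" mentioned in the comments. It assumes the [MS-CFB] compound file layout used by MSI and MSP files; `free_sectors` and `build_sample` are names chosen here, and the sample file is constructed.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def free_sectors(data: bytes) -> list:
    """Indices of sectors that exist in the file but are marked FREESECT in the FAT."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file (MSI/MSP)")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]  # sector shift
    per_sector = sector_size // 4

    def sector(n):
        # Sector n starts after the header, which occupies one sector-sized slot.
        return struct.unpack_from(f"<{per_sector}I", data, (n + 1) * sector_size)

    # FAT sector locations: first 109 in the header DIFAT, the rest in DIFAT sectors.
    num_fat, = struct.unpack_from("<I", data, 44)
    difat = list(struct.unpack_from("<109I", data, 76))
    nxt, seen = struct.unpack_from("<I", data, 68)[0], set()
    while nxt not in (ENDOFCHAIN, FREESECT) and nxt not in seen:
        seen.add(nxt)
        *locs, nxt = sector(nxt)  # last entry chains to the next DIFAT sector
        difat += locs
    fat = []
    for loc in [s for s in difat if s != FREESECT][:num_fat]:
        fat.extend(sector(loc))
    # Ignore FAT padding entries that describe sectors beyond the end of the file.
    present = len(data) // sector_size - 1
    return [i for i, v in enumerate(fat[:present]) if v == FREESECT]

def build_sample(orphan: bool) -> bytes:
    """Constructed minimal v3 file: FAT, directory, one data sector, optional orphan."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<III", hdr, 44, 1, 1, 0)  # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)  # FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * 125
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(512) * (3 if orphan else 2)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    print("unallocated sectors:", free_sectors(data))
```

A non-empty result only shows that the file carries unallocated sectors; it does not by itself establish why verification fails.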