Failed to verify signature even though it's valid
0x0ACB opened this issue · 6 comments
I added a signature with the attach-signature command
.\osslsigncode.exe attach-signature -in .\gw2cc_launcher.exe -sigin .\gw2cc_launcher_signed.der -out .\gw2cc_launcher_signed.exe
Inspecting the signed.exe with Windows shows that everything is alright. But the console output from running the command indicates an issue when verifying the signature:
PE checksum : 01534FB5
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA256
Current message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Calculated message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Page hash algorithm : SHA256
Page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Calculated page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Signer's certificate:
------------------
Signer #0:
Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
Serial : 38B34627EDF30D288484DBBA
Certificate expiration date:
notBefore : Mar 4 16:42:20 2024 GMT
notAfter : Mar 5 16:42:20 2027 GMT
Message digest algorithm: SHA256
Authenticated attributes:
Signing time: Mar 5 08:21:56 2024 GMT
Microsoft Individual Code Signing purpose
Message digest: 41D9D671C9AE04897274FE5A93689C8292C878D178B92B44E49C31AA0B8517AD
Countersignatures:
Timestamp time: Mar 5 08:21:58 2024 GMT
CAfile: (null)
Timestamp is not available
Failed to add store lookup file
94090000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:crypto\cms\cms_env.c:41:
Signature verification: failed
Number of verified signatures: 1
Signature mismatch
Failed
Not really sure where the signature verification fails in osslsigncode. Even when I specify the GlobalSign root cert via -CAfile, verification fails.
CAfile: (null)
Yes, Windows uses an implicit list of trusted certificates, and osslsigncode needs you to specify your trusted certificates manually.
As indicated at the end of my post, even if I specify the CA file it fails to verify. This is using the GlobalSign root certificate as indicated by the cert chain.
.\osslsigncode.exe attach-signature -in .\gw2cc_launcher.exe -sigin .\gw2cc_launcher.der.signed -out .\gw2cc_launcher_signed.exe -CAfile CA.pem
PE checksum : 01534FB5
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA256
Current message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Calculated message digest : C1FF3B85C7A9D891C5236C4718F63A1735CEE80E9681CA1B057245FFCC621C1C
Page hash algorithm : SHA256
Page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Calculated page hash : 00000000C86D1E6D4C58A5FF57ED5AC249555B0EE9461EC7A3E0051024987CEE ...
Signer's certificate:
------------------
Signer #0:
Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
Serial : 38B34627EDF30D288484DBBA
Certificate expiration date:
notBefore : Mar 4 16:42:20 2024 GMT
notAfter : Mar 5 16:42:20 2027 GMT
Message digest algorithm: SHA256
Authenticated attributes:
Signing time: Mar 5 08:21:56 2024 GMT
Microsoft Individual Code Signing purpose
Message digest: 41D9D671C9AE04897274FE5A93689C8292C878D178B92B44E49C31AA0B8517AD
Countersignatures:
Timestamp time: Mar 5 08:21:58 2024 GMT
CAfile: CA.pem
Timestamp is not available
Signing certificate chain verified using:
------------------
Signer #0:
Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
Serial : 38B34627EDF30D288484DBBA
Certificate expiration date:
notBefore : Mar 4 16:42:20 2024 GMT
notAfter : Mar 5 16:42:20 2027 GMT
Error: unable to get local issuer certificate
PKCS7_verify error
Failed signing certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /businessCategory=Private Organization/serialNumber=HRA 16144/jurisdictionC=DE/jurisdictionST=Nordrhein-Westfalen/jurisdictionL=Bielefeld/C=DE/ST=Nordrhein-Westfalen/L=Schlo\xC3\x9F Holte-Stukenbrock/street=Erikaweg 7/O=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG/CN=Recode Systems UG (haftungsbeschr\xC3\xA4nkt) & Co. KG
Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020
Serial : 38B34627EDF30D288484DBBA
Certificate expiration date:
notBefore : Mar 4 16:42:20 2024 GMT
notAfter : Mar 5 16:42:20 2027 GMT
D8960000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:crypto\cms\cms_env.c:41:
D8960000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto\pkcs7\pk7_smime.c:295:Verify error: unable to get local issuer certificate
Signature verification: failed
Number of verified signatures: 1
Signature mismatch
Failed
Apparently, the /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 EV CodeSigning CA 2020 certificate was not found in your CA.pem.
Is it because of the expiration date starting at Mar 4 2024 and the issue dating from Mar 5 2024? The certificate is too new and therefore not appearing in the used file? Can you suggest a file that is most complete and up to date, or a way to obtain such a file, to feed osslsigncode with? I already tried cURL's "mk-ca-bundle.pl" to build a ca-bundle.cert file from Mozilla's beta channel, but even that does not seem to be up to date enough to keep up with new Mar 2024 certificates.
I guess there should be a way to download all valid code signing certificates from Microsoft.
> I guess there should be a way to download all valid code signing certificates from Microsoft.
I did it: https://raw.githubusercontent.com/mtrojnar/osslsigncode/master/code_signing_ca.pem
with the following script: https://github.com/mtrojnar/osslsigncode/blob/master/get_code_signing_ca.py
See https://learn.microsoft.com/en-us/security/trusted-root/participants-list for Microsoft's documentation.
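A quick way to confirm the diagnosis above before re-running osslsigncode, as an added example that is not part of this thread or of osslsigncode itself: the POSIX shell functions below list the subject DN of every certificate in a PEM bundle and check whether the DN printed in the `Issuer :` line (the one OpenSSL reports as "unable to get local issuer certificate") is actually present. They assume an `openssl` binary on PATH; the function names and the sample CN are assumptions of this example.

```shell
#!/bin/sh
# Diagnostic for "unable to get local issuer certificate": the file passed with
# -CAfile must contain the signer's issuer chain up to a root. These helpers are
# an added example (not from osslsigncode) and need only the openssl CLI.

# Print the subject DN (RFC 2253 form, one per line) of every certificate in a
# PEM bundle. Comment lines between certificates (as in mk-ca-bundle output)
# are ignored; each BEGIN..END block is fed to openssl x509 on its own.
bundle_subjects() {
    cert=""
    while IFS= read -r line; do
        case "$line" in
            *"-----BEGIN CERTIFICATE-----"*) cert="$line" ;;
            *"-----END CERTIFICATE-----"*)
                printf '%s\n%s\n' "$cert" "$line" |
                    openssl x509 -noout -subject -nameopt RFC2253 |
                    sed 's/^subject= *//'
                cert="" ;;
            *) if [ -n "$cert" ]; then cert="$cert
$line"; fi ;;
        esac
    done < "$1"
}

# Return 0 if some certificate in the bundle carries exactly CN=<name> as one of
# its RDNs (exact RDN match, so "Foo CA" does not match "Foo CA 2").
# RDNs are split on ',', which is fine for CA names without escaped commas.
bundle_has_cn() {
    bundle_subjects "$1" |
        awk -v want="CN=$2" 'BEGIN { f = 1 }
            { n = split($0, a, ","); for (i = 1; i <= n; i++) if (a[i] == want) f = 0 }
            END { exit f }'
}

# Usage: check_issuer CA.pem "GlobalSign GCC R45 EV CodeSigning CA 2020"
# Pass the CN from the "Issuer :" line osslsigncode printed for the signer.
check_issuer() {
    if bundle_has_cn "$1" "$2"; then
        echo "ok: $1 contains a certificate with CN=$2"
    else
        echo "missing: no certificate with CN=$2 in $1; add the issuing CA to the bundle" >&2
        return 1
    fi
}
```

If the check reports the issuer as missing, the fix is to append the issuing (intermediate) CA certificate, not just the root, to the file given to -CAfile.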