[wix-devs] Authenticode signature verification issue

Heath Stewart Heath.Stewart at microsoft.com
Mon Sep 28 10:10:44 PDT 2015


Seems the change never made it out then, which for this particular team is probably good. However, this still raises a concern with regard to WIXBUG:3640 (http://wixtoolset.org/issues/3640/). Just because the Authenticode certificate is valid doesn't mean it's the right payload. This caused a lot of problems for us until we started checking the hash always, such as packages being rebuilt with Product/@Id="*" so it was different than what the bundle had, and similar issues. So how can we have integrity as well?

I'll pass on the information to the team, but would like to explore how to fix the original bug. The one referenced above has two separate issues to solve:

1. Give the BA a chance to resolve source after verification failures (i.e. wrong payload), and
2. Verify that the payload is the correct payload and not merely signed by the same publisher.

Heath Stewart
Visual Studio, Microsoft
http://blogs.msdn.com/heaths

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Rob Mensching
Sent: Sunday, September 27, 2015 9:26 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

I could be misreading the code or missing a case that hashes files later but AFAICT Burn does not hash the files if it can Authenticode check them. That would break the way Authenticode updating can work today (although I do think removing that case is a reasonable thing to do since the updates you can do in an Authenticode case are limited and the lack of integrity check has issues... in v4).

So I *think* the requested scenario is supported today.


    // If the payload has a certificate root public key identifier provided, verify the certificate.
    if (pPayload->pbCertificateRootPublicKeyIdentifier)
    {
        hr = CacheVerifyPayloadSignature(pPayload, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload signature: %ls", wzCachedPath);
    }
    else if (pPayload->pCatalog) // If catalog files are specified, attempt to verify the file with a catalog file
    {
        hr = VerifyPayloadWithCatalog(pPayload, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload signature: %ls", wzCachedPath);
    }
    else if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
    {
        hr = VerifyHash(pPayload->pbHash, pPayload->cbHash, wzUnverifiedPayloadPath, hFile);
        ExitOnFailure1(hr, "Failed to verify payload hash: %ls", wzCachedPath);
    }



_______________________________________________________________
 FireGiant  |  Dedicated support for the WiX toolset  |  http://www.firegiant.com/


-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Heath Stewart
Sent: Sunday, September 27, 2015 9:10 PM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Subject: Re: [wix-devs] Authenticode signature verification issue

Burn always does hash checks now. We made that change long ago and you said you'd probably just remove the Authenticode check. The point is that Authenticode doesn't let us know if it's the right file, so we always check the hash. The ask is to provide an option to only check Authenticode so they can sign the file later.

Sent from my Windows Phone



____________________________________________________________________
WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/
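
The two verification policies debated in this thread, modelled as an added example that is not part of any message above and is not WiX source code. The struct and function names are hypothetical, the signer identifier stands in for a real Authenticode check, and FNV-1a stands in for a cryptographic hash.

```cpp
#include <cstdint>
#include <string>

// Stand-in digest (FNV-1a 64); a real verifier would use a cryptographic hash.
static uint64_t Digest(const std::string& data) {
    uint64_t h = 14695981039346656037ull;
    for (unsigned char c : data) { h ^= c; h *= 1099511628211ull; }
    return h;
}

// What the bundle manifest records about a payload (hypothetical model).
struct ExpectedPayload {
    bool hasSigner; std::string signerId;  // models pbCertificateRootPublicKeyIdentifier
    bool hasHash;   uint64_t hash;         // models pbHash
};

// A file found on disk; signerId models the outcome of a signature check.
struct CandidateFile { std::string content; std::string signerId; };

// First-match policy, as in the quoted else-if chain: a signer match ends
// verification and the recorded hash is never consulted.
bool VerifyFirstMatch(const ExpectedPayload& p, const CandidateFile& f) {
    if (p.hasSigner) return f.signerId == p.signerId;
    if (p.hasHash) return Digest(f.content) == p.hash;
    return false;
}

// Combined policy: every identifier the manifest carries must match, so the
// publisher check and the integrity check are both enforced.
bool VerifyAll(const ExpectedPayload& p, const CandidateFile& f) {
    if (!p.hasSigner && !p.hasHash) return false;  // nothing to verify against
    if (p.hasSigner && f.signerId != p.signerId) return false;
    if (p.hasHash && Digest(f.content) != p.hash) return false;
    return true;
}

// Constructed sample data: same publisher, but one package was rebuilt.
const CandidateFile kOriginal{"msi built with ProductCode A", "publisher-root-1"};
const CandidateFile kRebuilt{"msi built with ProductCode B", "publisher-root-1"};
const CandidateFile kOtherSigner{"msi built with ProductCode A", "other-root"};
const ExpectedPayload kManifest{true, "publisher-root-1", true, Digest(kOriginal.content)};

int main() {
    // Exit 0 when the rebuilt package passes first-match but fails the combined check.
    return (VerifyFirstMatch(kManifest, kRebuilt) && !VerifyAll(kManifest, kRebuilt)) ? 0 : 1;
}
```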

