Bug 52386 - Chktrust not correctly verifying digital signatures
Summary: Chktrust not correctly verifying digital signatures
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 4.6.0 (C8)
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
 
Reported: 2017-02-08 16:07 UTC by Matthew Mellon
Modified: 2017-02-15 12:49 UTC (History)
2 users (show)

Tags:
Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.


Please create a new report for Bug 52386 on GitHub or Developer Community if you have new information to add and do not yet see a matching new report.

If the latest results still closely match this report, you can use the original description:

  • Export the original title and description: GitHub Markdown or Developer Community HTML
  • Copy the title and description into the new report. Adjust them to be up-to-date if needed.
  • Add your new information.

In special cases on GitHub you might also want the comments: GitHub Markdown with public comments

Related Links:
Status:
NEW

Description Matthew Mellon 2017-02-08 16:07:41 UTC
I am having problems with chktrust verifying Windows PE executables signed by the current version of SignTool.exe from Microsoft's Windows 10 SDK. Depending on which digest algorithms are used, you can get it to recognize timestamps or verify the chain of trust, but never both.

Note that the examples below are all using a code signing certificate issued by GoDaddy G2 - you can pick up the required root certificate with mozroots --import --sync. I built a test exe that returns 0 (nothing more)... you can probably duplicate these results with any 32-bit Windows PE executable.

SCENARIO 1: Signing a 32-bit PE executable with an RFC 3161 timestamping service using a sha256 digest and a sha256 timestamp digest:


signing command (using Windows SDK):
"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /tr http://tsa.starfieldtech.com /d "ECRS Product Installer" /du http://ecrs.com  /fd sha256 /td sha256 /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

SCENARIO 2: Signing a 32-bit PE executable with an RFC 3161 timestamping service using a sha256 digest and a sha1 timestamp digest:

"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /tr http://tsa.starfieldtech.com /d "ECRS Product Installer" /du http://ecrs.com  /fd sha256 /td sha1 /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

SCENARIO 3: Signing a 32-bit PE executable with an RFC 3161 timestamping service using a sha1 digest and a sha1 timestamp digest:

"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /tr http://tsa.starfieldtech.com /d "ECRS Product Installer" /du http://ecrs.com  /fd sha1 /td sha1 /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

SCENARIO 4: Signing a 32-bit PE executable with an RFC 3161 timestamping service using a sha1 digest and a sha256 timestamp digest:

"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /tr http://tsa.starfieldtech.com /d "ECRS Product Installer" /du http://ecrs.com  /fd sha1 /td sha1 /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

WARNING! test.exe is not timestamped!
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

SCENARIO 5: Signing a 32-bit PE executable with a non-RFC 3161 timestamping service using a sha256 digest:

"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll/d "ECRS Product Installer" /du http://ecrs.com  /fd sha1  /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

INFO! test.exe was timestamped on 2/8/2017 3:49:35 PM
ERROR! test.exe signature can't be traced back to a trusted root!

SCENARIO 6: Signing a 32-bit PE executable with a non-RFC 3161 timestamping service using a sha1 digest:

"c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "\\xxxxxxxxxx\qa\Code Signing Certificate\ECR-Software-Corporation-ECRSDevelopment.pfx" /t http://timestamp.verisign.com/scripts/timstamp.dll/d "ECRS Product Installer" /du http://ecrs.com  /fd sha1  /p xxxxxxxxxxxxx "test.exe"
Done Adding Additional Store
Successfully signed: test.exe

verification results:
Windows 10 File Explorer: "This signature is OK"
[root@xxxxxxxxxxxx ~]# chktrust -v ~mmellon/test.exe
Mono CheckTrust - version 4.6.2.0
Verify if an PE executable has a valid Authenticode(tm) signature
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Verifying file test.exe for Authenticode(tm) signatures...

INFO! test.exe was timestamped on 2/8/2017 3:52:21 PM
ERROR! test.exe signature can't be traced back to a trusted root!

I think that all of these scenarios should have shown:

INFO! test.exe was timestamped on ???
SUCCESS: test.exe signature is valid
and can be traced back to a trusted root!

(considering Windows thinks so...)
Comment 1 Matthew Mellon 2017-02-08 16:15:54 UTC
Please forgive me if I opened this in the wrong place... I don't know if the issue is with chktrust itself or the underlying library.
Comment 2 Matthew Mellon 2017-02-08 18:38:52 UTC
Please note that the lack of space between the URL's and the /d parameter in the last two scenarios in the description is a copy-paste error... there was indeed space there.