Please create a new report for Bug 592 on
GitHub or Developer Community if you have new
information to add and do not yet see a matching new report.
As stated on the summary, Microsoft files' (i.e. Winword.exe, Powerpnt.exe, csc.exe) digital certificate can't be traced to a trusted root even if all MS-related certs are already imported/installed in the Mono store (using both mozroots and a PowerShell script to import all certs on a particular machine to the Mono store).
This is validated using chktrust.
This bug is aligned with 2 posts in mono forum, which are:
1. [mozroots]: Microsoft Office files can't be traced to a trusted root
2. [mono][chktrust]: signature can't be traced back to a trusted root!
This looks more like a setup issue than a bug; even then it would not be a critical bug (downgrading to minor).
Some key points (to clear some confusion from the emails):
1) Mono provides the tools, not the data, when dealing with X.509 certificate-based technologies, like HTTPS and Authenticode(tm).
2) 'mozroots' is a tool to allow users to retrieve data. However you cannot use 'mozroots' to install "all" MS-related certificates because they are simply unrelated.
Why? Because the goal of 'mozroots' is to migrate the root certificates that *Mozilla* uses for *Firefox* into a user (or machine) trusted certificates store that Mono-based applications can use.
That covers _most_ of the HTTPS cases but it does NOT guarantee compatibility with IE (or Windows since this is shared) for HTTPS - MS and Mozilla have different processes to accept CAs. It's even less likely to work for something as totally different as Authenticode - code signing differs a lot more between MS and Mozilla.
3) Using a script to gather/import certificates is a good idea, conceptually similar to what 'mozroots' does. However it does not mean it provides everything that's required or that it will give you consistent results across several computers (because of the way MS updates its roots). YMMV.
I do not have MS Office to test this but I'll check the signature on CSC.exe.
Thanks for the comment Sebastian.
Let me take this opportunity to ask questions regarding this issue.
Based on what you said, how will I be able or what is the correct way to install/migrate "all" or "most" of MS related certificates into a machine's trusted certificate store that Mono will be able to identify? For WINWORD, EXCEL and POWERPNT executables, it's really weird for its certificates not to be identified or traced by Mono given that (1) it is installed in the computer and (2) certificates of both digital and counter signatures are present in the trusted store.
Lastly, you've mentioned at the start of your reply that this is more of a setup issue. Can you kindly elaborate? I mean, do I have to do some necessary setup?
Again, thank you.
(1) I cannot say if your setup is correct, i.e. if you have everything, data-wise, installed correctly.
Mono does not provide* a [ie|win]roots tool because it would only be limited to Windows, while 'mozroots' works for every platform since we can download them from the web.
* you are welcome to contribute such a tool :-)
That does mean it's less than ideal for 'chktrust' - but this is only one (of many) tools that mono provides and one that mono itself does not use/require (we did not know that at the time the tool was written ;-) and of course MS provides its own 'chktrust' tool in its SDK (that works with its own, cryptoapi-based, certificate store).
(2) The trusted store is meant for root certificates only. If you add non-root certificates in them then you might introduce problems when building the chain (GIGO).
A [counter]signature can only be valid if it can be chained back to a trusted root (and that's not the only condition). If the chain is broken (e.g. missing root or intermediate certificate) then it's impossible to assert any trust to a signature.
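The chain rule described in the comment above (a signature is trusted only if its chain reaches a root in the trusted store, and that store is meant for roots) can be reproduced with a constructed three-certificate chain. This is an added example, not part of the original thread; it uses the OpenSSL command line rather than Mono's chktrust, and every name and file in it is made up.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up): Demo Root -> Demo Intermediate -> Demo Signer.
set -eu
d=$(mktemp -d)

cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[signer]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
EOF

# new_csr NAME CN: fresh key plus a certificate request for that subject
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
# issue NAME ISSUER SECTION SERIAL: sign NAME's request with ISSUER's key
issue() {
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -set_serial "$4" -days 2 -extfile "$d/ext.cnf" -extensions "$3" \
    -out "$d/$1.pem" 2>/dev/null
}

# Root: self-signed and marked CA:TRUE.
new_csr root "Demo Root"
openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
  -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
new_csr inter "Demo Intermediate"; issue inter root ca 2
new_csr signer "Demo Signer"; issue signer inter signer 3

# check ARGS...: print "trusted" or "untrusted" for the signer certificate
check() {
  if openssl verify "$@" "$d/signer.pem" 2>&1 | grep -q ': OK$'
  then echo trusted; else echo untrusted; fi
}

echo "root trusted, intermediate missing:  $(check -CAfile "$d/root.pem")"
echo "root trusted, intermediate supplied: $(check -CAfile "$d/root.pem" -untrusted "$d/inter.pem")"
echo "only intermediate in trusted store:  $(check -CAfile "$d/inter.pem")"
```

Only the second case verifies: the first has a gap in the chain, and in the third the chain stops at a non-root certificate, which OpenSSL does not accept as a trust anchor by default.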
Thanks for the feedback again Sebastian.
"That does mean it's less than ideal for 'chktrust' - but this is only one (of
many) tools that mono provides and one that mono itself does not use/require
(we did not know that at the time the tool was written ;-) and of course MS
provides its own 'chktrust' tool in its SDK (that works with its own,
cryptoapi-based, certificate store)."
[Jayson]: having this said, what tools does mono suggest or use to verify trust for MS files?
"(2) The trusted store is meant for root certificates only. If you add non-root
certificates in them then you might introduce problems when building the chain
[Jayson]: can you kindly clarify what you mean by non-root certificates here?
Again, thank you! :)
[Jayson]: having this said, what tools does mono suggest or use to verify trust
for MS files?
See key point #1 from comment #1.
[Jayson]: can you kindly clarify what you mean by non-root certificates
Will just make a follow-up on this. Have you checked csc.exe already?
In addition, I asked for the tools and you mentioned to look on your key point #1 on comment #1. Apologies for the confusion but are you pertaining to HTTPS and Authenticode as the tools? If yes, do they come in the mono installation (i.e. is it like mozroots and chktrust callable via command line)? If not, can you kindly specifically tell what are the tools included in mono that I can use to verify trust of MS files?
Lastly, regarding non-root certificates. How will I be able to verify them using mono?
Any updates on this bug? Thank you.
Following up again. Have you verified this already?
Thank you :)
No. I'll test this when I have to boot up my Windows virtual machine and have time to install Mono and investigate the issue.
Having similar issues with tracing digital certificates inside Microsoft fonts back to a trusted root. The signerChain doesn't want to lengthen to include the root certificates which I fed it. May or may not be related.
Argh, it looks like the issue I experienced with tracing certificates backwards through the chain is issue 1 in:
Okay, the thread on
gave me enough to fix my problem - my problem is to do with the treatment of self-signed certificates. Self-signed certificates are understandably treated as untrusted unless they are marked as being from a certificate root authority (which is what they should be in this context...).