Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xca.exe(portable) without signature since 2.5.0 #603

Open
fadecore opened this issue Oct 24, 2024 · 0 comments
Open

xca.exe(portable) without signature since 2.5.0 #603

fadecore opened this issue Oct 24, 2024 · 0 comments

Comments

@fadecore
Copy link

fadecore commented Oct 24, 2024

Problem

I use the portable version on a windows laptop and it worked for all versions < 2.7.0
Since 2.7.0 I can't start xca anymore, because Microsoft Defender SmartScreen intercepts :(
After digging into it a little bit I found out that portable versions(xca.exe) <2.5.0 are signed, but till 2.5.0 the xca.exe has no signature.
The missing signature has negative influence on the score for Microsoft Defender SmartScreen and should be added again.
Hopefully this helps to get rid of the warnings in the future.

Reproduce Issue

  1. Download portable versions(2.5.0-2.8.0)
  2. Check if signature is available:
$ osslsigncode.exe verify xca-2.5.0.exe
Current PE checksum   : 0068C4C5
Calculated PE checksum: 0068C4C4
Warning: invalid PE checksum
No signature found
Unable to extract existing signature
Failed

What is expected

The xca.exe for 2.4.0 is signed and a validation is possible.
Example doesn't include a real validation, so it is expected to fail at the end

$ osslsigncode.exe verify xca-2.4.0.exe
PE checksum   : 0024B842

Signature Index: 0  (Primary Signature)

Message digest algorithm  : SHA256
Current message digest    : 590852131C3FCA75B186127982C92708AD7B2F9C108C2EE292AD1B76406126FF
Calculated message digest : 590852131C3FCA75B186127982C92708AD7B2F9C108C2EE292AD1B76406126FF

Signer's certificate:
        ------------------
        Signer #0:
                Subject: /C=DE/ST=Nordrhein-Westfalen/L=Hille/O=Open Source Developer/CN=Open Source Developer, Christian Hohnstaedt/[email protected]
                Issuer : /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Code Signing CA SHA2
                Serial : 04FF54FF7D5578046E4672CE42E11D3D
                Certificate expiration date:
                        notBefore : Apr 30 04:42:59 2021 GMT
                        notAfter : Apr 30 04:42:59 2022 GMT

Message digest algorithm: SHA256

Authenticated attributes:
        Signing time: May  7 20:46:09 2021 GMT
        Microsoft Individual Code Signing purpose
        Message digest: DB22EDDA23B0BCEC54DAE9EC0270B3E6BD6C8AE25DE9282F0CD9B96CB0A74E20
        URL description: https://hohnstaedt.de/xca
        Text description: XCA 2.4.0

Countersignatures:
        Timestamp time: May  7 20:46:10 2021 GMT
        Signing time: May  7 20:46:10 2021 GMT
        Hash Algorithm: sha384
        Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Time Stamping CA
        Serial: 8C77A0008FF4D1B0C63D9F3A48838D6B

CAfile: (null)
Use the "-TSA-CAfile" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.

Timestamp Server Signature verification: failed
Failed to add store lookup file
Signature verification: failed

Number of verified signatures: 1
Failed

Workaround

Ignore the Microsoft Defender warning and force execution of xca.exe.
It seems the warning disappears in the future, after forcing the execution once.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant