
some msi, msp files will sign, but not validate . #169

Open
johm6340 opened this issue Aug 9, 2023 · 7 comments

Comments

@johm6340

johm6340 commented Aug 9, 2023

Hello
I have an odd behaviour that I am battling to understand.
Sign an msi with signtool, and it verifies correctly.
Sign the same unsigned msi with jsign, and it will attach a signature, but it will fail signtool verify.
The odd thing here is that if I open the unsigned msi with orca, do nothing and close the file, and then submit it, it will sign and verify.
A different flavour of this is that some files will be signed and fail the signtool verify. If I open the signed msi with orca, do nothing and close it, the file then verifies.

I suspect that orca is re-ordering the contents somehow, which causes the hash generation to work correctly .

The file can be repaired by using a powershell script to use the windows installer COM components to open the file, read the summaryinfo block and rewrite it.

Is there any debug, or trace, or some sort of msi dissector I can use to try and work out what the issue with the file is?
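The repair described above (open the package through the Windows Installer COM object, read the summary information and write it back) can be reconstructed roughly as follows. This is an added example written for this page, not the reporter's repairmsi.txt and not Jsign code. The open modes (1 for msiOpenDatabaseModeTransact, 32 for the patch-file flag) are the documented Windows Installer constants; rewriting summary PIDs 2 to 19 is an assumption about what the reporter's script does, and the function name is hypothetical.

```powershell
# Added example (not the reporter's repairmsi.txt, not Jsign code): rewrite the
# SummaryInformation stream of an MSI/MSP through the Windows Installer COM API.
# Assumes msi.dll is present (any Windows host) and the file is not open elsewhere.
function Repair-MsiSummaryInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    $fullPath  = (Resolve-Path -LiteralPath $Path).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer

    # msiOpenDatabaseModeTransact = 1; the patch-file flag (32) is OR-ed in for .msp
    # (assumption: the reporter's script handled .msp the same way)
    $mode = 1
    if ([System.IO.Path]::GetExtension($fullPath) -ieq '.msp') { $mode = $mode -bor 32 }

    # Parameterised COM members are easiest to reach through InvokeMember from PowerShell
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($fullPath, $mode))

    # SummaryInformation(updateCount): a non-zero updateCount opens the stream for writing
    $si = $db.GetType().InvokeMember('SummaryInformation', 'GetProperty', $null, $db, @(20))

    # Read every standard property back and write it again unchanged.
    # PID 1 (codepage) is skipped: it may only be set before any string property.
    foreach ($propertyId in 2..19) {
        $value = $si.GetType().InvokeMember('Property', 'GetProperty', $null, $si, @($propertyId))
        if ($null -ne $value -and "$value" -ne '') {
            $si.GetType().InvokeMember('Property', 'SetProperty', $null, $si, @($propertyId, $value))
        }
    }

    # Persist writes the summary stream; Commit flushes the transacted database
    $si.GetType().InvokeMember('Persist', 'InvokeMethod', $null, $si, $null) | Out-Null
    $db.GetType().InvokeMember('Commit',  'InvokeMethod', $null, $db, $null) | Out-Null

    foreach ($obj in @($si, $db, $installer)) {
        [System.Runtime.InteropServices.Marshal]::ReleaseComObject($obj) | Out-Null
    }
}

# Example usage: run on a copy, then compare `signtool verify /pa /v` results before and after
# Repair-MsiSummaryInfo -Path .\package.msi
```

Run it against a copy of the package with Orca closed, sign the copy, and check it with signtool verify; if the copy verifies where the original did not, the summary-information rewrite alone is enough to work around the layout problem for that file.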

@ebourg
Owner

ebourg commented Aug 9, 2023

Could you send the unsigned file to ebourg@apache.org? I'll take a look.

I've already observed this behavior when a file is signed twice; in that case some areas of the MSI structure become unused and this invalidates the hash. signtool compacts the msi file to avoid this, but the library used by Jsign to modify msi files is unable to do it. I've never seen this issue with a fresh unsigned file though.
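ebourg's explanation points at unallocated space inside the compound-file (CFB) structure that carries an MSI or MSP. As an added diagnostic, not code from Jsign or signtool, the following PowerShell function parses the CFB header and FAT and reports how many sectors are physically present in the file but marked free. Sector layout and the FREESECT/ENDOFCHAIN values follow the public [MS-CFB] specification; the function name and output shape are assumptions of this example.

```powershell
# Added diagnostic (not Jsign or signtool code): count compound-file sectors that
# exist in an MSI/MSP but are marked FREESECT in the FAT, i.e. unallocated space.
# Assumes a local, readable path. Layout constants are from [MS-CFB].
function Get-CfbFreeSectors {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)
    if ($bytes.Length -lt 512) { throw "File too small to be a compound file" }

    # CFB magic: D0 CF 11 E0 A1 B1 1A E1
    $magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    for ($i = 0; $i -lt 8; $i++) {
        if ($bytes[$i] -ne $magic[$i]) { throw "Not a compound file: bad signature" }
    }

    $FREESECT   = [uint32]0xFFFFFFFF
    $ENDOFCHAIN = [uint32]0xFFFFFFFE

    $sectorSize       = 1 -shl [BitConverter]::ToUInt16($bytes, 30)   # 512 (v3) or 4096 (v4)
    $fatSectorCount   = [BitConverter]::ToUInt32($bytes, 44)
    $firstDifat       = [BitConverter]::ToUInt32($bytes, 68)
    $difatCount       = [BitConverter]::ToUInt32($bytes, 72)
    $entriesPerSector = $sectorSize / 4

    # Sector n starts at byte (n + 1) * sectorSize; the header occupies "sector -1"
    $offsetOf = { param([uint32]$sector) [int](($sector + 1) * $sectorSize) }

    # Locate the FAT sectors: 109 entries in the header, the rest in DIFAT sectors
    $fatSectors = New-Object System.Collections.Generic.List[uint32]
    for ($i = 0; $i -lt 109 -and $fatSectors.Count -lt $fatSectorCount; $i++) {
        $loc = [BitConverter]::ToUInt32($bytes, 76 + 4 * $i)
        if ($loc -eq $FREESECT) { break }
        $fatSectors.Add($loc)
    }
    $difat = $firstDifat
    for ($d = 0; $d -lt $difatCount -and $difat -ne $ENDOFCHAIN -and $difat -ne $FREESECT; $d++) {
        $base = & $offsetOf $difat
        for ($i = 0; $i -lt ($entriesPerSector - 1) -and $fatSectors.Count -lt $fatSectorCount; $i++) {
            $loc = [BitConverter]::ToUInt32($bytes, $base + 4 * $i)
            if ($loc -eq $FREESECT) { break }
            $fatSectors.Add($loc)
        }
        # the last entry of a DIFAT sector points to the next DIFAT sector
        $difat = [BitConverter]::ToUInt32($bytes, $base + 4 * ($entriesPerSector - 1))
    }

    # Walk the FAT. Entries beyond the end of the file are padding in the last FAT
    # sector, so only sectors that physically exist are counted.
    $sectorsInFile = [int][math]::Ceiling(($bytes.Length - 512) / $sectorSize)
    $free = 0; $allocated = 0; $index = 0
    foreach ($fs in $fatSectors) {
        $base = & $offsetOf $fs
        for ($i = 0; $i -lt $entriesPerSector -and $index -lt $sectorsInFile; $i++) {
            $entry = [BitConverter]::ToUInt32($bytes, $base + 4 * $i)
            if ($entry -eq $FREESECT) { $free++ } else { $allocated++ }
            $index++
        }
    }

    [pscustomobject]@{
        Path       = $Path
        SectorSize = $sectorSize
        Sectors    = $sectorsInFile
        Allocated  = $allocated
        Free       = $free
        FreeBytes  = $free * $sectorSize
    }
}

# Example usage: compare a failing package with the same file after an Orca open/close
# Get-CfbFreeSectors -Path .\before.msp
# Get-CfbFreeSectors -Path .\after.msp
```

Comparing the Free count for a package that fails verification against the same package after the Orca round-trip gives a quick way to tell whether the difference is indeed leftover unallocated sectors rather than something else in the file.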

@johm6340
Author

I have sent you an msp that demonstrates the problem.
Don't edit it, and sign it with the jsign cli. Then try and verify it with signtool. It should fail.
Then take a fresh copy of the original msp, and open it with orca, then close it; don't make any edits. Then try the sign operation, and it should work.
These msps were built with msbuild-based build systems.

@johm6340
Author

As for the issue with the msi that contains an existing signature. I have a couple of those. How can we work around that until a fix is implemented in jsign?

@ebourg
Owner

ebourg commented Aug 10, 2023

> I have sent you an msp that demonstrates the problem

Thank you, do you know where it comes from or how it was generated?

> As for the issue with the msi that contains an existing signature. I have a couple of those. How can we work around that until a fix is implemented in jsign?

Actually, adding an extra signature should work, but not replacing an existing signature.

@johm6340
Author

It is built from source by a build system using msbuild, in VS2019 I believe. I don't have access to the source.

For the MSI issue, I am replacing signatures, so it looks like I'm hitting the problem you are aware of. Is there a plan to fix it?
The workaround I am using at the moment is to run this powershell script before and after signing.

repairmsi.txt

@ebourg
Owner

ebourg commented Aug 10, 2023

> Is there a plan to fix it?

Not in the near future; this involves replacing Apache POI with a custom implementation compacting the unallocated space in the MSI files. That's not a quick fix.

@johm6340
Author

OK, great. I will watch this thread for any progress on the msp issue.
Thank you for the great work and help.
