[Mono-bugs] [Bug 81450][Nor] Changed - Two authenticode issues
bugzilla-daemon at bugzilla.ximian.com
Wed Apr 25 11:04:01 EDT 2007
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by sebastien at ximian.com.
http://bugzilla.ximian.com/show_bug.cgi?id=81450
--- shadow/81450 2007-04-25 10:34:50.000000000 -0400
+++ shadow/81450.tmp.14269 2007-04-25 11:04:01.000000000 -0400
@@ -1,14 +1,14 @@
Bug#: 81450
Product: Mono: Class Libraries
Version: unspecified
-OS:
+OS: unknown
OS Details:
-Status: NEW
-Resolution:
-Severity:
+Status: RESOLVED
+Resolution: INVALID
+Severity: Unknown
Priority: Normal
Component: Mono.Security
AssignedTo: sebastien at ximian.com
ReportedBy: pieter at mentalis.org
QAContact: mono-bugs at ximian.com
TargetMilestone: ---
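Review bot: OS is filled in as "unknown" in the same change that sets Status to RESOLVED and Resolution to INVALID, yet the comment added in the next hunk ties the outcome to the platform: the test there runs from a Unix shell prompt and the reply asks for a re-open if the results differ on Windows. Recording the platform the report came from in OS or OS Details would let a reader check the INVALID resolution against the right environment.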
@@ -84,6 +84,43 @@
a trusted CA, I tried verifying the "invalid_signed_file.exe". To my
amazement, this returned no errors. The AuthenticodeDeformatter.IsTrusted
method returns true, even though I would have expected it to return false.
It could be that this is the intended behavior of the IsTrusted method
(there were no docs, so I couldn't be sure about that), but I don't see
any other method to verify the signature on the file.
+
+------- Additional Comments From sebastien at ximian.com 2007-04-25 11:04 -------
+Here's a quick test I did using SVN HEAD (but there hasn't any recent
+changes in there).
+
+poupou at pollux:~/src/bugzilla/81450> certmgr -add -c Trust
+Microsoft_Root_CA.cer
+Mono Certificate Manager - version 1.2.4.0
+Manage X.509 certificates and CRL from stores.
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell.
+BSD licensed.
+
+1 certificate(s) added to store Trust.
+
+poupou at pollux:~/src/bugzilla/81450> chktrust signed_file.exe
+Mono CheckTrust - version 1.2.4.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell.
+BSD licensed.
+
+SUCCESS: signed_file.exe signature is valid
+and can be traced back to a trusted root!
+
+poupou at pollux:~/src/bugzilla/81450> chktrust invalid_signed_file.exe
+Mono CheckTrust - version 1.2.4.0
+Verify if an PE executable has a valid Authenticode(tm) signature
+Copyright 2002, 2003 Motus Technologies. Copyright 2004-2006 Novell.
+BSD licensed.
+
+ERROR! invalid_signed_file.exe digital signature is invalid!
+
+
+You should be using Mono's certmgr (even on Windows) to install the
+certificates (it's the only supported way). It's also possible that
+you're missing something in your code. Have a look into chktrust
+source code to see what could be the difference (and re-open the bug
+if you don't get the same results on Windows). Thanks!
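Review bot: the added comment verifies the two files with the chktrust tool, while the report quoted in the context lines above is about AuthenticodeDeformatter.IsTrusted returning true for invalid_signed_file.exe and about that method having no docs. The reply would answer the report if it named what chktrust checks before it prints "digital signature is invalid", instead of only pointing at the chktrust source, and said whether IsTrusted alone is meant to cover signature validity. As written, the bug is resolved without settling the reporter's question about the intended behavior of IsTrusted.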