[Mono-bugs] [Bug 81450][Nor] Changed - Two authenticode issues

bugzilla-daemon at bugzilla.ximian.com
Wed Apr 25 12:02:00 EDT 2007

Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by pieter at mentalis.org.


--- shadow/81450	2007-04-25 11:04:01.000000000 -0400
+++ shadow/81450.tmp.15268	2007-04-25 12:02:00.000000000 -0400
@@ -1,13 +1,13 @@
 Bug#: 81450
 Product: Mono: Class Libraries
 Version: unspecified
 OS: unknown
 OS Details: 
-Status: RESOLVED   
-Resolution: INVALID
+Status: REOPENED   
 Severity: Unknown
 Priority: Normal
 Component: Mono.Security
 AssignedTo: sebastien at ximian.com                            
 ReportedBy: pieter at mentalis.org               
 QAContact: mono-bugs at ximian.com
@@ -121,6 +121,33 @@
 You should be using Mono's certmgr (even on Windows) to install the
 certificates (it's the only supported way). It's also possible that
 you're missing something in your code. Have a look into chktrust
 source code to see what could be the difference (and re-open the bug
 if you don't get the same results on Windows). Thanks!
+------- Additional Comments From pieter at mentalis.org  2007-04-25 12:02 -------
+Hi Sebastien,
+I installed the mono runtime (I only had the source here), and after 
+using the certmgr application to install the certificate, problem 1 
+went away. I'm still not sure why there's a difference, but it 
+doesn't really matter.
+For Problem 2 however, it turns out that the origin of this issue is 
+located in the IsTrusted method. Apparently, this method 
+recalculates the 'Reason' integer, without taking the signature into 
+account. So when you load a file with an invalid signature, the 
+AuthenticodeDeformatter instance sets the Reason to 2 (= invalid 
+signature). However if you call IsTrusted, it still returns true, 
+and all subsequent calls to the Reason property return 0 instead of 
+You're not seeing this issue with the chktrust tool, because it 
+doesn't use the IsTrusted property but rather it interprets the 
+Reason code directly.
+Is this the expected behavior? What exactly is the definition of the 
+IsTrusted method? Should it only check the certificates, or should 
+it also check the signature? If it should only check the 
+certificates, how can I know whether the signature was valid or not 
+(after calling IsTrusted)?
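Review bot: the sentence in the added comment that ends "return 0 instead of" breaks off before the expected value, so the description of how the Reason property changes after IsTrusted is incomplete as recorded; the value should be restated there. The comment also reports IsTrusted returning true for a file whose Reason was 2 (invalid signature) without a reproducer. Attaching the minimal calling sequence (load the file, read Reason, call IsTrusted, read Reason again) would let the maintainer compare it against chktrust, which per the comment interprets the Reason code directly.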
