Sigcheck unable to verify catalog signed status on OpenConsoleProxy.dll #13294
Comments
@joeltuckwell if you check terminal's files they'll show as
and
Thank you for all this information. This allowed us to pinpoint an issue on our end. We do not look at the msixbundle files as a source of trust, rather the codeintegrity.cat digest to confirm the file is signed. However we were looking in Program Files for this file (for 3rd-party Windows Applications) and not ProgramData (for native applications), and thus missed this catalog. I appreciate the reply and the information. I will close this case.
Please sign the file properly. Otherwise it cannot be allowed in a secure way by AppLocker.
Yeah, this is nuanced. We're just gonna sign the files. :)
Up until now, we have been relying on the catalog signature produced for our MSIX package. There are some things (Packaged COM, Process Explorer as of 2022) that cannot handle catalog-signed files. It's easier and safer for us to simply sign all the executables we produce before packaging them. Unfortunately, we can't do it before we package them. We have to unpack and re-pack our package. In the future, this will allow us to provide a codesigned distribution that is not in an MSIX package. TEST=Ran a build and checked out the contents of the package. They were all signed! Closes #13294 Closes #12695 Closes #9670
Up until now, we have been relying on the catalog signature produced for our MSIX package. There are some things (Packaged COM, Process Explorer as of 2022) that cannot handle catalog-signed files. It's easier and safer for us to simply sign all the executables we produce before packaging them. Unfortunately, we can't do it before we package them. We have to unpack and re-pack our package. In the future, this will allow us to provide a codesigned distribution that is not in an MSIX package. TEST=Ran a build and checked out the contents of the package. They were all signed! Closes #13294 Closes #12695 Closes #9670 (cherry picked from commit 72be9a9) Service-Card-Id: 87690424 Service-Version: 1.16
🎉 This issue was addressed in #14710, which has now been successfully released as Handy links:
I am opening this as a new issue as I haven't received a reply on issue #12695
I have run two versions of this file against sigcheck -a -i which should confirm the file is catalog signed as stated but it always returns unsigned. Can you please provide evidence that this file is catalog signed?
Windows Terminal version
1.12.10393.0
1.12.2204.8003
Windows build number
10.0.22000.0
21H2 22000.675
Other Software
No response
Steps to reproduce
View properties on files "C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminal_1.12.10393.0_x64__8wekyb3d8bbwe\PackagedCom\OpenConsoleProxy.dll"
"C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\PackagedCom\OpenConsoleProxy"
Notice that Digital Signatures tab does not appear in the properties.
VirusTotal also confirms the file is not digitally signed:
https://www.virustotal.com/gui/file/320addd674045f097f85da27a88d0b0cf935adb8f1301b7af52c4c8f0a9145e5/details
https://www.virustotal.com/gui/file/3b627cff9f15797656d2b8744ea0a7e53b2583018b8234e1ce27ccc618a9f41a/details
Expected Behavior
File should be digitally signed like other official Microsoft files.
Actual Behavior
File is not digitally signed. This can cause the file to be blocked by application allow listing software.
I just wanted to jump on this issue @DHowett - I've run this file against sigcheck (with the flags to check catalog signing) and it's returning n/a for publisher. Are you seeing something different on your system? If so could you please provide what you are seeing on your system and the hash for the version of OpenConsoleProxy.dll that you are checking?
Thank you!
Originally posted by @joeltuckwell in #12695 (comment)