
Sigcheck unable to verify catalog signed status on OpenConsoleProxy.dll #13294

Closed
joeltuckwell opened this issue Jun 14, 2022 · 7 comments · Fixed by #14710
Labels
Needs-Tag-Fix Doesn't match tag requirements Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting Resolution-Fix-Committed Fix is checked in, but it might be 3-4 weeks until a release.

Comments

@joeltuckwell

I am opening this as a new issue as I haven't received a reply on issue #12695

I have run two versions of this file against sigcheck -a -i which should confirm the file is catalog signed as stated but it always returns unsigned. Can you please provide evidence that this file is catalog signed?

Windows Terminal version
1.12.10393.0
1.12.2204.8003

Windows build number
10.0.22000.0
21H2 22000.675

Other Software
No response

Steps to reproduce
View properties on files "C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminal_1.12.10393.0_x64__8wekyb3d8bbwe\PackagedCom\OpenConsoleProxy.dll"

"C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\PackagedCom\OpenConsoleProxy"

Notice that Digital Signatures tab does not appear in the properties.

Virus total also confirms the file is not digitally signed:
https://www.virustotal.com/gui/file/320addd674045f097f85da27a88d0b0cf935adb8f1301b7af52c4c8f0a9145e5/details

https://www.virustotal.com/gui/file/3b627cff9f15797656d2b8744ea0a7e53b2583018b8234e1ce27ccc618a9f41a/details

Expected Behavior
File should be digitally signed like other official Microsoft files.

Actual Behavior
File is not digitally signed. This can cause the file to be blocked by application allow listing software.


I just wanted to jump on this issue @DHowett - I've run this file against sigcheck (with the flags to check catalog signing) and it's returning n/a for publisher. Are you seeing something different on your system? If so could you please provide what you are seeing on your system and the hash for the version of OpenConsoleProxy.dll that you are checking?

Thank you!

[image attachment: sigcheck output screenshot]

Originally posted by @joeltuckwell in #12695 (comment)

@joeltuckwell (Author)

Additional information:

[image attachment]

@elsaco

elsaco commented Jun 14, 2022

@joeltuckwell if you check terminal's files they'll show as NotSigned. However, the MSIX packages are signed. Here's a sample signature check for the Terminal Preview 1.14.1451 bundle:

Get-AuthenticodeSignature .\Microsoft.WindowsTerminalPreview_Win10_1.14.1451.0_8wekyb3d8bbwe.msixbundle | fl

SignerCertificate      : [Subject]
                           CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Marketplace CA G 027, OU=EOC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           3300168484221784EE03ECF7ED000000168484

                         [Not Before]
                           5/25/2022 2:05:16 PM

                         [Not After]
                           5/28/2022 2:05:16 PM

                         [Thumbprint]
                           8864EC39545C61DC3132393ECEC74A7010262406

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=Thales TSS ESN:4D2F-E3DD-BEEF, OU=Microsoft Operations Puerto Rico, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           33000001B0A1E38332E88D3BC00001000001B0

                         [Not Before]
                           3/2/2022 10:51:42 AM

                         [Not After]
                           5/11/2023 11:51:42 AM

                         [Thumbprint]
                           029E2F90DDDF0F914D05561992565E4BF2453C18

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\elsaco\Downloads\Microsoft.WindowsTerminalPreview_Win10_1.14.1451.0_8wekyb3d8bbwe.msixbundle
SignatureType          : Authenticode
IsOSBinary             : False

and openconsoleproxy.dll:

SignerCertificate      :
TimeStamperCertificate :
Status                 : NotSigned
StatusMessage          : The file C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminalPreview_1.14.1451.0_x6
                         4__8wekyb3d8bbwe\PackagedCom\OpenConsoleProxy.dll is not digitally signed. You cannot run this script on the
                         current system. For more information about running scripts and setting execution policy, see
                         about_Execution_Policies at https://go.microsoft.com/fwlink/?LinkID=135170
Path                   : C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsTerminalPreview_1.14.1451.0_x64__8wekyb
                         3d8bbwe\PackagedCom\OpenConsoleProxy.dll
SignatureType          : None
IsOSBinary             : False

@joeltuckwell (Author)

Thank you for all this information. This allowed us to pinpoint an issue on our end. We do not look at the msixbundle files as a source of trust, rather the codeintegrity.cat digest to confirm the file is signed. However we were looking in Program Files for this file (for 3rd-party Windows Applications) and not ProgramData (for native applications), and thus missed this catalog.

I appreciate the reply and the information. I will close this case.
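The two comments above show the practical gap: `Get-AuthenticodeSignature` reports the bundle as signed and the DLL as NotSigned, while the file is actually covered by the package's CodeIntegrity catalog. The following script is an added example (not code from this issue or from the Windows Terminal project) of the check an allow-listing team would want: it tries the embedded signature first and, if there is none, walks up from the file to the package root and verifies the file's hash against that package's catalog with `signtool verify /c`. It assumes `signtool.exe` from the Windows SDK is on `PATH` and that the catalog lives at `AppxMetadata\CodeIntegrity.cat` under the package folder; both are assumptions, not facts stated in the thread.

```powershell
# Added example: verify a packaged binary via embedded Authenticode signature,
# falling back to the MSIX package's CodeIntegrity catalog.
# Assumptions (not from the issue): signtool.exe is on PATH, and the catalog
# is stored at <package root>\AppxMetadata\CodeIntegrity.cat.
param(
    [Parameter(Mandatory)][string]$FilePath
)

# Step 1: embedded signature. This is what AppLocker publisher rules and
# the Explorer "Digital Signatures" tab look at.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -eq 'Valid') {
    '{0}: embedded signature valid, signer: {1}' -f $FilePath, $sig.SignerCertificate.Subject
    return
}
'{0}: no valid embedded signature (status {1}); checking package catalog' -f $FilePath, $sig.Status

# Step 2: locate the package catalog by walking up the directory tree
# until a folder containing AppxMetadata\CodeIntegrity.cat is found.
$dir = Split-Path -Parent $FilePath
$cat = $null
while ($dir -and -not $cat) {
    $candidate = Join-Path $dir 'AppxMetadata\CodeIntegrity.cat'
    if (Test-Path $candidate) { $cat = $candidate } else { $dir = Split-Path -Parent $dir }
}
if (-not $cat) {
    '{0}: no package catalog found above the file; treat as unsigned' -f $FilePath
    return
}

# Step 3: the catalog itself must carry a valid signature, otherwise the
# hashes it lists prove nothing.
$catSig = Get-AuthenticodeSignature -FilePath $cat
'Catalog {0}: {1}, signer: {2}' -f $cat, $catSig.Status, $catSig.SignerCertificate.Subject
if ($catSig.Status -ne 'Valid') { return }

# Step 4: ask signtool whether the file's hash is a member of that catalog.
# /pa uses the default Authenticode policy; /c names the catalog explicitly.
& signtool.exe verify /pa /c $cat $FilePath
if ($LASTEXITCODE -eq 0) {
    '{0}: hash is listed in the signed package catalog' -f $FilePath
} else {
    '{0}: NOT covered by the package catalog (signtool exit code {1})' -f $FilePath, $LASTEXITCODE
}
```

Run it as `.\Check-PackagedBinary.ps1 -FilePath 'C:\ProgramData\Microsoft\Windows\AppRepository\Packages\<package>\PackagedCom\OpenConsoleProxy.dll'`. The distinction matters for the allow-listing problem raised later in the thread: a catalog membership check like this is what Windows Defender Application Control and catalog-aware tooling can use, whereas AppLocker publisher rules and Explorer only consider an embedded signature, which is why the project ultimately chose to sign the binaries themselves.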

@christophvw

Please sign the file properly. Otherwise it cannot be allowed in a secure way by AppLocker.

@DHowett (Member)

DHowett commented Jan 19, 2023

Yeah, this is nuanced. We're just gonna sign the files. :)

DHowett added a commit that referenced this issue Jan 20, 2023
Up until now, we have been relying on the catalog signature produced for our MSIX package.
There are some things (Packaged COM, Process Explorer as of 2022) that cannot handle catalog-signed
files. It's easier and safer for us to simply sign all the executables we produce before packaging them.

Unfortunately, we can't do it before we package them. We have to unpack and re-pack our package.

In the future, this will allow us to provide a codesigned distribution that is not in an MSIX package.

TEST=Ran a build and checked out the contents of the package. They were all signed!

Closes #13294
Closes #12695
Closes #9670
DHowett added a commit that referenced this issue Jan 20, 2023 (same message as above, cherry picked from commit 72be9a9; Service-Card-Id: 87690424; Service-Version: 1.16)

@ghost

ghost commented Jan 24, 2023

🎉 This issue was addressed in #14710, which has now been successfully released as Windows Terminal v1.16.1023 (10231 and 10232). 🎉

@ghost

ghost commented Jan 24, 2023

🎉 This issue was addressed in #14710, which has now been successfully released as Windows Terminal Preview v1.17.1023. 🎉