winget package signing issue #1100

Closed
strager opened this issue Oct 27, 2023 · 6 comments

strager commented Oct 27, 2023

microsoft/winget-pkgs#123771

Some logs from their CI server:

2023-10-25 18:32:10.155 [CORE] Starting RequestAddPackageAsync operation #0: https://c.quick-lint-js.com/releases/2.17.0/windows/quick-lint-js.msix
2023-10-25 18:32:10.158 [CORE] Begin waiting for operation #0
2023-10-25 18:32:10.158 [CORE] Begin blocking for operation #0
2023-10-25 18:32:12.351 [CORE] Deployment operation #0: error 0x800B0101: Opening the package from location quick-lint-js.msix failed.
2023-10-25 18:32:12.351 [FAIL] D:\a_work\1\s\external\pkg\src\AppInstallerCommonCore\Deployment.cpp(161)\WindowsPackageManager.dll!00007FFBEC479A45: (caller: 00007FFBEC403515) Exception(1) tid(2204) 800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

strager self-assigned this Oct 28, 2023

strager commented Nov 2, 2023

Verification failed for twitch.tv/saibotu:

On my machine I get a different certificate path:
image

Possibly related: Bad Certum cert:
https://old.reddit.com/r/sysadmin/comments/16g1y88/heads_up_sslcom_expired_cert_under_certum_fix/

strager commented Nov 2, 2023

Broken (expired):

  • twitch.tv/saibotu (Windows 11 22H2 (10.0.22621.2428))
  • twitch.tv/Butters_40 (Windows 10 Pro 22H2 19045.3570)
  • twitch.tv/chakypc (10.0.19045.3570)
  • twitch.tv/k1ng440 (20H2 19042.867)

Working (unexpired):

  • me (Version 22H2 (OS Build 19045.3208))
  • twitch.tv/x_Egoist (Version 22H2 (OS Build 19045.3448))
  • twitch.tv/FonkeLime (Win11 22H2 - Version 10.0.22621.2428)

strager commented Nov 2, 2023

strager commented Nov 2, 2023

It magically fixed itself for both k1ng440 and saibotu. 🤷‍♀️
Message from saibotu:

tested it on a pretty much clean vm: when you check the cert the first time it is invalid but it starts downloading some stuff in the background. When you check again after that it shows as valid.

I think I know how to fix it, though. We need to sign without Certum in the chain. (I think this means we need to update the SSL.com root CA too.)

strager commented Nov 2, 2023

saibotu: i assume it tries to get the missing (certum) root first and then fails verification. when you remove the cross-signed root it would probably grab the SSL.com self-signed root first

I like this hypothesis.

strager closed this as completed in ff9668a Nov 3, 2023

strager commented Nov 3, 2023

Fixed in quick-lint-js version 2.18.0 due to Git commit ff9668a.
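
The hypothesis discussed in this thread, as an added toy model that is not part of the original issue or of quick-lint-js: one signer chains to a trusted root through two paths, and a verifier that judges only the first path fails when that path runs through an expired cross-signed certificate. Assumptions: the certificate names, the expiry dates and the "embedded certificates first" path-selection rule are constructed for illustration and are not documented Windows behaviour.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # constructed expiry, not the real certificate's

def build_paths(leaf, embedded, trusted_roots):
    """Every name-chained path to a trusted root; embedded certs are tried first."""
    paths = []
    def walk(cert, chain):
        if cert in trusted_roots:
            paths.append(chain)
            return
        for cand in list(embedded) + list(trusted_roots):
            if cand.subject == cert.issuer and cand not in chain:
                walk(cand, chain + [cand])
    walk(leaf, [leaf])
    return paths

def expired(path, when):
    """Subjects of certificates in the path whose validity ended before `when`."""
    return [c.subject for c in path if c.not_after < when]

def verify_first_path(leaf, embedded, roots, when):
    """Assumed verifier behaviour: judge only the first path found."""
    paths = build_paths(leaf, embedded, roots)
    return bool(paths) and not expired(paths[0], when)

def verify_any_path(leaf, embedded, roots, when):
    """Alternative behaviour: accept if any path is fully within validity."""
    return any(not expired(p, when) for p in build_paths(leaf, embedded, roots))

# Constructed sample chain (hypothetical names and dates).
FAR = datetime(2040, 1, 1)
certum_root = Cert("Certum root", "Certum root", FAR)
sslcom_root = Cert("SSL.com root", "SSL.com root", FAR)
sslcom_cross = Cert("SSL.com root", "Certum root", datetime(2023, 9, 11))  # expired
intermediate = Cert("SSL.com code signing CA", "SSL.com root", FAR)
leaf = Cert("quick-lint-js signer", "SSL.com code signing CA", FAR)
ROOTS = [certum_root, sslcom_root]
NOW = datetime(2023, 10, 25, 18, 32)  # timestamp of the CI log in this thread

if __name__ == "__main__":
    print(verify_first_path(leaf, [intermediate, sslcom_cross], ROOTS, NOW))  # cross-cert embedded
    print(verify_first_path(leaf, [intermediate], ROOTS, NOW))  # cross-cert removed
```

Dropping the cross-signed certificate from the embedded set leaves only the path to the self-signed root, which corresponds to signing without Certum in the chain.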
