msi packages of 3.6.0 release not signed in contrast to recent months of 3.5.x msi packages?

Problem description: the Microsoft Windows platform msi installer packages (tried main installer msi and german-help pack installer) are NOT signed (Authenticode digital signature) any more, in contrast to the recent releases of the 3.5.x branch.

Steps to reproduce:
1. verify for yourselves the msi (multi) package and the german-help package at least of 3.6.x
   http://download.documentfoundation.org/libreoffice/stable/3.6.0/win/x86/LibO_3.6.0_Win_x86_install_multi.msi
   http://download.documentfoundation.org/libreoffice/stable/3.6.0/win/x86/LibO_3.6.0_Win_x86_helppack_de.msi
2. sigcheck -a filename
3. sigcheck -r filename
4. sigcheck -u filename
5. sigcheck = Microsoft Sysinternals tool from: http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

Current behavior: no signature found in these msi packages from 3.6.0, but good signature from documentfoundation found for 3.5.x packages, at least 3.5.4

Expected behavior: compare with output WITH signatures of 3.5.x, e.g. 3.5.5 with sigcheck

C:>sigcheck -a -r -h -m -i "C:\LibO_3.5.5_Win_x86_helppack_de.msi"

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\desktop\LibO_3.5.5_Win_x86_helppack_de.msi:
    Verified: Signed
    Catalog: C:\desktop\LibO_3.5.5_Win_x86_helppack_de.msi
    Signers:
        The Document Foundation
        StartCom Class 2 Primary Intermediate Object CA
        StartCom Certification Authority
    Signing date: 17:31 08.08.2012
    Publisher: n/a
    Description: n/a
    Product: n/a
    Version: n/a
    File version: n/a
    Strong Name: Unsigned
    Original Name: n/a
    Internal Name: n/a
    Copyright: n/a
    Comments: n/a
    MD5: e8e1cdb3491c5103abed37d0e51ef87e
    SHA1: d1a5d713d9461a4e88cc933a7b878a18f56da6f4
    SHA256: 9de696e3ca6c40fe3b14fd81083cc87526de514d95de990e72e10678e835a570

C:>sigcheck -a -r -h -m -i "C:\LibO_3.5.5_Win_x86_install_multi.msi"

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\LibO_3.5.5_Win_x86_install_multi.msi:
    Verified: Signed
    Catalog: C:\desktop\LibO_3.5.5_Win_x86_install_multi.msi
    Signers:
        The Document Foundation
        StartCom Class 2 Primary Intermediate Object CA
        StartCom Certification Authority
    Signing date: 17:32 08.08.2012
    Publisher: n/a
    Description: n/a
    Product: n/a
    Version: n/a
    File version: n/a
    Strong Name: Unsigned
    Original Name: n/a
    Internal Name: n/a
    Copyright: n/a
    Comments: n/a
    MD5: fe7f09caaedd263e590d9c6316cc30c8
    SHA1: 5bf6bad4f10ad621f4588b9bab5a5ba2a6208322
    SHA256: 2bf3643367e41e10b0c2947a39688a6ec5588ba8c6b1936819e1274cf02a052b

Platform (if different from the browser): windows xp 32bit, professional, sp3
Browser: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Don't know if the release version 3.6.0 is supposed to be 3.6.0.4, and the automated bug-reporting assistant was having trouble identifying the 3.6.0.4 version, but it was offering me this nevertheless. Weird.
These are the bad results with the 3.6.0 msi files:

C:\libreoffice>C:\sigcheck -a -h -i -m -r LibO_3.6.0_Win_x86_helppack_de.msi

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\libreoffice\LibO_3.6.0_Win_x86_helppack_de.msi:
    Verified: Unsigned
    File date: 18:57 08.08.2012
    Publisher: n/a
    Description: n/a
    Product: n/a
    Version: n/a
    File version: n/a
    Strong Name: Unsigned
    Original Name: n/a
    Internal Name: n/a
    Copyright: n/a
    Comments: n/a
    MD5: 1708994e2f96a14ec6a4930f785383b5
    SHA1: da493d7c83b0b21c907ceffd8a6a57d65d5444a2
    SHA256: debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c

C:\libreoffice>C:\sigcheck -a -h -i -m -r LibO_3.6.0_Win_x86_install_multi.msi

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\libreoffice\LibO_3.6.0_Win_x86_install_multi.msi:
    Verified: Unsigned
    File date: 18:58 08.08.2012
    Publisher: n/a
    Description: n/a
    Product: n/a
    Version: n/a
    File version: n/a
    Strong Name: Unsigned
    Original Name: n/a
    Internal Name: n/a
    Copyright: n/a
    Comments: n/a
    MD5: 78e05827b0d2cc2a2d21529b94518bc3
    SHA1: 58bcb5e5f4a9b002b62c573f36dae669516ff97d
    SHA256: 89f372c3e7204a9b9a44a562fca1eaaace85f5d1ce3352010ae3adbc1ecca9d9

both of them UNSIGNED
I don't know what is wrong with the documentfoundation and/or libreoffice teams, but the release notes about 3.6.0 say that it's bit-identical with some latest RCx version, and if that's true the signature was already missing in the RCx.

Oddly enough there seem to be different binaries served from the docufoundation bouncers and mirrors, as I have just received an apparently signed msi package for the german help pack, although not directly personally, but an online virus scan service has managed to receive a different-sized msi binary for the german help msi which actually does have some signature. Very weird.

signed:
https://www.virustotal.com/file/b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155/analysis/1344515525/
First seen by VirusTotal 2012-08-09 12:32:05 UTC ( 1 Minute ago )
Last seen by VirusTotal 2012-08-09 12:32:05 UTC ( 1 Minute ago )
File names (max. 25) LibO_3.6.0_Win_x86_helppack_de.msi
SHA256: b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155
SHA1: 53db9d3803ee928f15874f311055add9a64b1d3e
MD5: 80096c9b7b9c0efdad71ce9e10f83fbb
File size: 10.3 MB ( 10784768 bytes )
File name: LibO_3.6.0_Win_x86_helppack_de.msi
File type: FlashPix
Detection ratio: 0 / 42
Analysis date: 2012-08-09 12:32:05 UTC ( 1 Minute ago )

So the signed version is rather brand new according to virustotal.

unsigned, as being served to my internet connections and same as from yesterday:
https://www.virustotal.com/file/debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c/analysis/1344515680/
First seen by VirusTotal 2012-08-08 14:15:01 UTC ( 22 Stunden, 22 Minuten ago )
Last seen by VirusTotal 2012-08-09 12:34:40 UTC ( 2 Minuten ago )
File names (max. 25) LibO_3.6.0_Win_x86_helppack_de.msi
SHA256: debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c
SHA1: da493d7c83b0b21c907ceffd8a6a57d65d5444a2
MD5: 1708994e2f96a14ec6a4930f785383b5
File size: 10.3 MB ( 10776576 bytes )
File name: LibO_3.6.0_Win_x86_helppack_de.msi
File type: FlashPix
Detection ratio: 0 / 42
Analysis date: 2012-08-09 12:34:40 UTC ( 2 Minuten ago )

File sizes are different and so are hashes. What is wrong with the release and signing cycle over at docufoundation/libreoffice? This doesn't demonstrate a proper handling of releases and handling security matters.
New, signed binaries are distributed to mirrors now.
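
The checks done by hand in this thread, as an added example that is not part of the original report or of any LibreOffice tooling: it parses sigcheck text output, flags packages that are not `Verified: Signed` or whose first listed signer is not the expected publisher, and reports when one file name appears with more than one SHA256. The sample output, mirror paths and hash values are constructed; treating the first `Signers` entry as the signing certificate follows the layout shown in the thread.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in sigcheck's layout: one file name fetched from two
# hypothetical mirrors. Hash values are placeholders, not real digests.
SAMPLE = "\n".join([
    r"C:\mirror-a\LibO_3.6.0_Win_x86_helppack_de.msi:",
    "\tVerified:\tUnsigned",
    "\tSHA256:\t" + "a1" * 32,
    r"C:\mirror-b\LibO_3.6.0_Win_x86_helppack_de.msi:",
    "\tVerified:\tSigned",
    "\tSigners:",
    "\t   The Document Foundation",
    "\t   StartCom Certification Authority",
    "\tSHA256:\t" + "b2" * 32,
])
FIELD = re.compile(r"^\s+([A-Za-z0-9 ]+):\s*(.*)$")

def parse_sigcheck(text):
    """Split sigcheck output into one record per file."""
    records, rec, in_signers = [], None, False
    for line in map(str.rstrip, text.splitlines()):
        if line and not line[0].isspace() and line.endswith(":"):
            rec = {"path": line[:-1], "signers": []}  # "C:\...\file.msi:" header
            records.append(rec)
            in_signers = False
        elif rec is not None and (m := FIELD.match(line)):
            key, value = m.group(1), m.group(2).strip()
            in_signers = key == "Signers" and not value
            if not in_signers:
                rec[key] = value
        elif rec is not None and in_signers and line.strip():
            rec["signers"].append(line.strip())  # certificate chain entry
    return records

def audit(records, expected_signer):
    """Flag unsigned files, unexpected signers, and same-name hash splits."""
    findings, hashes = [], defaultdict(set)
    for rec in records:
        hashes[ntpath.basename(rec["path"])].add(rec.get("SHA256", "").lower())
        if rec.get("Verified") != "Signed":
            findings.append(("unsigned", rec["path"]))
        elif rec["signers"][:1] != [expected_signer]:  # first entry = signing cert
            findings.append(("unexpected-signer", rec["path"]))
    findings += [("hash-mismatch", n) for n, h in sorted(hashes.items()) if len(h) > 1]
    return findings

if __name__ == "__main__":
    print(*audit(parse_sigcheck(SAMPLE), "The Document Foundation"), sep="\n")
```

A hash mismatch for one file name means mirrors are serving different builds of the same release, which is what the two VirusTotal results above show. Matching on the publisher name is a coarse check; pinning the signing certificate's thumbprint is stricter.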