Bug 53254 - UI: msi packages of 3.6.0 release not signed in contrast to recent months of 3.5.x msi packages?
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version (earliest affected): 3.6.0.4 release
Hardware: x86 (IA32) Windows (All)
Importance: high major
Assignee: Andras Timar
URL:
Whiteboard: BSA
Keywords: security
Depends on:
Blocks:
Reported: 2012-08-08 15:35 UTC by real name
Modified: 2012-08-09 16:47 UTC

Description real name 2012-08-08 15:35:32 UTC
msi packages of 3.6.0 release not signed in contrast to recent months of 3.5.x msi packages?

Problem description:
The Microsoft Windows platform MSI installer packages (tried the main installer MSI and the German help pack installer) are NOT signed (Authenticode digital signature) any more, in contrast to the recent releases of the 3.5.x branch.

Steps to reproduce:
1. Verify for yourselves the MSI (multi) package and the German help package, at least those of 3.6.x:

http://download.documentfoundation.org/libreoffice/stable/3.6.0/win/x86/LibO_3.6.0_Win_x86_install_multi.msi

http://download.documentfoundation.org/libreoffice/stable/3.6.0/win/x86/LibO_3.6.0_Win_x86_helppack_de.msi
2. sigcheck -a filename
3. sigcheck -r filename
4. sigcheck -u filename
5. sigcheck is the Microsoft Sysinternals tool from:
http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

Current behavior:
No signature found in these MSI packages from 3.6.0, but a good signature from The Document Foundation is found for 3.5.x packages, at least 3.5.4.

Expected behavior:
Compare with the output WITH signatures of 3.5.x, e.g. 3.5.5 with sigcheck:

C:>sigcheck -a -r -h -m -i "C:\LibO_3.5.5_Win_x86_helppack_de.msi"

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\desktop\LibO_3.5.5_Win_x86_helppack_de.msi:

        Verified:       Signed
        Catalog:        C:\desktop\LibO_3.5.5_Win_x86_helppack_de.msi
        Signers:
                The Document Foundation
                StartCom Class 2 Primary Intermediate Object CA
                StartCom Certification Authority
        Signing date:   17:31 08.08.2012
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        Strong Name:    Unsigned
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        MD5:    e8e1cdb3491c5103abed37d0e51ef87e
        SHA1:   d1a5d713d9461a4e88cc933a7b878a18f56da6f4
        SHA256: 9de696e3ca6c40fe3b14fd81083cc87526de514d95de990e72e10678e835a570


C:>sigcheck -a -r -h -m -i "C:\LibO_3.5.5_Win_x86_install_multi.msi"

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\LibO_3.5.5_Win_x86_install_multi.msi:
        Verified:       Signed
        Catalog:        C:\desktop\LibO_3.5.5_Win_x86_install_multi.msi
        Signers:
                The Document Foundation
                StartCom Class 2 Primary Intermediate Object CA
                StartCom Certification Authority
        Signing date:   17:32 08.08.2012
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        Strong Name:    Unsigned
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        MD5:    fe7f09caaedd263e590d9c6316cc30c8
        SHA1:   5bf6bad4f10ad621f4588b9bab5a5ba2a6208322
        SHA256: 2bf3643367e41e10b0c2947a39688a6ec5588ba8c6b1936819e1274cf02a052b

Platform (if different from the browser):
Windows XP 32-bit, Professional, SP3

Browser: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Comment 1 real name 2012-08-08 15:37:44 UTC
Don't know if the release version 3.6.0 is supposed to be 3.6.0.4; the automated bug reporting assistant was having trouble identifying the 3.6.0.4 version, but it was offering me this nevertheless. Weird.
Comment 2 real name 2012-08-08 17:02:28 UTC
These are the bad results with the 3.6.0 MSI files:

C:\libreoffice>C:\sigcheck -a -h -i -m -r LibO_3.6.0_Win_x86_helppack_de.msi

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\libreoffice\LibO_3.6.0_Win_x86_helppack_de.msi:
        Verified:       Unsigned
        File date:      18:57 08.08.2012
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        Strong Name:    Unsigned
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        MD5:    1708994e2f96a14ec6a4930f785383b5
        SHA1:   da493d7c83b0b21c907ceffd8a6a57d65d5444a2
        SHA256: debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c


C:\libreoffice>C:\sigcheck -a -h -i -m -r LibO_3.6.0_Win_x86_install_multi.msi

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\libreoffice\LibO_3.6.0_Win_x86_install_multi.msi:
        Verified:       Unsigned
        File date:      18:58 08.08.2012
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        Strong Name:    Unsigned
        Original Name:  n/a
        Internal Name:  n/a
        Copyright:      n/a
        Comments:       n/a
        MD5:    78e05827b0d2cc2a2d21529b94518bc3
        SHA1:   58bcb5e5f4a9b002b62c573f36dae669516ff97d
        SHA256: 89f372c3e7204a9b9a44a562fca1eaaace85f5d1ce3352010ae3adbc1ecca9d9

Both of them UNSIGNED.
Comment 3 real name 2012-08-09 12:43:14 UTC
I don't know what is wrong with the documentfoundation and/or libreoffice teams, but the release notes about 3.6.0 say that it's bit-identical with some latest RCx version, and if that's true the signature was already missing in the RCx.

Oddly enough, there seem to be different binaries served from the docufoundation bouncers and mirrors, as I have just received an apparently signed MSI package for the German help pack, although not directly personally: an online virus scan service has managed to receive a differently sized MSI binary for the German help MSI which actually does have some signature.

Very weird.

Signed:
https://www.virustotal.com/file/b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155/analysis/1344515525/


First seen by VirusTotal
2012-08-09 12:32:05 UTC ( 1 Minute ago )
Last seen by VirusTotal
2012-08-09 12:32:05 UTC ( 1 Minute ago )
File names (max. 25)

    LibO_3.6.0_Win_x86_helppack_de.msi


SHA256: 	b942086da97bde38752b58709df31bceaefae48c089b7c5f5c0960f71e82f155
SHA1:  53db9d3803ee928f15874f311055add9a64b1d3e
MD5: 	80096c9b7b9c0efdad71ce9e10f83fbb
File size: 	10.3 MB ( 10784768 bytes )
File name: 	LibO_3.6.0_Win_x86_helppack_de.msi
File type: 	FlashPix
Detection ratio: 	0 / 42
Analysis date: 	2012-08-09 12:32:05 UTC ( 1 Minute ago ) 

So the signed version is rather brand new according to VirusTotal.

Unsigned, as being served to my internet connections, and the same as from yesterday:
https://www.virustotal.com/file/debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c/analysis/1344515680/


First seen by VirusTotal
2012-08-08 14:15:01 UTC ( 22 Stunden, 22 Minuten ago )
Last seen by VirusTotal
2012-08-09 12:34:40 UTC ( 2 Minuten ago )
File names (max. 25)

    LibO_3.6.0_Win_x86_helppack_de.msi

SHA256: 	debaca218bd6204cc528d2201728695d0ce1ecf8b2184719cafaf791262d854c
SHA1:  da493d7c83b0b21c907ceffd8a6a57d65d5444a2
MD5: 	1708994e2f96a14ec6a4930f785383b5
File size: 	10.3 MB ( 10776576 bytes )
File name: 	LibO_3.6.0_Win_x86_helppack_de.msi
File type: 	FlashPix
Detection ratio: 	0 / 42
Analysis date: 	2012-08-09 12:34:40 UTC ( 2 Minuten ago ) 

File sizes are different and so are the hashes.
What is wrong with the release and signing cycle over at docufoundation/libreoffice?

This doesn't demonstrate a proper handling of releases and handling of security matters.
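A defender-side check covering both the sigcheck procedure in the report and the mirror inconsistency (different sizes and hashes for the same file name) described in the comment above, as an added example that is not part of this bug report or of LibreOffice's own tooling: a PowerShell script that applies the same Authenticode and hash checks to a set of downloaded MSI files using only built-in cmdlets (Get-AuthenticodeSignature and Get-FileHash). It needs PowerShell 4.0 or later for Get-FileHash, so it would not run on the reporter's Windows XP machine, where sigcheck remains the right tool. The script name, the publisher match against the signing certificate's Subject, and the known-hash table are assumptions; the two hashes in the table are the 3.5.5 values from the sigcheck output quoted in the report.

```powershell
<#
  Verify-Msi.ps1 (hypothetical name; added example, not project code)

  For every MSI given on the command line, report the Authenticode status,
  signer, timestamp, size and SHA256, and flag files that are unsigned,
  signed by someone other than the expected publisher, or whose SHA256
  differs from a known-good value. Exits non-zero on any problem so it can
  gate an automated install.

  Usage:
    .\Verify-Msi.ps1 -Path .\LibO_3.6.0_Win_x86_install_multi.msi, .\LibO_3.6.0_Win_x86_helppack_de.msi
#>
param(
    [Parameter(Mandatory = $true)]
    [string[]] $Path,

    # Assumption: the publisher name appears in the signing certificate's Subject.
    [string] $ExpectedPublisher = 'The Document Foundation',

    # Optional map of file name -> expected SHA256 (hex). Populate from the
    # project's published checksums; the two entries here are the 3.5.5
    # values from the sigcheck output quoted in the bug report.
    [hashtable] $KnownSha256 = @{
        'LibO_3.5.5_Win_x86_helppack_de.msi'   = '9de696e3ca6c40fe3b14fd81083cc87526de514d95de990e72e10678e835a570'
        'LibO_3.5.5_Win_x86_install_multi.msi' = '2bf3643367e41e10b0c2947a39688a6ec5588ba8c6b1936819e1274cf02a052b'
    }
)

$results = foreach ($file in $Path) {
    $item = Get-Item -LiteralPath $file
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $sha  = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLowerInvariant()

    $problems = @()

    # Status is a SignatureStatus enum: Valid, NotSigned, HashMismatch,
    # NotTrusted, UnknownError, ... Only Valid means the signature checks out
    # and chains to a root trusted on THIS machine.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status)"
    }

    # A Valid signature from the wrong publisher is still a failed check.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notlike "*$ExpectedPublisher*") {
        $problems += "signer subject '$subject' does not name $ExpectedPublisher"
    }

    # A timestamp lets the signature stay verifiable after the signing
    # certificate expires; its absence is worth reporting, not failing on.
    $timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }

    # Compare against a known-good hash when we have one for this file name;
    # this is what catches the "same name, different size and hash" mirror case.
    $expected = $KnownSha256[$item.Name]
    if ($expected -and $expected.ToLowerInvariant() -ne $sha) {
        $problems += "SHA256 $sha differs from expected $expected"
    }

    [pscustomobject]@{
        File      = $item.Name
        Bytes     = $item.Length
        Status    = $sig.Status
        Signer    = $subject
        Timestamp = $timestamp
        SHA256    = $sha
        OK        = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

$results | Format-Table File, Bytes, Status, OK, Problems -AutoSize

if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

Note that Get-AuthenticodeSignature reports NotTrusted rather than Valid when the issuing root (here a StartCom CA) is not in the machine's trusted store, so a NotTrusted result on a freshly built host is a trust-store question, whereas NotSigned, as in the 3.6.0 files above, means the MSI carries no signature at all.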
Comment 4 Andras Timar 2012-08-09 16:47:24 UTC
New, signed binaries are distributed to mirrors now.