A complete rewrite of the Linux scripts

Re: A complete rewrite of the Linux scripts

Postby hbuhrmester » 02.04.2018, 09:38

The option use_file_signature_verification uses Sysinternals Sigcheck, running under wine, to try to verify digital file signatures.

Thus, you need to install wine in addition to the other requirements. The script warns you if the option is enabled but wine is missing.

Then it should work halfway, but with a default wine installation Sigcheck can only detect whether a file has a digital file signature or not. It cannot actually validate the signature. This seems to be a limitation of the built-in wine library CRYPT32.dll, even in recent wine versions (here wine-3.0 from Debian 9 Stretch-Backports).

To get everything working, two additional steps are necessary:

  1. The built-in wine library CRYPT32.dll must be replaced with a native Windows library. This can be done with the script winetricks: https://github.com/Winetricks/winetricks
  2. The Microsoft root certificates must be transferred from Windows to Linux. I never managed that much.


The Manual.pdf discusses most of this: the chapter Introduction on the first page already says:

The verification of digital file signatures with Sysinternals Sigcheck running under wine was tried, but it doesn't really work without the necessary root certificates.


The same warning is also in the first post of this forum thread: viewtopic.php?f=9&t=6180#p21327


The chapter Validation of downloaded files later in the Manual.pdf concludes:

Thus, although a preliminary implementation for wine and Sigcheck exists, it needs more work, especially to transfer the root certificates from Windows to Linux.


The chapter Requirements in Manual.pdf discusses required, recommended and optional applications.


The idea with options like use_file_signature_verification was that they can be enabled by renaming the file preferences-template.bash to preferences.bash, and then editing that file. Every option is explained in this file.


However, most security updates can be validated by comparing their SHA-1 hashes, which are plainly embedded in their file names, with the hashes calculated by hashdeep.
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59
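The file-name hash check described in the post above, as an added example that is not part of the WSUS Offline Update scripts: it substitutes coreutils sha1sum for hashdeep, constructs its own sample files, and the update file names it uses are made up.

```shell
# Added example, not code from the WSUS Offline Update scripts: validate a
# downloaded update by comparing the SHA-1 embedded in its file name with the
# SHA-1 of its contents. sha1sum stands in for hashdeep here. POSIX sh only.
# Print the 40-hex-digit SHA-1 that follows the last "_" in an update file
# name (e.g. windows6.1-kb0000000-x64_<sha1>.msu, a constructed name).
# Returns 1 if the name carries no such hash.
embedded_sha1() {
    name=${1##*/}                                  # drop directory part
    name=${name%.*}                                # drop extension
    hash=$(printf '%s' "${name##*_}" | tr 'A-F' 'a-f')
    case $hash in
        *[!0-9a-f]*) return 1 ;;                   # non-hex character present
    esac
    [ "${#hash}" -eq 40 ] || return 1
    printf '%s\n' "$hash"
}
# 0 = hash matches, 1 = mismatch (file is corrupt or tampered with),
# 2 = no hash in the name, so this method cannot validate the file.
verify_update_file() {
    expected=$(embedded_sha1 "$1") || return 2
    actual=$(sha1sum "$1" | cut -d ' ' -f 1)
    [ "$expected" = "$actual" ]
}
# Human-readable one-line verdict, safe to call under "set -e".
report() {
    rc=0
    verify_update_file "$1" || rc=$?
    case $rc in
        0) printf 'OK        %s\n' "${1##*/}" ;;
        1) printf 'MISMATCH  %s\n' "${1##*/}" ;;
        *) printf 'NO HASH   %s\n' "${1##*/}" ;;
    esac
}
# Constructed sample data: the same payload stored once under a name carrying
# its real hash and once under a name carrying a bogus hash of 40 "a"s.
make_samples() {
    sample_dir=$(mktemp -d)
    printf 'constructed update payload\n' > "$sample_dir/payload"
    good_hash=$(sha1sum "$sample_dir/payload" | cut -d ' ' -f 1)
    good_file="$sample_dir/windows6.1-kb0000000-x64_$good_hash.msu"
    bad_file="$sample_dir/windows6.1-kb0000000-x86_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.msu"
    cp "$sample_dir/payload" "$good_file"
    cp "$sample_dir/payload" "$bad_file"
}
make_samples
report "$good_file"            # OK
report "$bad_file"             # MISMATCH
report "$sample_dir/payload"   # NO HASH
rm -rf "$sample_dir"
```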

Re: A complete rewrite of the Linux scripts

Postby slycordinator » 14.06.2019, 13:40

1) At least on an x86_64 Linux Debian install I've got, when I enabled sigcheck, installing wine as recommended in the script wasn't enough. When I ran "wine sigcheck.exe sigcheck.exe", I received an error that it needed wine32.

2) It's also of note that running/enabling sigcheck doesn't work on ARM-based Linux installs, even if wine is installed. It seems that wine on ARM enables running Windows binaries that were built for ARM (and presumably sigcheck.exe is an x86-only binary).
slycordinator
 
Posts: 8
Joined: 23.02.2019, 07:48

Re: A complete rewrite of the Linux scripts

Postby boco » 14.06.2019, 16:18

1. WOU also includes sigcheck64.exe. Doesn't the Linux script use this on 64-bit systems?
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: A complete rewrite of the Linux scripts

Postby hbuhrmester » 14.06.2019, 19:31

sigcheck64.exe is not used yet, but a switch could easily be added to the file 20-get-sysinternals-helpers.bash:

# Since Sigcheck 2.5.1, both architectures i686 and x86_64 are
# supported. The hardware architecture can be determined with uname -m,
# according to the POSIX standard.
#
# https://en.wikipedia.org/wiki/Uname
#
# TODO: Actually, the architecture of the operating system should be
# used. If a 32-bit operating system is running on 64-bit hardware,
# then uname -m will return the wrong value. uname -i may work better,
# but this is not really standardized.

hardware_architecture="$(uname -m)"
case "${hardware_architecture}" in
    i386 | i686 | x86)
        sigcheck_bin="sigcheck.exe"
    ;;
    amd64 | x86_64)
        sigcheck_bin="sigcheck64.exe"
    ;;
    arm*)
        log_warning_message "ARM processors are not supported by Sysinternals Sigcheck."
    ;;
    *)
        log_warning_message "Unknown architecture ${hardware_architecture}."
    ;;
esac


The download part would also need to be modified:

# Get Sysinternals Sigcheck
initial_errors="$(get_error_count)"
if [[ -f "../bin/sigcheck.exe" && -f "../bin/sigcheck64.exe" ]]
then
    log_info_message "Found Sysinternals Sigcheck"
else
    log_info_message "Downloading Sysinternals Sigcheck ..."
    download_single_file "../bin" "${sigcheck_link}"
    if same_error_count "${initial_errors}"
    then
        log_info_message "Extracting Sysinternals Sigcheck ..."
        if unzip -u -o "../bin/${sigcheck_archive}" "sigcheck.exe" "sigcheck64.exe" -d "../bin"
        then
            log_info_message "Trashing/deleting archive ${sigcheck_archive} ..."
            trash_file "../bin/${sigcheck_archive}"
            log_info_message "Installed Sysinternals Sigcheck"
        else
            log_error_message "Extraction of Sysinternals Sigcheck failed"
        fi
    else
        log_error_message "Download of Sysinternals Sigcheck failed"
    fi
fi


Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: A complete rewrite of the Linux scripts

Postby slycordinator » 15.06.2019, 02:40

In the other thread, I posted a modification to libraries/digital-file-signatures.bash to run on Cygwin. But it had one mistake, in that the "linux_path" needed to be set using cygpath to make it Unix-ified. So, here's the combined diff of the original from the 11.7.2 archive and what I changed.

--- digital-file-signatures.bash_orig   2019-06-15 10:34:01.882961800 +0900
+++ digital-file-signatures.bash   2019-06-15 10:34:14.411258900 +0900
@@ -107,11 +107,20 @@
         log_info_message "Verification of digital file signatures is disabled in preferences"
         return 0
     fi
-    if ! type -P wine > /dev/null
-    then
-        log_warning_message "Please install the package wine to verify digital file signatures with Sysinternals Sigcheck"
-        return 0
-    fi
+   kernel_name="$(uname -s)"
+   case "${kernel_name}" in
+      CYGWIN*)
+            true
+            ;;
+
+        *)
+         if ! type -P wine > /dev/null
+         then
+            log_warning_message "Please install the package wine to verify digital file signatures with Sysinternals Sigcheck"
+            return 0
+         fi
+         ;;
+   esac
     if [[ ! -f ../bin/"${sigcheck_bin}" ]]
     then
         log_warning_message "Verification of digital file signatures requires Sysinternals Sigcheck"
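Review bot: the new case block is indented with three spaces and its branches with five and nine, while the surrounding function uses four; reindent to four so the block matches the file. `kernel_name` is also assigned without `local` and is read again in the two later hunks, so it is relied on as a global; if those reads sit in another function they only work when this function has run first, so set it once at file level (or pass it explicitly) rather than as a side effect of this check. The `true` in the CYGWIN branch can be the conventional no-op `:`.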
@@ -154,7 +163,15 @@
     #
     # The result code of sigcheck cannot be tested, because it is masked
     # by wine.
-    sigcheck_output="$(wine "../bin/${sigcheck_bin}" "${sigcheck_options[@]}" "${download_dir}" 2> /dev/null | tail -n +2 | unquote)" || true
+    case "${kernel_name}" in
+      CYGWIN*)
+            sigcheck_output="$(../bin/"${sigcheck_bin}" "${sigcheck_options[@]}" "${download_dir}" 2> /dev/null | tail -n +2 | unquote)" || true
+            ;;
+
+        *)
+         sigcheck_output="$(wine ../bin/"${sigcheck_bin}" "${sigcheck_options[@]}" "${download_dir}" 2> /dev/null | tail -n +2 | unquote)" || true
+         ;;
+   esac
     log_debug_message "Sigcheck output:"
     log_debug_message "${sigcheck_output}"
 
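Review bot: the comment kept above the case still says the exit code cannot be tested because wine masks it, but the CYGWIN branch runs sigcheck natively, so the `|| true` there throws away a usable exit status; keep the status in that branch and update the comment. The two branches differ only in the `wine` prefix, so setting a runner variable in the first hunk (e.g. `sigcheck_runner=wine`, empty on Cygwin) and writing the pipeline once avoids two copies that will drift apart. `${download_dir}` is also handed to a native Windows binary unchanged; if it can be an absolute POSIX path, convert it with `cygpath -w` first.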
@@ -173,7 +190,15 @@
         #
         # The resulting file path could be further shortened with
         # readlink -f.
-        linux_path="$(winepath --unix "${windows_path}")"
+        case "${kernel_name}" in
+         CYGWIN*)
+            linux_path="cygpath -u ${windows_path}"
+            ;;
+
+         *)
+            linux_path="$(winepath --unix "${windows_path}")"
+            ;;
+      esac
         filename="${linux_path##*/}"
 
         log_debug_message "Windows path: ${windows_path}"
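Review bot: the CYGWIN branch assigns the literal string `cygpath -u ${windows_path}` to `linux_path` instead of the command's output, so `filename="${linux_path##*/}"` and every later use of `linux_path` operate on that literal text; this is exactly the mistake the post says was fixed. It should read `linux_path="$(cygpath -u "${windows_path}")"`, mirroring the quoted `winepath --unix` call in the other branch.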
slycordinator
 
Posts: 8
Joined: 23.02.2019, 07:48

Re: A complete rewrite of the Linux scripts

Postby slycordinator » 15.06.2019, 04:10

hbuhrmester wrote: sigcheck64.exe is not used yet, but a switch could easily be added to the file 20-get-sysinternals-helpers.bash.
By the way,
"uname -m" on ARM usually gives an architecture of "aarch*" (aarch64 or aarch32).
slycordinator
 
Posts: 8
Joined: 23.02.2019, 07:48
