Re: A complete rewrite of the Linux scripts

Posted: 02.04.2018, 10:38
by hbuhrmester
The option use_file_signature_verification uses Sysinternals Sigcheck, running under wine, to attempt a verification of digital file signatures.

Thus, you need to install wine in addition to the other requirements. You get a warning from the script if the option is enabled but wine is missing.

Then it should work halfway, but with a default wine installation, Sigcheck can only detect whether a file has a digital file signature or not. It cannot actually validate the digital file signature. This seems to be a limitation of the built-in wine library CRYPT32.dll, even in recent wine versions (here wine-3.0 from Debian 9 Stretch-Backports).

To get everything working, two additional steps are necessary:

  1. The built-in wine library CRYPT32.dll must be replaced with a native Windows library. This can be done with the script winetricks:
  2. The Microsoft root certificates must be transferred from Windows to Linux. I never managed that much.

The Manual.pdf discusses most of this: the chapter Introduction on the first page already says:

The verification of digital file signatures with Sysinternals Sigcheck running under wine was tried, but it doesn't really work without the necessary root certificates.

The same warning is also in the first post of this forum thread: viewtopic.php?f=9&t=6180#p21327

The chapter Validation of downloaded files later in the Manual.pdf concludes:

Thus, although a preliminary implementation for wine and Sigcheck exists, it needs more work, especially to transfer the root certificates from Windows to Linux.

The chapter Requirements in Manual.pdf discusses required, recommended and optional applications.

The idea with options like use_file_signature_verification was that they can be enabled by renaming the file preferences-template.bash to preferences.bash and then editing that file. Every option is explained in this file.

However, most security updates can be validated by comparing their SHA-1 hashes, which are plainly embedded into their file names, with the hashes calculated by hashdeep.
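As an added illustration (not code from the post's author or from the wsusoffline scripts), a small POSIX shell check for the file-name hash comparison described in the last paragraph. It assumes the SHA-1 is the last 40 hex characters of the base name after an underscore, and it uses sha1sum where the post uses hashdeep.

```shell
#!/bin/sh
# Added example: compare the SHA-1 hash embedded in an update's file name
# with the hash computed over its contents.
# Assumption: names look like "<name>_<40-hex-sha1>.<ext>" (constructed pattern,
# not taken from the wsusoffline documentation).

# Print the embedded hash (lower-cased) for a path, or nothing if absent.
embedded_sha1() {
    base=${1##*/}                       # strip directory
    base=${base%.*}                     # strip extension
    printf '%s\n' "$base" \
        | sed -n 's/.*_\([0-9A-Fa-f]\{40\}\)$/\1/p' \
        | tr 'A-F' 'a-f'
}

# Verify one file.
# Exit status: 0 = match, 1 = hash mismatch, 2 = no hash in name or file missing.
verify_update() {
    file=$1
    [ -f "$file" ] || { echo "MISSING  $file"; return 2; }
    expected=$(embedded_sha1 "$file")
    [ -n "$expected" ] || { echo "NOHASH   $file"; return 2; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)   # hashdeep would do the same job
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (computed $actual, expected $expected)"
    return 1
}

# Verify every regular file in a directory; the exit status is the number
# of files that did not verify cleanly (mismatch or no embedded hash).
verify_dir() {
    dir=$1
    failures=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        verify_update "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage: . ./verify_updates.sh && verify_dir /path/to/downloaded/updates
```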