MSOffice2011Updates.download: Code signature check fails for Update 14.7.1 #194

Open
peterkelm opened this issue Mar 5, 2017 · 3 comments

Comments

@peterkelm

The code signature check in the MSOffice2011Updates.download recipe fails for Office 2011 update 14.7.1.

CodeSignatureVerifier: Verifying installer package signature...
CodeSignatureVerifier: Package "Office 2011 14.7.1 Update":
CodeSignatureVerifier:    Status: signed by a certificate trusted by Mac OS X
CodeSignatureVerifier:    Certificate Chain:
CodeSignatureVerifier:     1. Developer ID Installer: Microsoft Corporation
CodeSignatureVerifier:        SHA1 fingerprint: AE D0 A7 C5 31 01 2B 70 D7 FB 49 5A 23 30 3A 67 05 36 5A 11
CodeSignatureVerifier:        -----------------------------------------------------------------------------
CodeSignatureVerifier:     2. Developer ID Certification Authority
CodeSignatureVerifier:        SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
CodeSignatureVerifier:        -----------------------------------------------------------------------------
CodeSignatureVerifier:     3. Apple Root CA
CodeSignatureVerifier:        SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
CodeSignatureVerifier: 
CodeSignatureVerifier: Signature is valid
CodeSignatureVerifier: Mismatch in authority names
CodeSignatureVerifier: Expected: Developer ID Installer: Microsoft Corporation (UBF8T346G9) -> Developer ID Certification Authority -> Apple Root CA
CodeSignatureVerifier: Found:    Developer ID Installer: Microsoft Corporation -> Developer ID Certification Authority -> Apple Root CA
Mismatch in authority names. Note that all verification can be disabled by setting the variable DISABLE_CODE_SIGNATURE_VERIFICATION to a non-empty value.
Failed.
@gregneagle
Contributor

Can't replicate that here.

CodeSignatureVerifier
{'Input': {'expected_authority_names': (
    "Developer ID Installer: Microsoft Corporation (UBF8T346G9)",
    "Developer ID Certification Authority",
    "Apple Root CA"
),
           'input_path': u'/var/madmin/Library/AutoPkg/Cache/com.github.autopkg.download.Office2011Updates/downloads/Office2011-1471Update_EN-US.dmg/Office*.*pkg'}}
CodeSignatureVerifier: Mounted disk image /var/madmin/Library/AutoPkg/Cache/com.github.autopkg.download.Office2011Updates/downloads/Office2011-1471Update_EN-US.dmg
CodeSignatureVerifier: Using path '/private/tmp/dmg.uux1te/Office 2011 14.7.1 Update.pkg' matched from globbed '/private/tmp/dmg.uux1te/Office*.*pkg'.
CodeSignatureVerifier: Verifying installer package signature...
CodeSignatureVerifier: Package "Office 2011 14.7.1 Update":
CodeSignatureVerifier:    Status: signed by a certificate trusted by Mac OS X
CodeSignatureVerifier:    Certificate Chain:
CodeSignatureVerifier:     1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
CodeSignatureVerifier:        SHA1 fingerprint: 9B 6B 91 3B B1 3F 68 26 12 20 EC 72 11 F0 F2 0E 92 E4 B1 EB
CodeSignatureVerifier:        -----------------------------------------------------------------------------
CodeSignatureVerifier:     2. Developer ID Certification Authority
CodeSignatureVerifier:        SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
CodeSignatureVerifier:        -----------------------------------------------------------------------------
CodeSignatureVerifier:     3. Apple Root CA
CodeSignatureVerifier:        SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
CodeSignatureVerifier: 
CodeSignatureVerifier: Signature is valid
CodeSignatureVerifier: Authority name chain is valid

Microsoft seems to have multiple build machines signing packages and the Developer ID Installer cert seems to "oscillate".

Ultimately we might need to alter the CodeSignatureVerifier to be able to do a less-strict check of expected_authority_names... @hjuutilainen

@peterkelm
Author

Hmm, I used the German language update "Office2011-1471Update_DE-DE.dmg". So Microsoft does not use the same dev certificate across all languages...

@timsutton
Member

Somebody else reported this, I believe in the Macadmins Slack, a couple weeks ago. I notified Paul Bowden, a release manager on the Office for Mac Team.

The cause is that they have a farm of build machines doing the releases, and for a long time they have had different (but valid) Developer ID identities installed across the machines. We've raised the issue with them every time this happens, and they seem to have gotten closer to having the same identity on all build machines, but apparently not entirely so.
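
An added example, not part of the thread and not AutoPkg's own code: one way to loosen the `expected_authority_names` check without falling back to prefix or substring matching is to compare the parsed chain against an explicit set of complete chains. `ALLOWED_CHAINS`, `parse_chain` and `chain_is_allowed` are hypothetical names, and the sample lines are the DE-DE output quoted in the first comment.

```python
import re

# Chain lines from the DE-DE run quoted in the first comment of this issue,
# with the "CodeSignatureVerifier: " log prefix and separator rows stripped.
SAMPLE_DE = """\
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation
       SHA1 fingerprint: AE D0 A7 C5 31 01 2B 70 D7 FB 49 5A 23 30 3A 67 05 36 5A 11
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
"""

CA_TAIL = ("Developer ID Certification Authority", "Apple Root CA")
# Hypothetical allowlist: both leaf names seen in this issue, each as a full chain.
ALLOWED_CHAINS = {
    ("Developer ID Installer: Microsoft Corporation (UBF8T346G9)",) + CA_TAIL,
    ("Developer ID Installer: Microsoft Corporation",) + CA_TAIL,
}

NAME_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")
FPR_RE = re.compile(r"^\s*SHA1 fingerprint:\s*((?:[0-9A-F]{2} ?){20})\s*$")


def parse_chain(output):
    """Return [(authority_name, sha1_hex), ...] in leaf-to-root order."""
    chain = []
    for line in output.splitlines():
        name = NAME_RE.match(line)
        fpr = FPR_RE.match(line)
        if name:
            chain.append([name.group(1), None])
        elif fpr and chain:
            chain[-1][1] = fpr.group(1).replace(" ", "").lower()
    return [tuple(entry) for entry in chain]


def chain_is_allowed(chain, allowed=ALLOWED_CHAINS):
    """Exact, whole-chain match against the allowlist; no prefix matching."""
    return tuple(name for name, _ in chain) in allowed


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_DE)
    print(chain_is_allowed(chain), chain[0])
```

Keeping the parsed fingerprints next to the names lets a recipe maintainer log which signing identity a given download used when the leaf certificate changes between builds.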
