Signature checking in Wine

Juan Lang juan.lang at gmail.com
Thu Jul 24 12:08:26 CDT 2008


Folks, now that there's a bit more code in Wine that "verifies" file
signatures, I wanted to make sure everyone understands its current
limitations.

1.  It's only implemented for PE files and .cab files.  Windows
supports more formats, of course, notably MSI files (see bug 11759,
http://bugs.winehq.org/show_bug.cgi?id=11759 )

2.  Wine doesn't actually verify that the signature in the file
matches the file being checked.  Any valid certificate could be put
into a file, and Wine would accept it.

I don't consider this a serious security flaw, because I think the
concept of a signature validating anything useful about a binary is
flawed.  Hence I'm not terribly motivated to fix it.

Flame away,
--Juan



More information about the wine-devel mailing list