Signature checking in Wine
Richie Hindle
rjh at cyberscience.com
Fri Jul 25 03:45:18 CDT 2008
[Juan]
> 2. Wine doesn't actually verify that the signature in the file
> matches the file being checked. Any valid certificate could be put
> into a file, and Wine would accept it.
>
> I don't consider this a serious security flaw

I assume you don't ship signed software. If you did, you might see things
differently. Unless I've misunderstood, you've made this possible:

1. I release my software with my digital signature attached
2. A malware author downloads my software, extracts my certificate, and
   applies it to his malware
3. His software infects a user's machine and damages it. The user
   discovers the infection, looks at the signature, **Wine says that the
   certificate is valid**, and the user blames me.

Please, either tell me I'm wrong, or make Wine honest about what it's
telling the user.
--
Richie Hindle (rjh at cyberscience.com)
Senior Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
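
The gap discussed in this message, between checking that a signature block is genuine and checking that it belongs to the file carrying it, as an added example that is not part of the original message and is not Wine's code. An HMAC under a constructed key stands in for the publisher's certificate-based signature, the signature is modelled as detached from the file, and every name and byte string below is constructed.

```python
import hashlib
import hmac

# Assumption: this constructed key plays the role of the publisher's signing
# key and certificate chain; a real verifier would validate a PKCS#7 blob.
PUBLISHER_KEY = b"constructed-demo-key"


def _tag(digest_hex: str) -> str:
    return hmac.new(PUBLISHER_KEY, digest_hex.encode(), hashlib.sha256).hexdigest()


def sign_file(content: bytes) -> dict:
    """Publisher side: the signature covers the digest of the file content."""
    digest = hashlib.sha256(content).hexdigest()
    return {"signer": "Example Publisher", "digest": digest, "tag": _tag(digest)}


def block_is_authentic(sig: dict) -> bool:
    """True if the publisher produced this block. Says nothing about any file."""
    return hmac.compare_digest(_tag(sig["digest"]), sig["tag"])


def verify_block_only(content: bytes, sig: dict) -> bool:
    """Incomplete check: the file content is never examined."""
    return block_is_authentic(sig)


def verify_bound(content: bytes, sig: dict) -> bool:
    """Complete check: block is authentic AND its signed digest matches this file."""
    if not block_is_authentic(sig):
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, sig["digest"])


def demo() -> dict:
    original = b"constructed bytes of the publisher's installer"
    other = b"constructed bytes of an unrelated program"
    sig = sign_file(original)  # the same block is then presented with both files
    return {
        "original, block-only": verify_block_only(original, sig),
        "original, bound": verify_bound(original, sig),
        "other, block-only": verify_block_only(other, sig),
        "other, bound": verify_bound(other, sig),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'valid' if accepted else 'REJECTED'}")
```

Only the bound check rejects the fourth case, where a genuine signature block accompanies a file it was never computed over.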