Signature checking in Wine

Richie Hindle rjh at cyberscience.com
Fri Jul 25 03:45:18 CDT 2008


[Juan]
> 2.  Wine doesn't actually verify that the signature in the file
> matches the file being checked.  Any valid certificate could be put
> into a file, and Wine would accept it.
> 
> I don't consider this a serious security flaw

I assume you don't ship signed software.  If you did, you might see things
differently.  Unless I've misunderstood, you've made this possible:

1. I release my software with my digital signature attached

2. A malware author downloads my software, extracts my certificate, and
   applies it to his malware

3. His software infects a user's machine and damages it.  The user
   discovers the infection, looks at the signature, **Wine says that the
   certificate is valid**, and the user blames me.

Please, either tell me I'm wrong, or make Wine honest about what it's
telling the user.

-- 
Richie Hindle (rjh at cyberscience.com)
Senior Software Engineer, Cyberscience Corporation
http://www.cyberscience.com/
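
The distinction the message draws, between a valid certificate and a signature that matches the file being checked, shown as an added example that is not part of the original message and is not Wine's code. `SignatureBlock`, `signer_is_valid` and `file_is_signed` are hypothetical names, and unpadded textbook RSA with a constructed key stands in for a real certificate-based signature check.

```python
import hashlib
import hmac
from typing import NamedTuple

# Constructed demo key: textbook RSA over two Mersenne primes, no padding.
# It stands in for the publisher's certificate key; not for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the publisher


class SignatureBlock(NamedTuple):
    """Hypothetical stand-in for the signature data embedded in a file."""
    signed_digest: bytes  # digest of the content the publisher signed
    signature: int        # publisher's signature over signed_digest


def sign(content: bytes) -> SignatureBlock:
    digest = hashlib.sha256(content).digest()
    return SignatureBlock(digest, pow(int.from_bytes(digest, "big"), D, N))


def signer_is_valid(block: SignatureBlock) -> bool:
    """Only checks that the block was produced by the publisher's key."""
    expected = int.from_bytes(block.signed_digest, "big")
    return pow(block.signature, E, N) == expected


def file_is_signed(content: bytes, block: SignatureBlock) -> bool:
    """Also requires the signed digest to match the file being checked."""
    actual = hashlib.sha256(content).digest()
    return signer_is_valid(block) and hmac.compare_digest(actual, block.signed_digest)


def demo() -> dict:
    original = b"constructed sample: publisher's installer bytes"
    other = b"constructed sample: unrelated program bytes"
    block = sign(original)
    return {
        "signer_only_original": signer_is_valid(block),
        "signer_only_other": signer_is_valid(block),  # same answer: file never read
        "bound_original": file_is_signed(original, block),
        "bound_other": file_is_signed(other, block),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The signer-only check never reads the file, so its answer cannot depend on which file carries the block; only the bound check can tell the two files apart.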
