Signature checking in Wine

Richie Hindle rjh at
Fri Jul 25 03:45:18 CDT 2008

> 2.  Wine doesn't actually verify that the signature in the file
> matches the file being checked.  Any valid certificate could be put
> into a file, and Wine would accept it.
> I don't consider this a serious security flaw

I assume you don't ship signed software.  If you did, you might see things
differently.  Unless I've misunderstood, you've made this possible:

1. I release my software with my digital signature attached

2. A malware author downloads my software, extracts my certificate, and
   applies it to his malware

3. His software infects a user's machine and damages it.  The user
   discovers the infection, looks at the signature, **Wine says that the
   certificate is valid**, and the user blames me.

Please, either tell me I'm wrong, or make Wine honest about what it's
telling the user.

Richie Hindle (rjh at
Senior Software Engineer, Cyberscience Corporation
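
The gap described in the message above, as an added example that is not part of the original post and is not Wine's code: a simplified model in which a signature blob names a signer and carries an RSA signature over the file's SHA-256 digest, checked once by signer trust alone and once with the digest comparison. The toy RSA key, the `TRUSTED_KEYS` store and all function names are assumptions made for illustration; real Authenticode signatures are PKCS#7 structures and are not parsed here.

```python
import hashlib

# Toy RSA key for the constructed publisher (two Mersenne primes; NOT secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
TRUSTED_KEYS = {"Example Publisher": (N, E)}   # constructed trust store


def digest_int(data: bytes) -> int:
    """SHA-256 of the file contents, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, signer: str = "Example Publisher") -> dict:
    """Publisher side: sign the digest of the file and attach the result."""
    return {"signer": signer, "sig": pow(digest_int(data), D, N)}


def certificate_only_check(data: bytes, blob: dict) -> bool:
    """Behaviour described in the quoted text: the signer is trusted, but the
    file contents (`data`) are never compared with what was signed."""
    return blob["signer"] in TRUSTED_KEYS


def full_check(data: bytes, blob: dict) -> bool:
    """Trusted signer AND the signed digest equals the digest of this file."""
    key = TRUSTED_KEYS.get(blob["signer"])
    if key is None:
        return False
    n, e = key
    return pow(blob["sig"], e, n) == digest_int(data)


def demo() -> dict:
    original = b"constructed bytes of the publisher's installer"
    other = b"constructed bytes of an unrelated file"
    blob = sign(original)          # signature issued for `original` only
    return {
        "original/cert-only": certificate_only_check(original, blob),
        "original/full": full_check(original, blob),
        "other/cert-only": certificate_only_check(other, blob),   # accepted
        "other/full": full_check(other, blob),                    # rejected
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20} accepted={accepted}")
```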


More information about the wine-devel mailing list