]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
sbsign: write unaligned signature size into WIN_CERTIFICATE header
authorVsevolod Kozlov <zaba@mm.st>
Mon, 6 Jul 2026 10:40:53 +0000 (13:40 +0300)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 7 Jul 2026 16:45:14 +0000 (18:45 +0200)
The inclusion of padding bytes in the signature size can lead to the signature
being rejected by strict PKCS7 parsers. Meanwhile, according to [1], the parser
of the WIN_CERTIFICATE structure is expected to round up the value of dwLength
to an 8-byte multiple. This also matches the behaviour of the sbsign tool from
sbsigntools.

Fixes #42884

[1] https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only

Signed-off-by: Vsevolod Kozlov <zaba@mm.st>
src/sbsign/sbsign.c

index 5408ffc61526e38583d08c072f06a1610a9a22b5..e7a519404c8a8308b4584c699b45a9cae1d3cdb2 100644 (file)
@@ -633,7 +633,7 @@ static int verb_sign(int argc, char *argv[], uintptr_t _data, void *userdata) {
                    &(WIN_CERTIFICATE_HEADER) {
                            .wRevision = htole16(0x200),
                            .wCertificateType = htole16(0x0002), /* PKCS7 signedData */
-                           .dwLength = htole32(ROUND_UP(certsz, 8)),
+                           .dwLength = htole32(certsz),
                    },
                    sizeof(WIN_CERTIFICATE_HEADER),
                    end);