Opened 6 years ago
Last modified 4 years ago
#17524 new enhancement
Various VBox binaries use a SHA1-timestamped SHA2 signature
Reported by: | Diggie_OC | Owned by: | |
---|---|---|---|
Component: | other | Version: | VirtualBox 5.2.6 |
Keywords: | digital signing signature certificate timestamp | Cc: | |
Guest type: | other | Host type: | other |
Description
When an app set a stronger SHA1 deprecation policy on my Windows 10 system than Microsoft currently sets themselves, I found myself unable to start any VM, nor able to re-install VirtualBox.
I tracked the issue down to a flag that deprecates SHA1 timestamp signatures. What I found is that when VirtualBox is being signed by the Oracle certs, when it comes to applying the SHA256 digest with the SHA256 certificate, that signature is being timestamped by the SHA1 Symantec timestamp server. This means that in future, if Microsoft were to roll out a more comprehensive SHA1 deprecation, VirtualBox would break.
Symantec provides a SHA256 timestamping resource that should be used to timestamp SHA256 signatures:
http://sha256timestamp.ws.symantec.com/sha256/timestamp
I'm not sure what tool VBox uses to sign with, but if it happens to be Microsoft's SignTool, you would want to use "/tr" instead of "/t", and add "/td SHA256".
I detailed the issue on the forum here: https://forums.virtualbox.org/viewtopic.php?f=6&t=86574
To reproduce, first record your current deprecation flags (from elevated CMD prompt):
certutil -getreg chain\Default\WeakSha1ThirdPartyFlags
Next set flags that include CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG:
certutil -setreg chain\Default\WeakSha1ThirdPartyFlags 0x84400000
Now try to start a VM or install VirtualBox. Both will fail because (at minimum) VBoxDrv.sys has a SHA256 signature with a SHA1 timestamp.
Finally, restore your original deprecation policy. For most up-to-date systems, this should be as follows:
certutil -setreg chain\Default\WeakSha1ThirdPartyFlags 80040000
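Added example, written for this page and not taken from the ticket or from VirtualBox's own build tooling: a PowerShell script that inventories the Authenticode signatures of every binary under a directory and reports, for each signature, the file-digest algorithm and the digest algorithm of its timestamp, including signatures nested inside dual-signed files. It is the check an administrator would run before setting CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG, to find files with the SHA256-signature/SHA1-timestamp combination described above rather than discovering them when a VM refuses to start. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the System.Security assembly available; $VBoxDir is a placeholder path, and the two OIDs are Microsoft's standard szOID_NESTED_SIGNATURE and szOID_RFC3161_counterSign values.

```powershell
# Added example, not part of the ticket or of VirtualBox.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -AssemblyName System.Security

$OidNestedSignature  = '1.3.6.1.4.1.311.2.4.1'   # szOID_NESTED_SIGNATURE: extra signatures on dual-signed files
$OidRfc3161TimeStamp = '1.3.6.1.4.1.311.3.3.1'   # szOID_RFC3161_counterSign: what signtool /tr produces

function Get-PeSecurityBlob {
    # Return the raw PKCS#7 SignedData from the PE Security data directory, or $null if unsigned.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)              # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOff) -ne 0x4550) { throw "Not a PE file: $Path" }
    $optOff  = $peOff + 24                                       # optional header follows the 20-byte file header
    $magic   = [BitConverter]::ToUInt16($bytes, $optOff)
    $dirBase = if ($magic -eq 0x20B) { 112 } else { 96 }         # data directories: PE32+ vs PE32
    $secDir  = $optOff + $dirBase + 4 * 8                        # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4
    $certOff = [BitConverter]::ToUInt32($bytes, $secDir)         # a raw file offset, not an RVA
    $certLen = [BitConverter]::ToUInt32($bytes, $secDir + 4)
    if ($certOff -eq 0 -or $certLen -eq 0) { return $null }
    # WIN_CERTIFICATE header: dwLength(4) wRevision(2) wCertificateType(2), then bCertificate
    $len  = [int][BitConverter]::ToUInt32($bytes, [int]$certOff)
    $blob = New-Object byte[] ($len - 8)
    [Array]::Copy($bytes, [int]$certOff + 8, $blob, 0, $len - 8)
    return ,$blob                                                # keep the byte[] from being unrolled
}

function Get-TimestampInfo {
    # Report how a SignerInfo is timestamped and which digest the timestamp signature uses.
    param([System.Security.Cryptography.Pkcs.SignerInfo]$Signer)
    foreach ($attr in $Signer.UnsignedAttributes) {
        if ($attr.Oid.Value -eq $OidRfc3161TimeStamp) {
            # RFC 3161 token: a nested SignedData over TSTInfo; its signer digest is what /td selects
            $token = New-Object System.Security.Cryptography.Pkcs.SignedCms
            $token.Decode($attr.Values[0].RawData)
            return [pscustomobject]@{ Kind = 'RFC3161'; Digest = $token.SignerInfos[0].DigestAlgorithm.FriendlyName }
        }
    }
    if ($Signer.CounterSignerInfos.Count -gt 0) {
        # Legacy Authenticode countersignature (signtool /t); .NET decodes it for us
        return [pscustomobject]@{ Kind = 'Authenticode'; Digest = $Signer.CounterSignerInfos[0].DigestAlgorithm.FriendlyName }
    }
    return [pscustomobject]@{ Kind = 'none'; Digest = $null }
}

function Get-SignatureReport {
    # Walk a SignedData blob and every signature nested inside it (dual-signed binaries).
    param([byte[]]$Blob, [string]$File)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Blob)
    foreach ($si in $cms.SignerInfos) {
        $ts = Get-TimestampInfo $si
        [pscustomobject]@{
            File            = $File
            Signer          = $si.Certificate.Subject
            FileDigest      = $si.DigestAlgorithm.FriendlyName
            TimestampKind   = $ts.Kind
            TimestampDigest = $ts.Digest
            # The mismatch the ticket describes: a SHA-2 signature whose timestamp is SHA-1
            AtRisk          = ($si.DigestAlgorithm.FriendlyName -ne 'sha1') -and ($ts.Digest -eq 'sha1')
        }
        foreach ($attr in $si.UnsignedAttributes) {
            if ($attr.Oid.Value -eq $OidNestedSignature) {
                foreach ($v in $attr.Values) { Get-SignatureReport -Blob $v.RawData -File $File }
            }
        }
    }
}

# Placeholder path: point this at the VirtualBox install directory on the host being checked.
$VBoxDir = 'C:\path\to\VirtualBox'
Get-ChildItem -Path $VBoxDir -Recurse -Include *.exe, *.dll, *.sys | ForEach-Object {
    $blob = Get-PeSecurityBlob $_.FullName
    if ($blob) { Get-SignatureReport -Blob $blob -File $_.Name }
} | Format-Table -AutoSize
```

Rows with AtRisk set to True are the ones that stop validating once the weak-timestamp flag is enabled; the fix on the signing side is the one the ticket already names, an RFC 3161 request (signtool /tr) with a SHA256 timestamp digest (/td SHA256), which this script then reports as TimestampKind RFC3161 and TimestampDigest sha256.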
Change History (3)
comment:2 by , 6 years ago
Related discussion in the forums: https://forums.virtualbox.org/viewtopic.php?f=6&t=86574
comment:3 by , 4 years ago
Any reason why this can't be applied given low complexity from the sounds of things?
Slight c/p error. To get your current flags, please use:
To restore modern defaults (as shipping from MS at time of writing),