02-28-2016, 03:35 AM   #1
Andrew S.
Junior Member

BUG - Calibre 2.52.0 (and some earlier) installers fail digital signature check

I downloaded the .msi installer file for Calibre 2.52.0 for win32 (running Vista).

This file from the primary download link contains a digital signature (as all proper software should these days), but the signature does not validate.

I tried downloading the same .msi from the alternate download links, and these also have invalid digital signatures. However, each of these three alternatives gives the same message digest hash when I manually compute one, so they are each confirmed to be the same file.

The file offered on fosshub came in a list which offered a link to see the file's hash, but no hash value was ever actually presented for any of the calibre files there (also there is the related problem of whether such a hash, if it was presented, was just the hash of the file as ingested into fosshub's system, or the intended official hash value of the software as officially published).

In this new era of ever-clever malware and ransomware, users need to be especially careful about the software they download to run on their computers. Ensuring you've received an unmodified and valid copy as the publisher intended, through the use of officially posted hash values and/or platform-specific digital signatures is one good way of accomplishing this.

I imagine the software packaged in the 2.52.0.msi file for win32 systems is probably okay; otherwise I'm sure there would be other reports here and elsewhere about it. Just the same, I request/require either a valid signed installer or an officially published hash value for comparison before I will agree to make use of this version.

For comparison, the last time I updated was back at 2.40.0, and my archive of the .msi file for that version contains a proper and validated digital signature.

I tried downloading older versions and stopped after 2.48.0.msi. All of these had invalid digital signatures. I haven't checked any further back.

Please forward this or direct me to the most appropriate place to lodge this notice, if a better one than here exists. Thanks!

02-28-2016, 04:14 AM   #2
BetterRed
null operator (he/him)

@Andrew S. - If you had done a search you could have saved yourself some time ==>> Calibre 2.48.0 and 2.49.0 "unsafe"

BR

02-28-2016, 05:00 AM   #3
Andrew S.
Junior Member

@BetterRed Thanks for that link. I had done some searches, but none surfaced that thread. I tried permutations including keywords which appeared in the body of that thread... oh well.

So the issue is SHA256 and some platforms' lack of support, e.g. Vista. Fair enough.

What mechanisms are used to assure the validity of the distributed software on other platforms?

Officially published hashes or detached signatures (e.g. gnupg) would provide a multiplatform means of validating untampered distributions.

I'm no expert in code signing for Windows; perhaps it's impossible or too inconvenient to sign both SHA1 and SHA256. Nevertheless, I think it's important that all supported platforms are afforded /some/ means to validate their download. I believe the issue is important enough that failing this, one should go so far as to consider such platforms as something like "working--but not officially supported (see reasons *)" at that point.

02-28-2016, 05:05 AM   #4
kovidgoyal
creator of calibre

There is only one platform where signature validation fails -- Vista. And if you care about it, you should be bugging Microsoft to add support for validating sha256 to Vista. IIRC there is already an unofficial patch that does it. If you can't get Microsoft to listen, and you want to validate the signature, then feel free to install that patch.

02-28-2016, 05:25 AM   #5
chaley
Grand Sorcerer

See "You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2" for Microsoft-supplied patches.

02-28-2016, 10:40 AM   #6
eschwartz
Ex-Helpdesk Junkie

Quote:
Originally Posted by Andrew S.
@BetterRed Thanks for that link. I had done some searches, but none surfaced that thread. I tried permutations including keywords which appeared in the body of that thread... oh well.

So the issue is SHA256 and some platforms' lack of support, e.g. Vista. Fair enough.

What mechanisms are used to assure the validity of the distributed software on other platforms?

Officially published hashes or detached signatures (e.g. gnupg) would provide a multiplatform means of validating untampered distributions.

The downloads are served over HTTPS directly from the calibre website.

Windows validation works fine on post-Vista OSes, as said above.
Apple has their standard code-signing thing.
And on Linux, the hashes for the binary tarball are downloaded (also over HTTPS, since forever via an embedded private cacert) with the tarball and checked before the installation.

Alternatively, you can always build from source on Linux (or rely on your distro's out-of-date version).
The git tags are signed by @Kovid's GPG key.
(Hmm, I wouldn't mind if the release tarballs were also signed -- always a good thing and even more so before the relatively recent HTTPS downloads courtesy of LetsEncrypt.)

02-28-2016, 11:06 AM   #7
kovidgoyal
creator of calibre

Quote:
Originally Posted by eschwartz
(Hmm, I wouldn't mind if the release tarballs were also signed -- always a good thing and even more so before the relatively recent HTTPS downloads courtesy of LetsEncrypt.)

The reason I don't sign tarballs is because there is no way to embed the signature in the tarball and have it be verified seamlessly (that I know of).

That means only the very paranoid will ever end up downloading the separate signature, and verifying it. Given that the vast majority of Linux users should be using the binary installers, which are already verified via a securely downloaded sha512 hash, and the git sources are already signed, that means that signing source tarballs is effort for relatively little gain.
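
Added example (not part of the thread, and not calibre's installer code): a Python illustration of the check described in the two posts above, verifying a download against a publisher-posted SHA-512 listing before it is used. It also covers the first post's comparison of mirror copies, which establishes only that the mirrors agree with each other. The file name, the sha512sum-style listing format and the payload bytes are constructed for the illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha512", chunk=1 << 20):
    """Hash the file in chunks so a large installer never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_published(text, filename):
    """Look up filename in a sha512sum-style listing: '<hex>  <name>' per line."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    raise KeyError(f"no published hash for {filename}")

def verify_download(path, published_text, algo="sha512"):
    """True only when the file matches the value the publisher posted."""
    expected = parse_published(published_text, os.path.basename(path))
    if len(expected) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"published value is not a {algo} digest")
    return file_digest(path, algo) == expected

def mirrors_agree(paths, algo="sha512"):
    """Identical digests across mirrors show consistency, not authenticity."""
    return len({file_digest(p, algo) for p in paths}) == 1

def demo():
    """Constructed sample: three mirrors all serve the same altered file."""
    name = "example-installer.txz"           # hypothetical file name
    original = b"constructed payload, not a real installer"
    listing = f"{hashlib.sha512(original).hexdigest()}  {name}\n"
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for i in range(3):
            os.mkdir(os.path.join(d, f"mirror{i}"))
            paths.append(os.path.join(d, f"mirror{i}", name))
            with open(paths[-1], "wb") as f:
                f.write(original + b"\x00")   # one extra byte on every mirror
        clean = os.path.join(d, name)
        with open(clean, "wb") as f:
            f.write(original)
        return {"mirrors_agree": mirrors_agree(paths),
                "altered_verifies": verify_download(paths[0], listing),
                "clean_verifies": verify_download(clean, listing)}
```

Calling `demo()` shows three mirror copies agreeing with each other while failing verification against the published value. The expected hash has to come from the publisher over a channel the download mirror does not control.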

02-28-2016, 11:29 AM   #8
eschwartz
Ex-Helpdesk Junkie

It mostly won't help, that's why I said it would be a nice-to-have as opposed to a big deal. (That being said, it shouldn't be a lot of work either, so hey, if you find the time I won't complain.)

And I'm sure the distros are happy enough that the source tarballs are now available over HTTPS. It's not as though there isn't a lot of other software that doesn't come with GPG signing either...

02-29-2016, 05:01 AM   #9
kovidgoyal
creator of calibre

Oh and note that fosshub, which is one of the mirrors that hosts the calibre downloads, also has file hashes: http://www.fosshub.com/Calibre.html