Hi all,

A customer of mine tried my SignerSignEx sample in How to sign EXE files with an Authenticode certificate (part 2), and it worked just fine when signing EXEs, DLLs, OCXs, CABs... but not when signing certain MSI files. When signing those types of files, he got error 0x800b0003 / -2146762749 / TRUST_E_SUBJECT_FORM_UNKNOWN / "The form specified for the subject is not one supported or known by the specified trust provider".

Check this piece of code from my sample:

// Prepare SIGNER_FILE_INFO struct
signerFileInfo.cbSize = sizeof(SIGNER_FILE_INFO);
signerFileInfo.pwszFileName = pwszFileName;
signerFileInfo.hFile = hFile; 

When we provide a valid file handle to the API, SignerSignEx ignores the file name passed to pwszFileName and uses the handle passed to hFile.

SIGNER_FILE_INFO Structure:

"hFile: An open handle to the file specified by the pwszFileName member. If this member contains a valid handle, this handle is used to access the file. This member can be set to NULL."

The API then uses the handle to find out, among other things, the type of file it's dealing with. PE files (EXE, DLL, OCX...), CABs and catalog/CTL files are checked in a very specific way; all other files, including MSIs, are checked differently. For the problematic MSIs, I've seen that the API is simply unable to determine their type, and it returns the error we saw above.

If we forget about the file handle (and get rid of the CreateFile call that I used in my sample to get the handle) and just pass the file name to the API, it should be able to sign all types of files, including the problematic MSIs:

// Prepare SIGNER_FILE_INFO struct
signerFileInfo.cbSize = sizeof(SIGNER_FILE_INFO);
signerFileInfo.pwszFileName = pwszFileName;
signerFileInfo.hFile = NULL; 

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)