[mpeg-OTspec] Re: factual error in the DSIG description in the OT spec.

Cosimo Lupo cosimo.lupo at daltonmaag.com
Wed Apr 20 12:13:41 CEST 2016


Martin,

Here is the algorithm that Microsoft's signcode.exe and chktrust.exe use to
produce the digest to be signed/verified. The code snippet is just to
exemplify the hashing algorithm, but it's basically the same we (DaltonMaag)
use for our internal signing tool:

https://gist.github.com/anthrotype/5687a131e08c43dc3d7d

Like Hin-Tak already said, the OT spec suggests that one should "Zero out
the file checksum in the head table", but that is factually not true. Or at
least, that is not what the only publicly available implementation from MS
does.

We still sign fonts at DaMa, mainly because we can (unlike small foundries,
we can afford a code-signing certificate).
Sometimes it's good to be able to know/ascertain whether a font truly comes
from us, and us only.

Cheers,

--

Cosimo Lupo
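Added example, not code from the gist above and not DaltonMaag's or Microsoft's signing tool: a small sfnt container is constructed inline (a 'head' table, an empty 'DSIG' header and a dummy 'name' table), head.checkSumAdjustment is computed the way the OpenType spec defines it, and the file is then digested twice, once with that field zeroed (the step the OT spec text describes) and once with the bytes left as-is. The two digests differ, which is why it matters that, as the message reports, the Microsoft tools do not perform the zeroing step: a verifier that follows the spec text literally would compute a different digest from the one signcode.exe signed. SHA-256 is used only to compare byte coverage; the real digest algorithm is whatever the PKCS#7 signature declares, and the example does not model where the signature block itself sits in the DSIG table.

```python
"""Added example: sfnt table directory, head.checkSumAdjustment, and the effect
of zeroing that field before digesting the font file. Sample font is constructed
here and is not a usable font."""
import hashlib
import struct

SFNT_HEADER = struct.Struct(">IHHHH")    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checkSum, offset, length
HEAD_CSA_OFFSET = 8                      # checkSumAdjustment follows version (4) and fontRevision (4)
CHECKSUM_MAGIC = 0xB1B0AFBA              # whole-file checksum target defined by the spec


def table_checksum(data: bytes) -> int:
    """OpenType checksum: sum of big-endian uint32 words, zero-padded to 4 bytes, mod 2**32."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_font(tables: dict) -> bytes:
    """Assemble an sfnt from {tag: bytes}: directory sorted by tag, tables 4-byte aligned."""
    tags = sorted(tables)
    num = len(tags)
    entry_selector = max(num.bit_length() - 1, 0)   # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = SFNT_HEADER.pack(0x00010000, num, search_range, entry_selector, num * 16 - search_range)
    offset = SFNT_HEADER.size + TABLE_RECORD.size * num
    records, body = [], b""
    for tag in tags:
        data = tables[tag]
        records.append(TABLE_RECORD.pack(tag.encode("ascii"), table_checksum(data), offset + len(body), len(data)))
        body += data + b"\0" * (-len(data) % 4)
    return header + b"".join(records) + body


def parse_directory(font: bytes) -> dict:
    """Return {tag: (checkSum, offset, length)} from the table directory."""
    _, num, *_ = SFNT_HEADER.unpack_from(font, 0)
    out = {}
    for i in range(num):
        tag, cs, off, ln = TABLE_RECORD.unpack_from(font, SFNT_HEADER.size + i * TABLE_RECORD.size)
        out[tag.decode("ascii")] = (cs, off, ln)
    return out


def zero_head_checksum_adjustment(font: bytes) -> bytes:
    """Return a copy of the font with head.checkSumAdjustment set to 0."""
    pos = parse_directory(font)["head"][1] + HEAD_CSA_OFFSET
    return font[:pos] + b"\0\0\0\0" + font[pos + 4:]


def set_head_checksum_adjustment(font: bytes) -> bytes:
    """head.checkSumAdjustment = 0xB1B0AFBA - checksum(whole file with the field zeroed)."""
    zeroed = zero_head_checksum_adjustment(font)
    pos = parse_directory(font)["head"][1] + HEAD_CSA_OFFSET
    adj = (CHECKSUM_MAGIC - table_checksum(zeroed)) & 0xFFFFFFFF
    return zeroed[:pos] + struct.pack(">I", adj) + zeroed[pos + 4:]


def checksum_adjustment_is_valid(font: bytes) -> bool:
    """With the adjustment in place the whole-file checksum must come out to the magic value."""
    return table_checksum(font) == CHECKSUM_MAGIC


def file_digest(font: bytes, zero_head_checksum: bool) -> str:
    """Digest of the file bytes, optionally after zeroing head.checkSumAdjustment
    (the step the OT spec text describes). SHA-256 here stands in for whatever the
    PKCS#7 signature actually declares."""
    if zero_head_checksum:
        font = zero_head_checksum_adjustment(font)
    return hashlib.sha256(font).hexdigest()


def sample_font() -> bytes:
    """Constructed sample: a 54-byte 'head' (checkSumAdjustment 0 so the directory checksum
    is computed as the spec requires), an empty DSIG header (version 1, 0 signatures), a dummy 'name'."""
    head = struct.pack(">IIIIHHqqhhhhHHhhh",
                       0x00010000, 0x00010000, 0, 0x5F0F3CF5, 0, 1000,
                       0, 0, 0, 0, 1000, 1000, 0, 8, 2, 0, 0)
    dsig = struct.pack(">IHH", 1, 0, 0)
    return set_head_checksum_adjustment(build_font({"head": head, "DSIG": dsig, "name": b"constructed"}))


if __name__ == "__main__":
    font = sample_font()
    for tag, (cs, off, ln) in parse_directory(font).items():
        print("%s checksum=%08x offset=%d length=%d" % (tag, cs, off, ln))
    print("checkSumAdjustment valid:", checksum_adjustment_is_valid(font))
    print("digest, head checksum zeroed:", file_digest(font, True))
    print("digest, bytes as-is:         ", file_digest(font, False))
```

Run it against a real font by replacing sample_font() with open(path, "rb").read(); the two digests will differ for any font whose checkSumAdjustment is non-zero, so a signer and verifier have to agree on which variant they use, independent of what the spec text says.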