[mpeg-OTspec] RE: that discrepancy between spec & implementation of DSIG hashing (RE: First draft of the ballot comments on the new amendment)

Cosimo Lupo cosimo.lupo at daltonmaag.com
Thu Dec 22 18:57:39 CET 2016


The issue of the DSIG specification not being in agreement with the only
publicly available implementation of it recently came up on another thread:


Now, I wonder. Could the spec owners make an effort and take a decision as
to whether:

a) update the spec to match the implementation (i.e. remove the line "Zero
out the file checksum in the head table.", as it is *not* actually
performed by signcode.exe + mssipotf.dll, as I and Hin-Tak have repeatedly

b) deprecate the DSIG table once and for all, as it no longer serves any
purpose besides signalling to Microsoft apps that a *.ttf file is an
OpenType TTF and not just a plain TrueType font?

Thank you,

Cosimo Lupo

On 20 November 2016 at 20:27, Hin-Tak Leung htl10 at users.sourceforge.net
[mpeg-OTspec] <mpeg-OTspec-noreply at yahoogroups.com> wrote:

> Hi Ali,
> No. Referring to this section from
> http://www.microsoft.com/typography/otspec/dsig.htm .
> The anomaly is that the Microsoft signing code (nor the verifying code in
> verifying) does not perform
> step 1.4 - "Zero out the file checksum in the head table.".
> Format 1: For whole fonts, with either TrueType outlines and/or CFF data
> PKCS#7 or PKCS#9. The signed content digest is created as follows:
> 1. If there is an existing DSIG table in the font,
>    1. Remove DSIG table from font.
>    2. Remove DSIG table entry from sfnt Table Directory.
>    3. Adjust table offsets as necessary.
>    4. Zero out the file checksum in the head table.
>    5. Add the usFlag (reserved, set at 1 for now) to the stream of bytes
> I am asking that somebody at Microsoft who has access to the source code
> of mssipotf.dll (which AFAIK contains Microsoft's implementation of both
> font signing and verifying), and sufficient programming/technical know-how,
> to confirm that step 1.4 is not performed. If a Microsoft folk can confirm
> this, I propose that the OpenType spec be adjusted to match, since for a long
> time the Microsoft implementation is the major one one uses, if not the
> only one.
> Hin-Tak
> --------------------------------------------
> On Thu, 22/9/16, Basit Ali <alib at microsoft.com> wrote:
> Hi Hin-Tak,
> Sorry for not getting back to you. The anomaly you are talking about is
> that in practice we have a v2 header even though the version stated is 1?
> Ali
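
The disagreement discussed in this thread, as an added example that is not part of the original messages and is not Microsoft's code: the Python below applies steps 1.1 to 1.3 of the quoted list to a constructed two-table font and produces the byte stream both with and without step 1.4, so a verifier author can see that the two readings cannot yield the same digest. Assumptions: all function names, the sample font, the re-layout choices (directory order kept, 4-byte padding, only numTables updated) and SHA-256 as a stand-in hash; step 5 is cut off in the quoted text and is left out.

```python
import hashlib
import struct

def assemble(header, tables):
    """Serialise an sfnt: 12-byte header, 16-byte records, 4-byte-padded tables."""
    version, search_range, entry_selector, range_shift = header
    out = bytearray(struct.pack(">IHHHH", version, len(tables),
                                search_range, entry_selector, range_shift))
    offset = 12 + 16 * len(tables)
    body = bytearray()
    for tag, checksum, data in tables:
        out += struct.pack(">4sIII", tag, checksum, offset, len(data))
        padded = bytes(data) + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return bytes(out + body)

def strip_dsig(font, zero_head_checksum):
    """Steps 1.1-1.3 of the quoted list, with step 1.4 switchable."""
    version, count, sr, es, rs = struct.unpack_from(">IHHHH", font, 0)
    kept = []
    for i in range(count):
        tag, checksum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if tag == b"DSIG":
            continue                      # 1.1 and 1.2: drop table and its entry
        data = bytearray(font[off:off + length])
        if tag == b"head" and zero_head_checksum:
            data[8:12] = bytes(4)         # 1.4: checkSumAdjustment is at head+8
        kept.append((tag, checksum, data))
    # 1.3: offsets are recomputed by re-serialising. Assumption: directory
    # order is kept and only numTables changes in the header.
    return assemble((version, sr, es, rs), kept)

def build_sample():
    """Constructed two-table font; directory checksums are dummy zeros."""
    head = bytearray(54)
    head[8:12] = struct.pack(">I", 0x12345678)   # constructed checkSumAdjustment
    dsig = struct.pack(">IHH", 1, 0, 1)           # version, numSignatures, flags
    return assemble((0x00010000, 32, 1, 0), [(b"DSIG", 0, dsig), (b"head", 0, head)])

def compare(font):
    """Return (digest with step 1.4, digest without it); SHA-256 is a stand-in."""
    with_step = hashlib.sha256(strip_dsig(font, True)).hexdigest()
    without_step = hashlib.sha256(strip_dsig(font, False)).hexdigest()
    return with_step, without_step

if __name__ == "__main__":
    spec, impl = compare(build_sample())
    print("step 1.4 applied:", spec)
    print("step 1.4 skipped:", impl)
```

The two streams differ only in the four checkSumAdjustment bytes, which is enough to make a signature produced under one reading fail verification under the other.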