<div dir="ltr">Hi,<div><br></div><div>The issue of the DSIG specification being not in agreement with the only publicly available implementation of it, recently came up on another thread:</div><div><br></div><div><a href="https://github.com/HinTak/Font-Validator/issues/23#issuecomment-268850752">https://github.com/HinTak/Font-Validator/issues/23#issuecomment-268850752</a><br></div><div><br></div><div>Now, I wonder. Could the spec owners make an effort and take a decision as to whether:</div><div><br></div><div>a) update the spec to match the implementation (i.e. remove the line "<span style="font-family:georgia;font-size:13px">Zero out the file checksum in the head table.", as it is <b>not</b> actually performed by signcode.exe + mssipotf.dll, as I and Hin-Tak have repeatedly explained);</span></div><div><span style="font-family:georgia;font-size:13px"><br></span></div><div><span style="font-family:georgia;font-size:13px">b) deprecate the DSIG table once for all, as it no longer serves any purpose besides signalling to Microsoft apps that the a *.ttf file is an OpenType TTF and not just a plain TrueType font?</span></div><div><span style="font-family:georgia;font-size:13px"><br></span></div><div>Thank you,</div><div><br></div><div>Cosimo Lupo</div><div class="gmail_extra"><br><div class="gmail_quote">On 20 November 2016 at 20:27, Hin-Tak Leung <a href="mailto:htl10@users.sourceforge.net">htl10@users.sourceforge.net</a> [mpeg-OTspec] <span dir="ltr"><<a href="mailto:mpeg-OTspec-noreply@yahoogroups.com" target="_blank">mpeg-OTspec-noreply@yahoogroups.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div style="background-color:#fff">
<span style="display:none"> </span>
<div id="m_-7109818172470533620ygrp-mlmsg">
<div id="m_-7109818172470533620ygrp-msg">
<div id="m_-7109818172470533620ygrp-text">
<p>Hi Ali,<br>
<br>
No. Referring to this section in from <a href="http://www.microsoft.com/typography/otspec/dsig.htm" target="_blank">http://www.microsoft.com/<wbr>typography/otspec/dsig.htm</a> .<br>
The anomaly is that the microsoft signing code (nor the verifying code in verifying) does not perform<br>
step 1.4 - " Zero out the file checksum in the head table. ".<br>
<br>
Format 1: For whole fonts, with either TrueType outlines and/or CFF data<br>
<br>
PKCS#7 or PKCS#9. The signed content digest is created as follows:<br>
1. If there is an existing DSIG table in the font,<br>
1. Remove DSIG table from font.<br>
2. Remove DSIG table entry from sfnt Table Directory.<br>
3. Adjust table offsets as necessary.<br>
4. Zero out the file checksum in the head table.<br>
5. Add the usFlag (reserved, set at 1 for now) to the stream of bytes<br>
<br>
I am asking that somebody at Microsoft who has access to the source code of mssipotf.dll (which AFAIK contains Microsoft's implementation of both font signing and verifying), and sufficient programming/technical know-how, to confirm that step 1.4 is not performed. If a Microsoft folk can confirm this, I propose that the OpenType spec to adjust to match, since for a long time the Microsoft implementation is the major one one uses, if not the only one. <br>
<br>
Hin-Tak<br>
<br>
------------------------------<wbr>--------------<br>
On Thu, 22/9/16, Basit Ali <<a href="mailto:alib@microsoft.com" target="_blank">alib@microsoft.com</a>> wrote:<br>
<br>
Hi Hin-Tak, <br>
<br>
Sorry for not getting back to<br>
you. The anomaly you are talking about is that in practice<br>
we have a v2 header even though the version stated is 1?<br>
<br>
Ali<br></p></div></div></div></div></blockquote></div>
</div></div>