some options warnings

osslsigncode.c

@@ -2763,10 +2763,18 @@ int main(int argc, char **argv) {
 	BIO_set_md(hash, md);
 
 	if (type == FILE_TYPE_CAB) {
+		if (pagehash == 1)
+			fprintf(stderr, "Warning: -ph option is only valid for PE files\n");
+#ifdef WITH_GSF
+		if (add_msi_dse == 1)
+			fprintf(stderr, "Warning: -add-msi-dse option is only valid for MSI files\n");
+#endif
+		if (nest == 1)
+			fprintf(stderr, "Error: -nest option is only valid for PE/MSI files\n");
 		if (filesize < 44)
 			DO_EXIT_1("Corrupt cab file - too short: %s\n", infile);
 		if (indata[0x1e] != 0x00 || indata[0x1f] != 0x00)
-			DO_EXIT_0("Cannot sign cab files with flag bits set!\n"); /* XXX */
+			DO_EXIT_0("Cannot sign CAB files with flag bits set!\n"); /* FLAG_RESERVE_PRESENT */
 	} else if (type == FILE_TYPE_PE) {
 		if (filesize < 64)
 			DO_EXIT_1("Corrupt DOS file - too short: %s\n", infile);
@@ -2776,6 +2784,11 @@ int main(int argc, char **argv) {
 		if (memcmp(indata+peheader, "PE\0\0", 4))
 			DO_EXIT_1("Unrecognized DOS file type: %s\n", infile);
 	} else if (type == FILE_TYPE_MSI) {
+		if (pagehash == 1)
+			fprintf(stderr, "Warning: -ph option is only valid for PE files\n");
+		if (jp >= 0)
+			fprintf(stderr, "Warning: -jp option is only valid for CAB files\n");
+
 #ifdef WITH_GSF
 		GsfInput *src;
 		GsfInfile *ole;
@@ -2944,8 +2957,13 @@ int main(int argc, char **argv) {
 		PUT_UINT32_LE(tmp, buf+4);
 		BIO_write(hash, buf+4, 4);
 
+        /*
+         * FLAG_RESERVE_PRESENT is set if this cabinet file contains any reserved fields.
+         * When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData fields are present in the CFHEADER.
+         * https://www.file-recovery.com/cab-signature-format.htm
+         */
 		memcpy(buf+4, indata+20, 14);
-		buf[4+10] = 0x04; /* RESERVE_PRESENT */
+		buf[4+10] = 0x04; /* FLAG_RESERVE_PRESENT */
 
 		BIO_write(hash, buf+4, 14);
 		BIO_write(outdata, indata+34, 2);
@@ -2972,7 +2990,10 @@ int main(int argc, char **argv) {
 
 		if (jp >= 0)
 			fprintf(stderr, "Warning: -jp option is only valid for CAB files\n");
-
+#ifdef WITH_GSF
+		if (add_msi_dse == 1)
+			fprintf(stderr, "Warning: -add-msi-dse option is only valid for MSI files\n");
+#endif
 		magic = GET_UINT16_LE(indata + peheader + 24);
 		if (magic == 0x20b) {
 			pe32plus = 1;

tests/recipes/09_sign_page_hashes

@@ -20,9 +20,9 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE files
+# Warning: -ph option is only valid for PE files
 
 # MSI file
-# Command is not supported for non-PE files
+# Warning: -ph option is only valid for PE files
 
 exit 0

tests/recipes/11_sign_nest

@@ -25,27 +25,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Error: Cannot sign cab files with flag bits set!
+# Error: -nest option is only valid for PE/MSI files
-# cfhead_Flags 0x1e is set here:
-# https://github.com/mtrojnar/osslsigncode/blob/0bea1ac8f6d61ed42dd154305a4d5b8c27478ad0/osslsigncode.c#L2936
-test_name="112. Signing a CAB file with the nest flag"
-printf "\n%s\n" "$test_name"
-if [ -s "test.ex_" ]
-  then
-    faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
-        script_path=$(pwd)
-        ../../osslsigncode sign -h sha256 \
-            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-            -in "test.ex_" -out "test_112_signed.ex_"
-        ../../osslsigncode sign -h sha512 \
-            -nest \
-            -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-            -in "test_112_signed.ex_" -out "test_112.ex_"'
-    verify_signature "$?" "112" "ex_" "UNUSED_PATTERN" "UNUSED_PATTERN" "ASCII" "SHA256" "SHA512"
-    test_result "$?" "$test_name"
-  else
-    printf "Test skipped\n"
-  fi
 
 # MSI file
 test_name="113. Signing a MSI file with the nest flag"

tests/recipes/31_extract_signature

@@ -22,7 +22,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="312. Extracting the signature from the MSI file"

tests/recipes/32_attach_signature

@@ -19,7 +19,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="322. Attaching the signature to the MSI file"

tests/recipes/33_remove_signature

@@ -22,7 +22,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="332. Removing the signature from the MSI file"

tests/recipes/36_add_signature_blob

@@ -23,7 +23,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="362. Adding an unauthenticated blob to the MSI file"

tests/recipes/37_add_signature_timestamp

@@ -23,7 +23,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="372. Adding an authenticode timestamp to the MSI file"

tests/recipes/38_add_signature_rfc3161

@@ -23,7 +23,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="382. Adding an RFC 3161 timestamp to the MSI file"

tests/recipes/40_verify_leaf_hash

@@ -25,7 +25,7 @@ if [ -s "test.exe" ]
   fi
 
 # CAB file
-# Command is not supported for non-PE
+# Command is not supported for non-PE/non-MSI files
 
 # MSI file
 test_name="402. Comparing the leaf certificate hash against specified SHA256 message digest for the MSI file"

tests/recipes/51_sign_jp_low

@@ -5,7 +5,7 @@
 . $(dirname $0)/../test_library
 
 # PE file
-#
+# Warning: -jp option is only valid for CAB files
 
 # CAB file
 test_name="511. Signing a CAB file with jp low option"
@@ -25,6 +25,6 @@ if [ -s "test.ex_" ]
   fi
 
 # MSI file
-#
+# Warning: -jp option is only valid for CAB files
 
 exit 0