MSOffice2011Updates.download: Code signature check fails for Update 14.7.1
The code signature check in the MSOffice2011Updates.download recipe fails for Office 2011 update 14.7.1.
CodeSignatureVerifier: Verifying installer package signature...
CodeSignatureVerifier: Package "Office 2011 14.7.1 Update":
CodeSignatureVerifier: Status: signed by a certificate trusted by Mac OS X
CodeSignatureVerifier: Certificate Chain:
CodeSignatureVerifier: 1. Developer ID Installer: Microsoft Corporation
CodeSignatureVerifier: SHA1 fingerprint: AE D0 A7 C5 31 01 2B 70 D7 FB 49 5A 23 30 3A 67 05 36 5A 11
CodeSignatureVerifier: -----------------------------------------------------------------------------
CodeSignatureVerifier: 2. Developer ID Certification Authority
CodeSignatureVerifier: SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
CodeSignatureVerifier: -----------------------------------------------------------------------------
CodeSignatureVerifier: 3. Apple Root CA
CodeSignatureVerifier: SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
CodeSignatureVerifier:
CodeSignatureVerifier: Signature is valid
CodeSignatureVerifier: Mismatch in authority names
CodeSignatureVerifier: Expected: Developer ID Installer: Microsoft Corporation (UBF8T346G9) -> Developer ID Certification Authority -> Apple Root CA
CodeSignatureVerifier: Found: Developer ID Installer: Microsoft Corporation -> Developer ID Certification Authority -> Apple Root CA
Mismatch in authority names. Note that all verification can be disabled by setting the variable DISABLE_CODE_SIGNATURE_VERIFICATION to a non-empty value.
Failed.
Can't replicate that here.
CodeSignatureVerifier
{'Input': {'expected_authority_names': (
"Developer ID Installer: Microsoft Corporation (UBF8T346G9)",
"Developer ID Certification Authority",
"Apple Root CA"
),
'input_path': u'/var/madmin/Library/AutoPkg/Cache/com.github.autopkg.download.Office2011Updates/downloads/Office2011-1471Update_EN-US.dmg/Office*.*pkg'}}
CodeSignatureVerifier: Mounted disk image /var/madmin/Library/AutoPkg/Cache/com.github.autopkg.download.Office2011Updates/downloads/Office2011-1471Update_EN-US.dmg
CodeSignatureVerifier: Using path '/private/tmp/dmg.uux1te/Office 2011 14.7.1 Update.pkg' matched from globbed '/private/tmp/dmg.uux1te/Office*.*pkg'.
CodeSignatureVerifier: Verifying installer package signature...
CodeSignatureVerifier: Package "Office 2011 14.7.1 Update":
CodeSignatureVerifier: Status: signed by a certificate trusted by Mac OS X
CodeSignatureVerifier: Certificate Chain:
CodeSignatureVerifier: 1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
CodeSignatureVerifier: SHA1 fingerprint: 9B 6B 91 3B B1 3F 68 26 12 20 EC 72 11 F0 F2 0E 92 E4 B1 EB
CodeSignatureVerifier: -----------------------------------------------------------------------------
CodeSignatureVerifier: 2. Developer ID Certification Authority
CodeSignatureVerifier: SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
CodeSignatureVerifier: -----------------------------------------------------------------------------
CodeSignatureVerifier: 3. Apple Root CA
CodeSignatureVerifier: SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
CodeSignatureVerifier:
CodeSignatureVerifier: Signature is valid
CodeSignatureVerifier: Authority name chain is valid
Microsoft seems to have multiple build machines signing packages and the Developer ID Installer cert seems to "oscillate".
Ultimately we might need to alter the CodeSignatureVerifier to be able to do a less-strict check of expected_authority_names... @hjuutilainen
Hmm, I used the German language update "Office2011-1471Update_DE-DE.dmg". So Microsoft does not use the same dev certificate across all languages...
Somebody else reported this, I believe in the Macadmins Slack, a couple weeks ago. I notified Paul Bowden, a release manager on the Office for Mac Team.
The cause is that they have a farm of build machines doing the releases, and for a long time they have had different (but valid) Developer ID identities installed across the machines. We've raised the issue with them every time this happens, and they seem to have gotten closer to having the same identity on all build machines, but apparently not entirely so.
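The less-strict check of expected_authority_names raised in this thread, as an added example (not AutoPkg's code and not written by any participant): instead of disabling verification, accept an explicit allowlist of complete chains. The names `ALLOWED_CHAINS`, `parse_chain`, `chain_allowed` and `sample_log` are hypothetical, and the sample logs are constructed in the shape of the output quoted above with fingerprints omitted.

```python
import re

# Matches numbered chain entries such as "1. Developer ID Installer: ..."
AUTHORITY_RE = re.compile(r"^\s*\d+\.\s+(?P<name>.+?)\s*$")
APPLE_TAIL = ("Developer ID Certification Authority", "Apple Root CA")

# Hypothetical allowlist: both leaf names seen in this thread, nothing else.
ALLOWED_CHAINS = {
    ("Developer ID Installer: Microsoft Corporation (UBF8T346G9)",) + APPLE_TAIL,
    ("Developer ID Installer: Microsoft Corporation",) + APPLE_TAIL,
}

def parse_chain(log_text):
    """Return the authority names, leaf first, from verifier output."""
    names = []
    for line in log_text.splitlines():
        # Drop the processor's log prefix if the line carries one.
        body = line.split("CodeSignatureVerifier:", 1)[-1]
        match = AUTHORITY_RE.match(body)
        if match:
            names.append(match.group("name"))
    return names

def chain_allowed(log_text, allowed=ALLOWED_CHAINS):
    """Accept only a validated signature whose full chain is on the allowlist."""
    if "Signature is valid" not in log_text:
        return False  # authority names mean nothing without a valid signature
    # Exact tuple match: no prefix or substring matching on the leaf name.
    return tuple(parse_chain(log_text)) in allowed

def sample_log(leaf, valid=True):
    """Constructed log in the shape quoted in this thread (fingerprints omitted)."""
    lines = ["CodeSignatureVerifier: Certificate Chain:",
             "CodeSignatureVerifier: 1. " + leaf,
             "CodeSignatureVerifier: SHA1 fingerprint: <omitted>",
             "CodeSignatureVerifier: ----------",
             "CodeSignatureVerifier: 2. " + APPLE_TAIL[0],
             "CodeSignatureVerifier: SHA1 fingerprint: <omitted>",
             "CodeSignatureVerifier: ----------",
             "CodeSignatureVerifier: 3. " + APPLE_TAIL[1]]
    if valid:
        lines.append("CodeSignatureVerifier: Signature is valid")
    return "\n".join(lines)

if __name__ == "__main__":
    for leaf in ("Developer ID Installer: Microsoft Corporation",
                 "Developer ID Installer: Microsoft Corporation Ltd (ABCDE12345)"):
        print(leaf, "->", chain_allowed(sample_log(leaf)))
```

Each accepted chain is spelled out in full, so a new leaf identity has to be added deliberately rather than by turning verification off.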