Chrome Version       : 68.0.3440.106
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari: OK
    Firefox: OK
       Edge: OK

What steps will reproduce the problem?
(1) Extract the PKCS7 signature block from GoogleUpdateSetup.exe. There's a python script that will do it on Linux - https://github.com/recvfrom/verify-sigs.  Invoke with 'python print_pe_certs.py /path/to/GoogleUpdateSetup.exe'.  The output file will be in /tmp.  Alternatively, I've attached the extracted file.
(2) Load the p7b file into a parser like https://lapo.it/asn1js/
(3) Viewing the ASN.1 section associated with the "Dummy Certificate", you can see it's missing the required ASN.1 NULL type in the AlgorithmIdentifier section

What is the expected result?

Each x509 certificate using sha-1WithRSAEncryption must have an ASN.1 NULL type following the OID to strictly conform with the RFCs.  

Reference:
 - https://tools.ietf.org/html/rfc5280#section-4.1.1.2
 - https://tools.ietf.org/html/rfc3279#section-2.2.1


What happens instead?

The "Dummy Certificate" doesn't have the required ASN.1 NULL type, though, which may break some parsers (for instance, it currently causes the ClamAV authenticode parser to stop signature verification).  It doesn't seem to interfere with signature validation on Windows, though.



Does this Dummy Certificate serve a purpose, and if not, can it be removed from the authenticode header?  Or can it be updated to include the NULL value?
 

Deleted: asn1_decoded.png 316 KB

	asn1_decoded.png 316 KB View Download

Deleted: GoogleUpdateSetup.exe_extracted_cert.p7b 18.8 KB

GoogleUpdateSetup.exe_extracted_cert.p7b 18.8 KB Download