diff --git a/pkg/sys/trust.go b/pkg/sys/trust.go index fab5652be..7cabeafae 100644 --- a/pkg/sys/trust.go +++ b/pkg/sys/trust.go @@ -24,7 +24,6 @@ import ( "io" "os" "reflect" - "runtime" "sync" "time" "unsafe" @@ -310,8 +309,6 @@ func NewCatalog() Cat { // Open opens the catalog and acquires the hash for the given file. If the // file is catalog-signed, a valid catalog handle is stored internally. func (c *Cat) Open(filename string) error { - runtime.LockOSThread() - defer runtime.UnlockOSThread() // acquire handle to a catalog administrator context err := CryptCatalogAdminAcquireContext(&c.admin, nil, nil, 0, 0) if err != nil { @@ -350,8 +347,6 @@ func (c *Cat) IsCatalogSigned() bool { // Verify verifies the signature of the given file against the catalog. func (c *Cat) Verify(filename string) (SignatureStatus, error) { - runtime.LockOSThread() - defer runtime.UnlockOSThread() trust := NewWintrustData(WtdChoiceCatalog) defer trust.Close() if c.file == nil { @@ -428,8 +423,6 @@ func (c *Cat) ParseCertificate() (*Cert, error) { } func (c *Cat) Close() error { - runtime.LockOSThread() - defer runtime.UnlockOSThread() if c.admin != 0 { defer CryptCatalogAdminReleaseContext(c.admin, 0) } diff --git a/pkg/util/signature/signature.go b/pkg/util/signature/signature.go index 7bb68c1b2..6dae675fa 100644 --- a/pkg/util/signature/signature.go +++ b/pkg/util/signature/signature.go @@ -318,6 +318,11 @@ func (s *Signatures) getOrCheck(key Key) *Signature { } func (s *Signatures) runWorker() { + // pin this goroutine to its OS thread for the lifetime of the worker. + // WinVerifyTrust has COM STA thread affinity and all calls must happen + // on a thread where CoInitializeEx has been called. + runtime.LockOSThread() + defer runtime.UnlockOSThread() for { select { case req := <-s.requests: diff --git a/pkg/util/signature/types.go b/pkg/util/signature/types.go index 4c3b51e06..867fe90fa 100644 --- a/pkg/util/signature/types.go +++ b/pkg/util/signature/types.go @@ -21,7 +21,6 @@ package signature import ( "errors" "fmt" - "runtime" "sync/atomic" "time" @@ -262,8 +261,6 @@ func (s *Signature) HasCertificate() bool { // by passing the inquiry to a trust provider that supports the action // identifier. func (s *Signature) verifyFile() error { - runtime.LockOSThread() - defer runtime.UnlockOSThread() trust := sys.NewWintrustData(sys.WtdChoiceFile) defer trust.Close() status, err := trust.VerifyFile(s.Path)