Open ladislav-zezula opened 6 years ago
YARA never claims to validate signatures, nor do I think it should. The point is not to say if the signature is valid or not, but to give you the ability to inspect the signature metadata.
Oh ok. Would there be a chance of adding a function that would actually verify the signature?
Please don't ever do that
Didn't the recent updates make verification a thing? Please note, verification is very different from trusted, and @ladislav-zezula was very careful to make that distinction in the update.
Hi,
I found that YARA's `pe.number_of_signatures` ignores whether the signatures are valid (i.e. whether the hash matches). As a result, YARA doesn't have a way to check the number of signatures that are actually valid.

Sample: f5b56970f8bab4e0bc32c76485b4b3d6bb3f85ae202b19c4db1bfe2512458ca2 (clean, signed, valid)
Sample: 3f81d595816d8e334cdce4e13fe8ba6263d71679eac8597acae04a47780fae9e (clean, signed, signature corrupted)
Sample: 011001cce0953e554bcf064a991b6b9b14a1aa12a5459ca37e3d7cd9d9b5ec65 (clean, signed, file modified)
Sample: b47e34059f33cd8856eb1eb0407cfdd21d81b8eef36c03fa2f3bd8ae6c166890 (signed, infected by Expiro)
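The distinction the report and the later comments draw, between "the file carries signature blobs" and "at least one of those signatures actually verifies", can be expressed directly in a rule. The rules below are an added example, not code from the issue or from the YARA project; they assume a YARA build whose `pe` module exposes `pe.signatures[i].verified` (the verification field added with the authenticode-parser integration in YARA 4.3), and they assume the usual `pe.is_pe` and `pe.number_of_signatures` fields that older builds also have.

```yara
import "pe"

// Added example rules (not from the issue). pe.number_of_signatures counts
// every entry in the security directory, whether or not the hash matches,
// so a corrupted blob or a modified file still counts as "signed".

rule signed_but_nothing_verifies
{
    meta:
        description = "PE has at least one Authenticode signature, but none of them verifies (corrupted signature or modified file)"
    condition:
        pe.is_pe and
        pe.number_of_signatures > 0 and
        // assumes pe.signatures[i].verified (YARA 4.3+); on older builds
        // only the metadata fields (subject, issuer, serial, ...) exist
        not for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].verified
        )
}

rule at_least_one_signature_verifies
{
    meta:
        description = "PE has at least one Authenticode signature whose hash and signing certificate verify"
    condition:
        pe.is_pe and
        pe.number_of_signatures > 0 and
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].verified
        )
}
```

Against the four samples listed above, the first rule is the one that would separate the corrupted and modified files from the clean, valid one, and the Expiro-infected file (whose signature no longer covers the modified image) would fall on the same side as the modified sample. Note the caveat raised in the thread: `verified` only says the signature is internally consistent with the file; it does not say the signer chains to a root you trust, so a `verified` signature is still not a "trusted" one.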