autopkg / hansen-m-recipes

My recipes for Autopkg - https://github.com/autopkg

Add WinCodeSignatureVerifier #169

Closed jgstew closed 1 year ago

jgstew commented 4 years ago

I did some digging, and it is possible to verify Windows code signatures on Mac using osslsigncode

I'm looking into adding a processor to do this. It should work on MSIs, CABs, and EXEs. This is more of a long term enhancement.

brew install osslsigncode

osslsigncode verify -in Zoom.msi 
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 0813444DF568A62C229C15B3C3FF4568E2DCF034947F283E194794A77E8308C2

Signature verification: ok

Number of signers: 1
    Signer #0:
        Subject : /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=4969967/C=US/ST=California/L=San Jose/O=Zoom Video Communications, Inc./CN=Zoom Video Communications, Inc.
        Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)

Number of certificates: 2
    Cert #0:
        Subject : /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=4969967/C=US/ST=California/L=San Jose/O=Zoom Video Communications, Inc./CN=Zoom Video Communications, Inc.
        Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
    Cert #1:
        Subject : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
        Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

Succeeded
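An added example, not jgstew's processor and not code from this thread: a small Python check that parses the `osslsigncode verify` output shown above and, beyond the tool's own "ok", pins the expected signer CN (and optionally the issuing CA CN), since a valid signature from any publisher would otherwise pass. The embedded sample is the Zoom output quoted above with the certificate listing trimmed, and the parser assumes that version's output layout.

```python
# Constructed sample: the osslsigncode output quoted in the issue above, with the
# certificate listing trimmed, so the parser runs without the tool installed.
SAMPLE_OUTPUT = """\
Signature verification: ok
Number of signers: 1
    Signer #0:
        Subject : /jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=4969967/C=US/ST=California/L=San Jose/O=Zoom Video Communications, Inc./CN=Zoom Video Communications, Inc.
        Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)

Number of certificates: 2
Succeeded
"""

def parse_osslsigncode_output(text):
    # Returns (verified, [{"subject": ..., "issuer": ...}, ...]); assumes the
    # layout shown in the thread, which other osslsigncode versions may change.
    lines = [ln.strip() for ln in text.splitlines()]
    verified = "Signature verification: ok" in lines and "Succeeded" in lines
    signers, in_signers, current = [], False, None
    for ln in lines:
        if ln.startswith("Number of signers"):
            in_signers = True
        elif ln.startswith("Number of certificates"):
            in_signers = False
        elif in_signers and ln.startswith("Signer #"):
            current = {}
            signers.append(current)
        elif in_signers and current is not None and ":" in ln:
            key, _, value = ln.partition(":")
            current[key.strip().lower()] = value.strip()
    return verified, signers

def dn_field(dn, attr):
    # Last value of `attr` in an OpenSSL-style "/C=US/O=.../CN=..." DN string.
    values = [v for k, _, v in (p.partition("=") for p in dn.split("/")) if k == attr]
    return values[-1] if values else None

def check_signature(output, expected_cn, expected_issuer_cn=None):
    # "Signature verification: ok" only proves *some* valid signature exists;
    # pin the publisher (and optionally the CA) or any signed binary would pass.
    verified, signers = parse_osslsigncode_output(output)
    if not verified or not signers:
        return False, "signature did not verify or no signer block parsed"
    for s in signers:
        if dn_field(s.get("subject", ""), "CN") != expected_cn:
            return False, "unexpected signer: " + s.get("subject", "")
        if expected_issuer_cn and dn_field(s.get("issuer", ""), "CN") != expected_issuer_cn:
            return False, "unexpected issuer: " + s.get("issuer", "")
    return True, "signature ok and signer matches"
```

In a processor you would feed the stdout of `osslsigncode verify -in <file>` to `check_signature` and also fail on a non-zero exit status.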


jgstew commented 3 years ago

This is also interesting: https://github.com/ralphje/signify

I have an issue to track this in my own repo here: https://github.com/jgstew/jgstew-recipes/issues/12

jgstew commented 2 years ago

Oh, I actually have a working processor for this that works cross-platform!

Should work for EXEs and DLL files. I have found a few cases where it cannot validate the signature even though Windows does validate it, but those have only been a minority of cases, and I think it is due to the Python library having a different set of valid root signing certs or something.