Open ferventcoder opened 8 years ago
Thanks @ericlaw1979 for the suggestion!
If you're in .NET, it's a pretty straightforward process.
Note, you don't want to call cert.Verify() because it's ignorant of the fact that the file's Authenticode Signature may be timestamped and thus valid even if the cert is now expired. Also, WinVerifyTrust just checked the signature's validity, which included validation of the certificate.
This appears completed. #501
Not a duplicate. I'm sorry - this is about validating digital signatures in powershell scripts (if things are signed) and in binaries.
Just a note, this is pointed to from https://docs.chocolatey.org/en-us/roadmap
During the installation phase of a package, we should check to see if the binaries to be 'installed', and the scripts being used for that installation, are signed. If they are signed then we should check their signatures to ensure they are valid and stop installation if they are not.
One can do this now in the automation scripts (it's just PowerShell), but adding a facility to easily add the ability to verify the authenticode scripts would be awesome!
We may be able to look at binaries and build some of this into Chocolatey itself. To do this within Chocolatey itself, we may need to expand the scope so it does differencing against things like Program Files to see things installed.
Some possible resources:
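One way to do the check the issue describes from inside a package's install script, as an added example that is not Chocolatey's own code: it uses Get-AuthenticodeSignature (which goes through WinVerifyTrust, so a timestamped signature stays Valid after the signing certificate expires) and fails only when a file is signed but its signature does not verify, leaving unsigned files alone as the issue proposes. The tools directory location and the set of file extensions are assumptions.

```powershell
# Added example (not Chocolatey's code). Assumes PowerShell 5.1+ on Windows.
function Test-PackageSignatures {
    param(
        [Parameter(Mandatory)][string[]] $Path
    )
    $problems = @()
    # Assumed set of file types worth checking; adjust per package.
    $files = Get-ChildItem -Path $Path -Recurse -File `
        -Include *.exe, *.dll, *.msi, *.ps1, *.psm1
    foreach ($file in $files) {
        # Get-AuthenticodeSignature calls WinVerifyTrust, so a timestamped
        # signature is still reported as Valid after the signer cert expires.
        # Do NOT use $sig.SignerCertificate.Verify(): it ignores the timestamp.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -eq 'NotSigned') {
            # Unsigned files are out of scope: the issue only asks to verify
            # what is signed. Log so the gap is visible in the install output.
            Write-Verbose "$($file.Name): not signed, skipping"
        }
        elseif ($sig.Status -eq 'Valid') {
            $ts = if ($sig.TimeStamperCertificate) { ' (timestamped)' } else { '' }
            Write-Verbose "$($file.Name): signed by $($sig.SignerCertificate.Subject)$ts"
        }
        else {
            # HashMismatch, NotTrusted, UnknownError, Incompatible, ...
            $problems += [pscustomobject]@{
                File    = $file.FullName
                Status  = $sig.Status
                Message = $sig.StatusMessage
            }
        }
    }
    return $problems
}

# Usage in chocolateyInstall.ps1: refuse to proceed if any signed file fails.
# $toolsDir follows the usual Chocolatey script layout (assumed here).
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$bad = Test-PackageSignatures -Path $toolsDir
if ($bad) {
    $bad | Format-Table -AutoSize | Out-String | Write-Warning
    throw "Refusing to install: $($bad.Count) file(s) have invalid Authenticode signatures."
}
```

A HashMismatch on a file that the package's own script just downloaded is the case most worth stopping on, since it means the bytes no longer match what the signer attested to.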