ghost
commented
3 years ago Not important anymore, closing. If you want to be chaotic, go for. I don't care now.
I made my own independent implementation for verification, replicating what "extract-signature" and "verify" in stable 1.7.1 did. It verifies PE and EXE SHA1/SHA256 from a file's signature. The hardest part was actually understand what to cut, ,thankfully Python Signify's "get_authenticode_omit_sections()" helped here.
If you are annoyed by the lack of CLI stability too, like me, then: To do PE, use Python PEfile; For metadata on subjects/etc, the signature is at the end, you can figure out its Base64/HEX by looking on the current tool PEM output, then can read it using OpenSSL's PKCS7 option; For the signature calculation, skip 4 bytes after 344 first bytes, then skip 8 after 408, then skip all the bytes of its DER signature at the end: This is what need to calculate.
Maybe nobody can change those devs mind and respect compatibility between versions, not break stuff for verification, but at least you can do this part on your own now when the trick is public.
[DELETED]