mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

[Bug Report] Fail to verify the revocation status of certificates. #249

Closed bitman694 closed 1 year ago

bitman694 commented 1 year ago

I use osslsigncode v2.5 to verify a sample (SHA-256 3fb0b3f177baaaa4a26b6def74c5b548e4dea309a7ad6c3f966279c93c40c614). Windows shows the signature is invalid because a certificate was explicitly revoked by its issuer, but osslsigncode shows its signatures are valid. I think osslsigncode misses the revocation information. osslsigncode shows the CRL distribution point is http://sv.symcb.com/sv.crl, and I also can't find the revocation record at this link. I guess maybe osslsigncode fails to find the right CRL distribution point? I'm trying to analyze this problem. I will continue to report more details if possible.

mtrojnar commented 1 year ago

Yes, osslsigncode does not automatically download CRLs for certificates. You need to download the CRL file first, and then make osslsigncode use that CRL file.

I think we should implement this feature.
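The workaround described above (obtain the CRL yourself, then hand it to the verifier), as an added example that is not part of osslsigncode or this issue: a throwaway CA issues a signer certificate, revokes it and publishes a CRL. `openssl verify` reports the certificate as valid when no CRL is consulted and as revoked only once the CRL is supplied, which is exactly why a chain can look fine without the revocation data. The CA, the keys and the CRL distribution point URL (`crl.example.invalid`) are all constructed for the demo; the closing comment shows the corresponding osslsigncode invocation using its `-CAfile` and `-CRLfile` verify options, which is not executed here.

```shell
#!/bin/sh
# Added example (not osslsigncode's own code). Everything below is constructed
# test material: a demo CA, a demo signer certificate, and a demo CRL.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal "openssl ca" database. The CRL distribution point is a placeholder URL.
mkdir -p demoCA/newcerts
: > demoCA/index.txt
echo 1000 > demoCA/serial
echo 01 > demoCA/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
EOF

# Self-signed root, plus a leaf that plays the role of the code-signing certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -config ca.cnf -batch -in leaf.csr -out leaf.crt 2>/dev/null

# Revoke the signer and publish the CRL that the issuer would host at the URL above.
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Step 1 of the workaround: read the CRL distribution point from the certificate.
crl_url() {
    openssl x509 -in "$WORK/leaf.crt" -noout -text | sed -n 's/^ *URI://p' | head -n 1
}

# Step 2: verify with or without the CRL. Prints VALID, REVOKED or ERROR.
verdict() {
    if out=$(openssl verify "$@" "$WORK/leaf.crt" 2>&1); then
        echo VALID
    elif printf '%s' "$out" | grep -qi 'revoked'; then
        echo REVOKED
    else
        echo ERROR
    fi
}

echo "CRL distribution point: $(crl_url)"
echo "without CRL: $(verdict -CAfile "$WORK/ca.crt")"
echo "with CRL:    $(verdict -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$WORK/ca.crl")"

# The downloaded CRL is what osslsigncode's verify command takes via -CRLfile:
#   osslsigncode verify -in signed.exe -CAfile ca.crt -CRLfile ca.crl
```

The first `verdict` call shows the chain validating with no revocation check at all; the second, with `-crl_check -CRLfile`, is the state you want before trusting a signature, and it only works because the CRL was fetched out of band. A CRL that does not list the serial is not proof of good standing either if the issuer only publishes the revocation through OCSP.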

bitman694 commented 1 year ago

@mtrojnar I think you should also consider adding OCSP as a way to check the revocation status. I find that the revocation status of some certificates can only be checked via OCSP; I can't find the corresponding records in their CRL files. This is a known problem that was reported at least as early as 2018, but I still find it exists recently.