mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

[Usage-Help] Verification fails on Windows every time #258

Closed NtWriteCode closed 1 year ago

NtWriteCode commented 1 year ago

It may be just me, but I couldn't find an example of how to verify the digital signature of a PE using the tool. The command lines seem straightforward, but when I try to use it intuitively, like: osslsigncode.exe verify -in C:\Windows\explorer.exe osslsigncode just fails.

The error message is the following:

CAfile: (null)
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
Use the "-TSA-CAfile" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.
Timestamp Server Signature verification: failed
Failed to add store lookup file
Signature verification: failed

Number of verified signatures: 1
Failed

I kind of get it that I'm not providing some parameters & files that I should have, but I don't want anything custom, just use all the built-in things that the OS would use as well to verify the digital signature. Is it possible to do this without any hacking, like exporting all the system certs first or things like this?

I tried both the latest Release & the latest build from CI and both on Windows 10 & 11, but the output is the very same. Is it just me misusing the tool?

olszomal commented 1 year ago

Download the CA certificate file Microsoft Root Certificate Authority 2010 from the PKI Repository (Microsoft PKI Services).

Convert it from DER to PEM format:

openssl x509 -inform DER -in MicRooCerAut_2010-06-23.crt -outform PEM -out MicRooCerAut_2010-06-23.pem

It works:

osslsigncode.exe verify -in C:\Windows\explorer.exe -CAfile MicRooCerAut_2010-06-23.pem
(...)
CAfile: MicRooCerAut_2010-06-23.pem
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
Use the "-TSA-CAfile" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.
Timestamp Server Signature verification: failed
Signature verification: ok

Number of verified signatures: 1
Succeeded

More precisely:

osslsigncode.exe verify -in C:\Windows\explorer.exe -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem
(...)
CAfile: MicRooCerAut_2010-06-23.pem
TSA's certificates file: MicRooCerAut_2010-06-23.pem
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
TSA's CRL distribution point: http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl

Timestamp Server Signature verification: ok
Signature verification time: Mar  9 11:50:20 2023 GMT
Signature verification: ok

Number of verified signatures: 1
Succeeded
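The procedure in the answer above (fetch the Microsoft root, convert DER to PEM, pass it as both -CAfile and -TSA-CAfile, read the verdict lines) lends itself to a small wrapper once it has to run unattended. The following is an added example written for this page; it is not code from osslsigncode or from either participant. It uses only the Python standard library so the DER-to-PEM step does not need openssl on PATH, builds the same command line shown above, and parses the tool's output into a verdict. The file paths, the policy function and the DER bytes used for the self-check are constructed assumptions; the two sample transcripts are copied from the answer above.

```python
"""Added example, not part of osslsigncode or of this issue thread.

Wraps the verification steps from the answer above:
  1. convert a DER root certificate (e.g. MicRooCerAut_2010-06-23.crt) to PEM,
  2. build `osslsigncode verify -in ... -CAfile ... -TSA-CAfile ...`,
  3. parse the verdict lines the tool prints and apply a pass/fail policy.
Paths, the policy defaults and SAMPLE_DER are assumptions made for illustration.
"""
from __future__ import annotations

import base64
import shutil
import subprocess
from pathlib import Path
from typing import Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(data: bytes) -> str:
    """Wrap a DER certificate in a PEM envelope (base64 in 64-character lines).

    PEM input is passed through unchanged. Anything else must start with the
    DER SEQUENCE tag (0x30) that every X.509 certificate begins with; this is
    a cheap sanity check, not a full parse.
    """
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return data.decode("ascii")
    if not data or data[0] != 0x30:
        raise ValueError("not a DER certificate: missing leading SEQUENCE tag")
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_HEADER + "\n" + "\n".join(lines) + "\n" + PEM_FOOTER + "\n"


def build_verify_cmd(target: str, ca_pem: str, tsa_ca_pem: Optional[str] = None,
                     exe: str = "osslsigncode") -> list:
    """Command line matching the second invocation in the answer above.

    -CAfile anchors the signer's chain; -TSA-CAfile anchors the timestamp
    countersignature's chain. The answer uses one Microsoft root file for both,
    but the two may differ for other signers, so they are separate arguments.
    """
    cmd = [exe, "verify", "-in", target, "-CAfile", ca_pem]
    if tsa_ca_pem:
        cmd += ["-TSA-CAfile", tsa_ca_pem]
    return cmd


def parse_verify_output(text: str) -> dict:
    """Pull the verdict lines out of osslsigncode's output (see transcripts above)."""
    result = {"signature_ok": None, "timestamp_ok": None,
              "verified_signatures": None, "succeeded": None}
    for raw in text.splitlines():
        line = raw.strip()
        # Check the longer prefix first; "Signature verification time:" is
        # deliberately excluded because it lacks the colon right after "verification".
        if line.startswith("Timestamp Server Signature verification:"):
            result["timestamp_ok"] = line.endswith("ok")
        elif line.startswith("Signature verification:"):
            result["signature_ok"] = line.endswith("ok")
        elif line.startswith("Number of verified signatures:"):
            result["verified_signatures"] = int(line.rsplit(":", 1)[1])
        elif line in ("Succeeded", "Failed"):
            result["succeeded"] = line == "Succeeded"
    return result


def accept(result: dict, require_timestamp: bool = True) -> bool:
    """Pass/fail policy (an assumption, not osslsigncode's own exit logic).

    Requiring the timestamp check is the conservative default: in the answer's
    first successful run the tool prints Succeeded even though the timestamp
    countersignature could not be verified without -TSA-CAfile.
    """
    if not result["signature_ok"] or not result["succeeded"]:
        return False
    if require_timestamp and not result["timestamp_ok"]:
        return False
    return True


def verify_file(target: str, root_cert: str, work_dir: str = ".") -> Optional[dict]:
    """Convert the root to PEM in work_dir and run osslsigncode on target.

    Returns None when osslsigncode is not on PATH so the module still imports
    and the pure functions above remain usable without the tool installed.
    """
    exe = shutil.which("osslsigncode")
    if exe is None:
        return None
    pem_path = Path(work_dir) / (Path(root_cert).stem + ".pem")
    pem_path.write_text(der_to_pem(Path(root_cert).read_bytes()))
    cmd = build_verify_cmd(target, str(pem_path), str(pem_path), exe=exe)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_verify_output(proc.stdout + proc.stderr)


# Constructed DER-shaped bytes for the self-check: a SEQUENCE tag followed by
# filler. This is NOT a real certificate; it only exercises the PEM wrapping.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x02]) + bytes(range(256)) + b"\x00\x01"

# Transcripts copied from the answer above (without and with -TSA-CAfile).
SAMPLE_OUTPUT_NO_TSA = """CAfile: MicRooCerAut_2010-06-23.pem
Timestamp Server Signature verification: failed
Signature verification: ok

Number of verified signatures: 1
Succeeded
"""
SAMPLE_OUTPUT_WITH_TSA = """CAfile: MicRooCerAut_2010-06-23.pem
TSA's certificates file: MicRooCerAut_2010-06-23.pem
Timestamp Server Signature verification: ok
Signature verification time: Mar  9 11:50:20 2023 GMT
Signature verification: ok

Number of verified signatures: 1
Succeeded
"""

if __name__ == "__main__":
    # Assumed paths; adjust to where the downloaded root and the target live.
    print(verify_file(r"C:\Windows\explorer.exe", "MicRooCerAut_2010-06-23.crt"))
```

Two practical notes. The root file you pass with -CAfile is the entire trust anchor set for this verification, so obtain it from Microsoft's PKI repository over HTTPS and keep it under version control rather than re-downloading it on every run. And decide explicitly whether an unverified timestamp countersignature is acceptable: the transcripts above show the tool reporting Succeeded in both cases, so a script that only checks the final Succeeded/Failed line will not notice the difference.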