mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

PKCS7_verify_error #344

Status: Closed (patatetom closed 7 months ago)

patatetom commented 7 months ago

hi,

I only use osslsigncode to check binaries signed by Microsoft.

I got the right certificates from the internet and converted them to PEM format so that I could use them with osslsigncode.

when I do this manually, osslsigncode terminates successfully :

# osslsigncode verify -in test/msedge.exe -ignore-timestamp -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
PE checksum   : 003B0CC8

Message digest algorithm  : SHA256
Current message digest    : 14A774CA6D60838FC153C0876743EBE7386BF07E560C1B7886189229B78AA8B9 
Calculated message digest : 14A774CA6D60838FC153C0876743EBE7386BF07E560C1B7886189229B78AA8B9 

Signature Index: 0  (Primary Signature)
Signer's certificate:
    Signer #0:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Serial : 33000003A54111E8F07FBE0B750000000003A5
        Certificate expiration date:
            notBefore : Oct 19 19:51:56 2023 GMT
            notAfter : Oct 16 19:51:56 2024 GMT

Number of certificates: 2
    Signer #0:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Serial : 33000003A54111E8F07FBE0B750000000003A5
        Certificate expiration date:
            notBefore : Oct 19 19:51:56 2023 GMT
            notAfter : Oct 16 19:51:56 2024 GMT
    ------------------
    Signer #1:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
        Serial : 610E90D2000000000003
        Certificate expiration date:
            notBefore : Jul  8 20:59:09 2011 GMT
            notAfter : Jul  8 21:09:09 2026 GMT

Message digest algorithm: SHA256

Authenticated attributes:
    Microsoft Individual Code Signing purpose
    Message digest: 96913A53034462F001A9CAB361BA6E3CECC633B1AA8A38C72559B86855208C03 
    URL description: https://www.microsoft.com 
    Text description: Microsoft Edge

The signature is timestamped: Jan 17 07:52:36 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
        Serial : 33000001D5A902CFC5A7C9E95A0001000001D5

CAfile: test/MicrosoftRootCertificateAuthority2011.crt.pem
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt

Timestamp Server Signature verification is disabled

CRL distribution point: http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
Connecting to http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
Signature CRL verification: ok
Signature verification: ok

Number of verified signatures: 1
Succeeded

however, when I install the certificates on my system (archlinux), osslsigncode terminates with an error :

# trust anchor test/MicrosoftRootCertificateAuthority2011.crt.pem && update-ca-trust

# osslsigncode verify -in test/msedge.exe -ignore-timestamp
PE checksum   : 003B0CC8

Message digest algorithm  : SHA256
Current message digest    : 14A774CA6D60838FC153C0876743EBE7386BF07E560C1B7886189229B78AA8B9 
Calculated message digest : 14A774CA6D60838FC153C0876743EBE7386BF07E560C1B7886189229B78AA8B9 

Signature Index: 0  (Primary Signature)
Signer's certificate:
    Signer #0:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Serial : 33000003A54111E8F07FBE0B750000000003A5
        Certificate expiration date:
            notBefore : Oct 19 19:51:56 2023 GMT
            notAfter : Oct 16 19:51:56 2024 GMT

Number of certificates: 2
    Signer #0:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Serial : 33000003A54111E8F07FBE0B750000000003A5
        Certificate expiration date:
            notBefore : Oct 19 19:51:56 2023 GMT
            notAfter : Oct 16 19:51:56 2024 GMT
    ------------------
    Signer #1:
        Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
        Serial : 610E90D2000000000003
        Certificate expiration date:
            notBefore : Jul  8 20:59:09 2011 GMT
            notAfter : Jul  8 21:09:09 2026 GMT

Message digest algorithm: SHA256

Authenticated attributes:
    Microsoft Individual Code Signing purpose
    Message digest: 96913A53034462F001A9CAB361BA6E3CECC633B1AA8A38C72559B86855208C03 
    URL description: https://www.microsoft.com 
    Text description: Microsoft Edge

The signature is timestamped: Jan 17 07:52:36 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
        Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
        Serial : 33000001D5A902CFC5A7C9E95A0001000001D5

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt

Timestamp Server Signature verification is disabled

PKCS7_verify error
4027E59B18780000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Failed

the certificates seem to be correctly installed on the system side :

# openssl x509 -in test/MicrosoftRootCertificateAuthority2011.crt.pem -noout -subject
subject=C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011

# trust list | grep --color=never -B2 -A2 "Microsoft Root Certificate Authority 2011"
pkcs11:id=%72%2D%3A%02%31%90%43%B9%14%05%4E%E1%EA%A7%C7%31%D1%23%89%34;type=cert
    type: certificate
    label: Microsoft Root Certificate Authority 2011
    trust: anchor
    category: authority

# openssl version -d
OPENSSLDIR: "/etc/ssl"

# find /etc/ssl/ | grep --color=never "Microsoft.*2011"
/etc/ssl/certs/Microsoft_Root_Certificate_Authority_2011.pem

# sha1sum /etc/ssl/certs/Microsoft_Root_Certificate_Authority_2011.pem test/MicrosoftRootCertificateAuthority2011.crt.pem
4e61f9fcc506b310ac3ce7ed2738da9d49786102  /etc/ssl/certs/Microsoft_Root_Certificate_Authority_2011.pem
4e61f9fcc506b310ac3ce7ed2738da9d49786102  test/MicrosoftRootCertificateAuthority2011.crt.pem

# wc -l test/MicrosoftRootCertificateAuthority2011.crt.pem
34 test/MicrosoftRootCertificateAuthority2011.crt.pem

# grep -A34 "Microsoft Root Certificate Authority 2011" /etc/ssl/cert.pem
# Microsoft Root Certificate Authority 2011

# grep -A34 "Microsoft Root Certificate Authority 2011" /etc/ssl/cert.pem | sed 1d | sha1sum
4e61f9fcc506b310ac3ce7ed2738da9d49786102  -

osslsigncode is 2.7 :

# osslsigncode --version
osslsigncode 2.7, using:
    OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
    libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0

Please send bug-reports to Michal.Trojnara@stunnel.org

where could the problem come from ?

regards, lacsaP.

patatetom commented 7 months ago

hi,

I've just tested the same thing under ubuntu 22.04 lts and osslsigncode works as expected after adding the certificates to the system.

the problem would be more on the side of archlinux or openssl which is not at the same version level :

osslsigncode --version
osslsigncode 2.7, using:
    OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
    libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16

Please send bug-reports to Michal.Trojnara@stunnel.org

regards, lacsaP.

olszomal commented 7 months ago

osslsigncode considers the following list of CA files:

    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/usr/share/ssl/certs/ca-bundle.crt",
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cert.pem"

It searches through this list until it finds the first valid CA file.

In your archlinux system, it uses /etc/ssl/certs/ca-certificates.crt. Additionally, the command:

# trust anchor test/MicrosoftRootCertificateAuthority2011.crt.pem && update-ca-trust

stores this certificate in the /etc/ssl/cert.pem file.

In this case use the -CAfile option.
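
The lookup order described in this comment, as an added diagnostic sketch (not osslsigncode's code, and not part of the original comment): it walks the candidate list in order, resolves symlinks, and checks whether a given anchor PEM is present verbatim in the bundle that gets picked. Assumptions: "valid" is approximated as "readable regular file", and the function names and the optional ROOT prefix are hypothetical.

```shell
#!/bin/sh
# Candidate CA bundles, in the order quoted in the comment above.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem"

# Print the first candidate that is a readable regular file (assumed meaning
# of "valid"). ROOT is a hypothetical prefix for testing on a constructed tree.
first_ca_bundle() {   # first_ca_bundle [ROOT]
    root=${1:-}
    for p in $CA_CANDIDATES; do
        if [ -f "$root$p" ] && [ -r "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Print one line per certificate: its base64 body with whitespace removed.
# Comment lines between blocks (e.g. "# Microsoft Root ...") are ignored.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Succeed if the first certificate in CERT appears verbatim in BUNDLE.
bundle_has_cert() {   # bundle_has_cert BUNDLE CERT
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -Fxq -- "$want"
}

# One-line summary: chosen file, symlink target, cert count, anchor present?
ca_report() {         # ca_report ANCHOR.pem [ROOT]
    bundle=$(first_ca_bundle "${2:-}") || { echo "no CA bundle found"; return 1; }
    count=$(pem_bodies "$bundle" | wc -l | tr -d ' ')
    if bundle_has_cert "$bundle" "$1"; then present=yes; else present=no; fi
    printf 'CAfile=%s real=%s certs=%s anchor=%s\n' \
        "$bundle" "$(readlink -f "$bundle")" "$count" "$present"
}
if [ $# -gt 0 ]; then ca_report "$@"; fi
```

Saved under a hypothetical name such as `ca_check.sh`, it takes the anchor PEM as its argument; `anchor=yes` alongside a failed verification means the anchor is in the selected file, so the cause lies elsewhere.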

patatetom commented 7 months ago

hi,

after a few more tries, I think there's a little problem somewhere else...

# ll /etc/ssl/cert.pem 
lrwxrwxrwx 1 root root 46  5 sept.  2022 /etc/ssl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem

# ll /etc/ssl/certs/ca-certificates.crt 
lrwxrwxrwx 1 root root 49  5 sept.  2022 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem

## osslsigncode says/uses "CAfile: /etc/ssl/certs/ca-certificates.crt"
# cp /etc/ssl/certs/ca-certificates.crt /tmp/system.crt

# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
CAfile: test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded

## add certificate to system store with archlinux tools
# trust anchor test/MicrosoftRootCertificateAuthority2011.crt.pem && update-ca-trust

# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
❌ Failed

## add certificate to system store manually
# cat test/MicrosoftRootCertificateAuthority2011.crt.pem /tmp/system.crt > /etc/ssl/certs/ca-certificates.crt

# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
❌ Failed

## just certificate to system store (manually)
# cat test/MicrosoftRootCertificateAuthority2011.crt.pem > /etc/ssl/certs/ca-certificates.crt

# ll /etc/ssl/certs/ca-certificates.crt 
lrwxrwxrwx 1 root root 49  5 sept.  2022 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem

# cat !$
cat /etc/ssl/certs/ca-certificates.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

# osslsigncode verify -ignore-timestamp -in test/msedge.exe
…
CAfile: /etc/ssl/certs/ca-certificates.crt
…
Number of verified signatures: 1
✅ Succeeded

regards, lacsaP.

mtrojnar commented 7 months ago

@patatetom How do you think osslsigncode should address this issue?

patatetom commented 7 months ago

@mtrojnar I don't know, maybe it's linked to the (lib)openssl version (3.2.0 for Archlinux and 3.0.2 for Ubuntu)... I'll do a few more tests after lunch.

patatetom commented 7 months ago

the problem arises from the presence of several certificates in the CAfile used (as in the system store /etc/ssl/certs/ca-certificates.crt) :

# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded

# (
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
) > test/test.pem

# cat test/test.pem 
# MicrosoftRootCertificateAuthority2011
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
…
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----

# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
✅ Succeeded

# (
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
echo "# MicrosoftRootCertificateAuthority2010"
cat test/MicrosoftRootCertificateAuthority2010.crt.pem
) > test/test.pem 

# cat test/test.pem 
# MicrosoftRootCertificateAuthority2011
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
…
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# MicrosoftRootCertificateAuthority2010
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQKMw6Jb+6RKxEmptYa0M5qjANBgkqhkiG9w0BAQsFADCB
…
ZIKRBBLgq28ey1AFYbRA/1mGcdHVM2l8qXOKONdkDPFp
-----END CERTIFICATE-----

# osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
❌ Failed