When Microsoft certificates (MicrosoftRootCertificateAuthorityPCA2010.pem) are not installed on the system and I check with osslsigncode a time-stamped / expired Microsoft binary (memtest.exe), I naturally get a "certificate has expired" error with the option -ignore-timestamp:
```
# osslsigncode verify -in memtest.exe -CAfile MicrosoftRootCertificateAuthorityPCA2010.pem -ignore-timestamp
PE checksum : 001049D4
Message digest algorithm : SHA256
Current message digest : BDE7BD492B52C23E35BC4855B6791F70DA13515050C4947B4F81E8FE5DE832C5
Calculated message digest : BDE7BD492B52C23E35BC4855B6791F70DA13515050C4947B4F81E8FE5DE832C5
Signature Index: 0 (Primary Signature)
Signer's certificate:
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Serial : 330000038DB0BFE1B0CA33B3D400000000038D
Certificate expiration date:
notBefore : May 5 19:23:15 2022 GMT
notAfter : May 4 19:23:15 2023 GMT
Number of certificates: 2
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Serial : 330000038DB0BFE1B0CA33B3D400000000038D
Certificate expiration date:
notBefore : May 5 19:23:15 2022 GMT
notAfter : May 4 19:23:15 2023 GMT
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Serial : 61077656000000000008
Certificate expiration date:
notBefore : Oct 19 18:41:42 2011 GMT
notAfter : Oct 19 18:51:42 2026 GMT
Message digest algorithm: SHA256
Authenticated attributes:
Microsoft Individual Code Signing purpose
Message digest: FB96762163716A51EA5E3C817861A07219482F9B8E7B1FC6058312B953B69407
URL description: http://www.microsoft.com/windows
Text description: Microsoft Windows
The signature is timestamped: Aug 11 04:31:44 2022 GMT
Hash Algorithm: sha256
Timestamp Verified by:
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
Serial : 33000001A0E9BB8CBB0EA2D17A0001000001A0
CAfile: MicrosoftRootCertificateAuthorityPCA2010.pem
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
Timestamp Server Signature verification is disabled
PKCS7_verify error
004EC755F37F0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:293:Verify error: certificate has expired
Signature verification: failed
Number of verified signatures: 1
Failed
```
According to osslsigncode, the timestamp was issued by Microsoft Time-Stamp PCA 2010, but I couldn't find the corresponding certificate on the Internet.
After a few tries, I finally succeeded in verifying using -TSA-CAfile MicrosoftRootCertificateAuthorityPCA2010.pem: how do I know which TSA-CAfile to provide?
regards, lacsaP.
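As an added illustration (not part of the original post and not osslsigncode's own code), this Python example parses the report lines quoted above and checks each chain certificate's validity window at the timestamped signing time and at a later date, which is the difference between honouring and ignoring the timestamp. It compares dates only and verifies no signatures; `LATER` is a constructed evaluation date and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Lines copied from the osslsigncode report in the post (chain certs + timestamp).
REPORT = """\
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Certificate expiration date:
notBefore : May 5 19:23:15 2022 GMT
notAfter : May 4 19:23:15 2023 GMT
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Certificate expiration date:
notBefore : Oct 19 18:41:42 2011 GMT
notAfter : Oct 19 18:51:42 2026 GMT
The signature is timestamped: Aug 11 04:31:44 2022 GMT
"""

# Constructed date standing in for "now" when the timestamp is ignored.
LATER = datetime(2024, 1, 1, tzinfo=timezone.utc)

CERT_RE = re.compile(
    r"Subject: (.+)\n(?:.*\n)*?\s*notBefore : (.+)\n\s*notAfter : (.+)")

def parse_time(text):
    """Parse the OpenSSL-style 'May 5 19:23:15 2022 GMT' date format."""
    parsed = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def certificates(report):
    """Map each certificate's CN to its (notBefore, notAfter) window."""
    certs = {}
    for subject, not_before, not_after in CERT_RE.findall(report):
        cn = subject.rsplit("CN=", 1)[-1].strip()
        certs[cn] = (parse_time(not_before), parse_time(not_after))
    return certs

def signing_time(report):
    """Return the timestamped signing time, or None if not timestamped."""
    match = re.search(r"The signature is timestamped: (.+)", report)
    return parse_time(match.group(1)) if match else None

def outside_validity(report, when):
    """List the CNs of chain certificates that are not valid at `when`."""
    return [cn for cn, (start, end) in certificates(report).items()
            if not start <= when <= end]
```
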