mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

osslsigncode doesn't retrieve missing intermediate certificates #403

Closed. tyilo closed this issue 4 months ago.

tyilo commented 5 months ago

When validating the signature of an executable in Windows, Windows will automatically download missing intermediate certificates if needed and validate the binary.

osslsigncode verify will however only accept a binary if all the intermediate certificates are included in it.

Example

An exe is signed which only includes the leaf certificate and not the two intermediate certificates.

Windows will see the signature as valid by retrieving the intermediate certificate.

Before inspecting the exe: [image]

After inspecting the exe: [image]

Retrieved certificate path of exe: [image]

Here is the certificate used:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

And here are the two intermediate certificates:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGGjCCBAKgAwIBAgIQYh1tDFIBnjuQeRUgiSEcCjANBgkqhkiG9w0BAQwFADBW
MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQD
EyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgUm9vdCBSNDYwHhcNMjEwMzIy
MDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBUMQswCQYDVQQGEwJHQjEYMBYGA1UEChMP
U2VjdGlnbyBMaW1pdGVkMSswKQYDVQQDEyJTZWN0aWdvIFB1YmxpYyBDb2RlIFNp
Z25pbmcgQ0EgUjM2MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmyud
U/o1P45gBkNqwM/1f/bIU1MYyM7TbH78WAeVF3llMwsRHgBGRmxDeEDIArCS2VCo
Vk4Y/8j6stIkmYV5Gej4NgNjVQ4BYoDjGMwdjioXan1hlaGFt4Wk9vT0k2oWJMJj
L9G//N523hAm4jF4UjrW2pvv9+hdPX8tbbAfI3v0VdJiJPFy/7XwiunD7mBxNtec
M6ytIdUlh08T2z7mJEXZD9OWcJkZk5wDuf2q52PN43jc4T9OkoXZ0arWZVeffvMr
/iiIROSCzKoDmWABDRzV/UiQ5vqsaeFaqQdzFf4ed8peNWh1OaZXnYvZQgWx/SXi
JDRSAolRzZEZquE6cbcH747FHncs/Kzcn0Ccv2jrOW+LPmnOyB+tAfiWu01TPhCr
9VrkxsHC5qFNxaThTG5j4/Kc+ODD2dX/fmBECELcvzUHf9shoFvrn35XGf2RPaNT
O2uSZ6n9otv7jElspkfK9qEATHZcodp+R4q2OIypxR//YEb3fkDn3UayWW9bAgMB
AAGjggFkMIIBYDAfBgNVHSMEGDAWgBQy65Ka/zWWSC8oQEJwIDaRXBeF5jAdBgNV
HQ4EFgQUDyrLIIcouOxvSK4rVKYpqhekzQwwDgYDVR0PAQH/BAQDAgGGMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwGwYDVR0gBBQwEjAG
BgRVHSAAMAgGBmeBDAEEATBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsLnNl
Y3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ1Jvb3RSNDYuY3JsMHsG
CCsGAQUFBwEBBG8wbTBGBggrBgEFBQcwAoY6aHR0cDovL2NydC5zZWN0aWdvLmNv
bS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdSb290UjQ2LnA3YzAjBggrBgEFBQcw
AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wDQYJKoZIhvcNAQEMBQADggIBAAb/
guF3YzZue6EVIJsT/wT+mHVEYcNWlXHRkT+FoetAQLHI1uBy/YXKZDk8+Y1LoNqH
rp22AKMGxQtgCivnDHFyAQ9GXTmlk7MjcgQbDCx6mn7yIawsppWkvfPkKaAQsiqa
T9DnMWBHVNIabGqgQSGTrQWo43MOfsPynhbz2Hyxf5XWKZpRvr3dMapandPfYgoZ
8iDL2OR3sYztgJrbG6VZ9DoTXFm1g0Rf97Aaen1l4c+w3DC+IkwFkvjFV3jS49ZS
c4lShKK6BrPTJYs4NG1DGzmpToTnwoqZ8fAmi2XlZnuchC4NPSZaPATHvNIzt+z1
PHo35D/f7j2pO1S8BCysQDHCbM5Mnomnq5aYcKCsdbh0czchOm8bkinLrYrKpii+
Tk7pwL7TjRKLXkomm5D1Umds++pip8wH2cQpf93at3VDcOK4N7EwoIJB0kak6pSz
Eu4I64U6gZs7tS/dGNSljf2OSSnRr7KWzq03zl8l75jy+hOds9TWSenLbjBQUGR9
6cFr6lEUfAIEHVC1L68Y1GGxx4/eRI82ut83axHMViw1+sVpbPxg51Tbnio1lB93
079WPFnYaOvfGAA0e0zcfF/M9gXr+korwQTh2Prqooq2bYNMvUoUKD85gnJ+t0sm
rWrb8dee2CvYZXD5laGtaAxOfy/VKNmwuWuAh9kc
-----END CERTIFICATE-----

mtrojnar commented 5 months ago

> When validating the signature of an executable in Windows, Windows will automatically download missing intermediate certificates if needed and validate the binary.

Where will Windows download those certificates from?

tyilo commented 5 months ago

Leaf certificate:

$ openssl x509 -noout -text -in princh.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:bb:b8:c1:d2:ba:7e:2f:ae:8b:c0:70:41:03:e0:ff
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36
        Validity
            Not Before: May 14 00:00:00 2024 GMT
            Not After : May 14 23:59:59 2027 GMT
        Subject: C=DK, ST=Midtjylland, O=Princh A/S, CN=Princh A/S
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ad:e0:4b:b8:7c:a9:50:15:af:d2:d2:72:5f:d0:
                    98:d4:01:94:71:fb:7a:ee:1b:ea:55:c2:4b:18:b8:
                    d7:7b:e1:dc:98:fd:b5:0e:59:47:4a:13:51:b1:a8:
                    b9:c4:55:52:55:7e:0e:79:3c:a9:0f:6c:55:2f:37:
                    db:43:d5:cb:61:d0:3f:53:6e:0a:68:d3:4d:2a:0b:
                    fd:a9:ef:e3:d5:5a:fe:83:c0:4c:3a:57:0b:2e:78:
                    da:d7:62:27:48:35:25:2b:1a:00:07:c7:11:e0:04:
                    77:07:2d:0d:a6:73:b2:75:54:33:71:7c:e2:fb:c9:
                    7d:c2:2f:4b:96:fc:48:15:9d:81:60:3c:e0:8e:01:
                    ac:0e:3d:ea:6c:71:3c:c1:33:e0:87:5d:30:74:7c:
                    80:b7:7d:08:94:83:ad:f6:05:bd:4b:d9:2e:4a:1d:
                    03:51:65:a7:0b:4b:66:c8:2b:de:bc:6b:4b:94:3f:
                    22:48:ed:f6:f5:23:2d:82:8b:fb:03:43:ca:f4:7c:
                    13:23:a4:8a:06:c7:b2:ba:0b:9e:2c:52:e1:da:1f:
                    90:e4:9b:a3:32:2d:4d:5c:78:89:f4:2e:86:fa:d4:
                    3f:ff:93:15:a2:8f:d3:5a:13:1f:1f:7d:ee:ee:65:
                    ee:e9:5d:2b:b2:da:dc:b7:7b:cc:53:64:98:f1:4c:
                    24:3c:96:77:d8:99:03:cf:cc:02:64:98:2e:e8:c3:
                    43:27:aa:fb:b9:41:55:ef:5f:fb:3c:14:b2:80:72:
                    1b:5b:14:a0:00:f6:ac:e8:04:5e:3a:3d:bb:5b:ef:
                    ab:2c:0d:00:4d:39:48:4c:b9:df:bd:e3:2e:3e:c9:
                    08:91:b3:20:46:87:15:c6:67:a9:26:68:aa:2b:a6:
                    aa:1b:a7:c6:b3:31:40:e0:62:c4:32:71:1c:a2:29:
                    aa:31:57:0d:67:6e:49:39:d0:da:a0:67:72:d5:db:
                    7e:2e:68:25:eb:0b:29:18:d9:f1:1a:54:4c:1f:e0:
                    85:fa:94:78:a0:68:04:1e:14:6b:e0:33:35:71:b7:
                    ea:37:62:0a:6c:0c:5c:dc:f9:d6:3d:0d:dd:35:3e:
                    39:82:ed:4b:d2:ad:98:70:d4:36:d8:d3:3e:5a:51:
                    a3:60:a0:ef:bd:96:fb:71:ff:21:b6:e1:10:91:a6:
                    8e:48:8a:e2:41:fb:8e:cc:8a:05:de:0e:98:46:9a:
                    7e:62:9f:4b:c2:d9:97:98:59:72:e0:ba:d3:48:91:
                    95:ff:ac:da:70:fa:a5:71:41:39:d1:5a:81:93:ac:
                    66:75:7a:f9:d9:b4:34:e7:7d:9d:96:b8:31:0c:12:
                    c0:4c:56:ff:e9:99:89:52:ea:4f:35:60:bd:3c:7c:
                    7d:c3:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                0F:2A:CB:20:87:28:B8:EC:6F:48:AE:2B:54:A6:29:AA:17:A4:CD:0C
            X509v3 Subject Key Identifier: 
                FF:9D:D5:D5:5E:35:A9:16:16:77:75:DF:44:F4:31:3E:99:C5:9C:B3
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.3.2
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.4.1
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
            Authority Information Access: 
                CA Issuers - URI:http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
                OCSP - URI:http://ocsp.sectigo.com
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        57:81:f3:ec:61:9b:9f:92:46:cb:3d:91:33:99:33:ec:3c:5c:
        38:fa:0e:e7:96:32:42:c9:70:46:39:5f:d4:0c:75:5c:44:4a:
        77:c3:68:1c:7f:3f:dc:bb:2e:9e:7b:79:3d:ea:31:88:f0:cc:
        86:c5:ea:fc:ea:3f:1d:ea:1f:b3:8f:fb:7f:75:9a:52:d8:df:
        ae:65:3c:24:fc:ff:84:b7:21:a8:15:02:d3:48:1d:4f:67:e9:
        c4:9d:f7:81:df:ae:b2:59:a7:45:b6:d5:68:c8:a4:18:c2:be:
        28:cb:d2:1d:9d:34:98:03:22:17:80:3d:27:59:f4:2c:49:7a:
        81:ab:7b:c9:3a:05:f2:ff:20:08:58:99:2d:51:2c:56:9c:6b:
        17:48:d0:95:77:f0:51:b5:fa:d6:d0:74:46:06:8e:1b:28:d5:
        ea:3e:4d:0c:99:95:8c:2c:64:39:6a:4a:36:db:59:75:50:6a:
        1d:31:9a:8c:ee:03:04:b0:58:78:e9:9c:1a:6d:75:e3:60:cb:
        6d:7f:45:1f:fb:90:53:b1:af:50:07:f9:6b:e8:d1:44:d1:f1:
        c1:7c:f7:20:a0:b4:32:b2:02:f6:39:0e:d6:22:74:df:b1:ef:
        d5:e8:65:ce:5a:84:6b:9c:bf:86:fb:c0:62:35:9b:4e:62:af:
        7b:47:7b:9c:56:a1:8d:9d:a9:3a:3b:72:f1:27:aa:88:d1:6f:
        7f:0d:fc:1b:11:ea:8f:ae:8b:6e:13:68:1b:50:e9:13:80:cb:
        35:c0:e7:e1:5a:6f:88:64:24:51:f0:49:27:85:c8:e9:10:73:
        39:29:c7:f6:10:18:1a:91:4d:27:1c:bb:51:04:04:08:ab:16:
        05:a9:91:8a:a0:fe:d8:f3:af:3c:00:f2:91:2b:0a:fd:4d:b7:
        c7:72:6f:ce:a8:25:30:e9:63:92:1b:a1:f1:75:99:d1:6b:e8:
        0d:69:06:b7:fa:2f:93:7d:51:3b:a3:d5:c1:14:98:9c:f4:3a:
        4c:98:36:6b:52:ac

After downloading http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt:

$ openssl x509 -noout -text -in SectigoPublicCodeSigningCAR36.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46
        Validity
            Not Before: Mar 22 00:00:00 2021 GMT
            Not After : Mar 21 23:59:59 2036 GMT
        Subject: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:9b:2b:9d:53:fa:35:3f:8e:60:06:43:6a:c0:cf:
                    f5:7f:f6:c8:53:53:18:c8:ce:d3:6c:7e:fc:58:07:
                    95:17:79:65:33:0b:11:1e:00:46:46:6c:43:78:40:
                    c8:02:b0:92:d9:50:a8:56:4e:18:ff:c8:fa:b2:d2:
                    24:99:85:79:19:e8:f8:36:03:63:55:0e:01:62:80:
                    e3:18:cc:1d:8e:2a:17:6a:7d:61:95:a1:85:b7:85:
                    a4:f6:f4:f4:93:6a:16:24:c2:63:2f:d1:bf:fc:de:
                    76:de:10:26:e2:31:78:52:3a:d6:da:9b:ef:f7:e8:
                    5d:3d:7f:2d:6d:b0:1f:23:7b:f4:55:d2:62:24:f1:
                    72:ff:b5:f0:8a:e9:c3:ee:60:71:36:d7:9c:33:ac:
                    ad:21:d5:25:87:4f:13:db:3e:e6:24:45:d9:0f:d3:
                    96:70:99:19:93:9c:03:b9:fd:aa:e7:63:cd:e3:78:
                    dc:e1:3f:4e:92:85:d9:d1:aa:d6:65:57:9f:7e:f3:
                    2b:fe:28:88:44:e4:82:cc:aa:03:99:60:01:0d:1c:
                    d5:fd:48:90:e6:fa:ac:69:e1:5a:a9:07:73:15:fe:
                    1e:77:ca:5e:35:68:75:39:a6:57:9d:8b:d9:42:05:
                    b1:fd:25:e2:24:34:52:02:89:51:cd:91:19:aa:e1:
                    3a:71:b7:07:ef:8e:c5:1e:77:2c:fc:ac:dc:9f:40:
                    9c:bf:68:eb:39:6f:8b:3e:69:ce:c8:1f:ad:01:f8:
                    96:bb:4d:53:3e:10:ab:f5:5a:e4:c6:c1:c2:e6:a1:
                    4d:c5:a4:e1:4c:6e:63:e3:f2:9c:f8:e0:c3:d9:d5:
                    ff:7e:60:44:08:42:dc:bf:35:07:7f:db:21:a0:5b:
                    eb:9f:7e:57:19:fd:91:3d:a3:53:3b:6b:92:67:a9:
                    fd:a2:db:fb:8c:49:6c:a6:47:ca:f6:a1:00:4c:76:
                    5c:a1:da:7e:47:8a:b6:38:8c:a9:c5:1f:ff:60:46:
                    f7:7e:40:e7:dd:46:b2:59:6f:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                32:EB:92:9A:FF:35:96:48:2F:28:40:42:70:20:36:91:5C:17:85:E6
            X509v3 Subject Key Identifier: 
                0F:2A:CB:20:87:28:B8:EC:6F:48:AE:2B:54:A6:29:AA:17:A4:CD:0C
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy
                Policy: 2.23.140.1.4.1
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
            Authority Information Access: 
                CA Issuers - URI:http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
                OCSP - URI:http://ocsp.sectigo.com
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        06:ff:82:e1:77:63:36:6e:7b:a1:15:20:9b:13:ff:04:fe:98:
        75:44:61:c3:56:95:71:d1:91:3f:85:a1:eb:40:40:b1:c8:d6:
        e0:72:fd:85:ca:64:39:3c:f9:8d:4b:a0:da:87:ae:9d:b6:00:
        a3:06:c5:0b:60:0a:2b:e7:0c:71:72:01:0f:46:5d:39:a5:93:
        b3:23:72:04:1b:0c:2c:7a:9a:7e:f2:21:ac:2c:a6:95:a4:bd:
        f3:e4:29:a0:10:b2:2a:9a:4f:d0:e7:31:60:47:54:d2:1a:6c:
        6a:a0:41:21:93:ad:05:a8:e3:73:0e:7e:c3:f2:9e:16:f3:d8:
        7c:b1:7f:95:d6:29:9a:51:be:bd:dd:31:aa:5a:9d:d3:df:62:
        0a:19:f2:20:cb:d8:e4:77:b1:8c:ed:80:9a:db:1b:a5:59:f4:
        3a:13:5c:59:b5:83:44:5f:f7:b0:1a:7a:7d:65:e1:cf:b0:dc:
        30:be:22:4c:05:92:f8:c5:57:78:d2:e3:d6:52:73:89:52:84:
        a2:ba:06:b3:d3:25:8b:38:34:6d:43:1b:39:a9:4e:84:e7:c2:
        8a:99:f1:f0:26:8b:65:e5:66:7b:9c:84:2e:0d:3d:26:5a:3c:
        04:c7:bc:d2:33:b7:ec:f5:3c:7a:37:e4:3f:df:ee:3d:a9:3b:
        54:bc:04:2c:ac:40:31:c2:6c:ce:4c:9e:89:a7:ab:96:98:70:
        a0:ac:75:b8:74:73:37:21:3a:6f:1b:92:29:cb:ad:8a:ca:a6:
        28:be:4e:4e:e9:c0:be:d3:8d:12:8b:5e:4a:26:9b:90:f5:52:
        67:6c:fb:ea:62:a7:cc:07:d9:c4:29:7f:dd:da:b7:75:43:70:
        e2:b8:37:b1:30:a0:82:41:d2:46:a4:ea:94:b3:12:ee:08:eb:
        85:3a:81:9b:3b:b5:2f:dd:18:d4:a5:8d:fd:8e:49:29:d1:af:
        b2:96:ce:ad:37:ce:5f:25:ef:98:f2:fa:13:9d:b3:d4:d6:49:
        e9:cb:6e:30:50:50:64:7d:e9:c1:6b:ea:51:14:7c:02:04:1d:
        50:b5:2f:af:18:d4:61:b1:c7:8f:de:44:8f:36:ba:df:37:6b:
        11:cc:56:2c:35:fa:c5:69:6c:fc:60:e7:54:db:9e:2a:35:94:
        1f:77:d3:bf:56:3c:59:d8:68:eb:df:18:00:34:7b:4c:dc:7c:
        5f:cc:f6:05:eb:fa:4a:2b:c1:04:e1:d8:fa:ea:a2:8a:b6:6d:
        83:4c:bd:4a:14:28:3f:39:82:72:7e:b7:4b:26:ad:6a:db:f1:
        d7:9e:d8:2b:d8:65:70:f9:95:a1:ad:68:0c:4e:7f:2f:d5:28:
        d9:b0:b9:6b:80:87:d9:1c

I then don't know what to do with http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
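
The thread above establishes the mechanism: the leaf names its issuer's certificate in the Authority Information Access (caIssuers) extension, the intermediate in turn points at the root's bundle, and Windows walks that chain while osslsigncode only sees what is embedded in the binary. The following is an added example, not code from osslsigncode or from anyone in this thread. It parses the Sectigo Public Code Signing CA R36 intermediate pasted earlier in this issue (stdlib only, a small hand-written DER walker), pulls out the Subject/Authority Key Identifiers and the caIssuers URI, and reports which issuer is missing from a given set of certificates. It is deliberately offline: it reports what Windows would fetch and from where, it does not fetch anything. OIDs are from RFC 5280; the function and field names are this example's own.

```python
import base64
import re

# Sectigo Public Code Signing CA R36 intermediate, copied from the PEM posted
# earlier in this issue; it is the sample input for the checker below.
R36_PEM = """-----BEGIN CERTIFICATE-----
MIIGGjCCBAKgAwIBAgIQYh1tDFIBnjuQeRUgiSEcCjANBgkqhkiG9w0BAQwFADBW
MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQD
EyRTZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgUm9vdCBSNDYwHhcNMjEwMzIy
MDAwMDAwWhcNMzYwMzIxMjM1OTU5WjBUMQswCQYDVQQGEwJHQjEYMBYGA1UEChMP
U2VjdGlnbyBMaW1pdGVkMSswKQYDVQQDEyJTZWN0aWdvIFB1YmxpYyBDb2RlIFNp
Z25pbmcgQ0EgUjM2MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmyud
U/o1P45gBkNqwM/1f/bIU1MYyM7TbH78WAeVF3llMwsRHgBGRmxDeEDIArCS2VCo
Vk4Y/8j6stIkmYV5Gej4NgNjVQ4BYoDjGMwdjioXan1hlaGFt4Wk9vT0k2oWJMJj
L9G//N523hAm4jF4UjrW2pvv9+hdPX8tbbAfI3v0VdJiJPFy/7XwiunD7mBxNtec
M6ytIdUlh08T2z7mJEXZD9OWcJkZk5wDuf2q52PN43jc4T9OkoXZ0arWZVeffvMr
/iiIROSCzKoDmWABDRzV/UiQ5vqsaeFaqQdzFf4ed8peNWh1OaZXnYvZQgWx/SXi
JDRSAolRzZEZquE6cbcH747FHncs/Kzcn0Ccv2jrOW+LPmnOyB+tAfiWu01TPhCr
9VrkxsHC5qFNxaThTG5j4/Kc+ODD2dX/fmBECELcvzUHf9shoFvrn35XGf2RPaNT
O2uSZ6n9otv7jElspkfK9qEATHZcodp+R4q2OIypxR//YEb3fkDn3UayWW9bAgMB
AAGjggFkMIIBYDAfBgNVHSMEGDAWgBQy65Ka/zWWSC8oQEJwIDaRXBeF5jAdBgNV
HQ4EFgQUDyrLIIcouOxvSK4rVKYpqhekzQwwDgYDVR0PAQH/BAQDAgGGMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwGwYDVR0gBBQwEjAG
BgRVHSAAMAgGBmeBDAEEATBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsLnNl
Y3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ1Jvb3RSNDYuY3JsMHsG
CCsGAQUFBwEBBG8wbTBGBggrBgEFBQcwAoY6aHR0cDovL2NydC5zZWN0aWdvLmNv
bS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdSb290UjQ2LnA3YzAjBggrBgEFBQcw
AYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wDQYJKoZIhvcNAQEMBQADggIBAAb/
guF3YzZue6EVIJsT/wT+mHVEYcNWlXHRkT+FoetAQLHI1uBy/YXKZDk8+Y1LoNqH
rp22AKMGxQtgCivnDHFyAQ9GXTmlk7MjcgQbDCx6mn7yIawsppWkvfPkKaAQsiqa
T9DnMWBHVNIabGqgQSGTrQWo43MOfsPynhbz2Hyxf5XWKZpRvr3dMapandPfYgoZ
8iDL2OR3sYztgJrbG6VZ9DoTXFm1g0Rf97Aaen1l4c+w3DC+IkwFkvjFV3jS49ZS
c4lShKK6BrPTJYs4NG1DGzmpToTnwoqZ8fAmi2XlZnuchC4NPSZaPATHvNIzt+z1
PHo35D/f7j2pO1S8BCysQDHCbM5Mnomnq5aYcKCsdbh0czchOm8bkinLrYrKpii+
Tk7pwL7TjRKLXkomm5D1Umds++pip8wH2cQpf93at3VDcOK4N7EwoIJB0kak6pSz
Eu4I64U6gZs7tS/dGNSljf2OSSnRr7KWzq03zl8l75jy+hOds9TWSenLbjBQUGR9
6cFr6lEUfAIEHVC1L68Y1GGxx4/eRI82ut83axHMViw1+sVpbPxg51Tbnio1lB93
079WPFnYaOvfGAA0e0zcfF/M9gXr+korwQTh2Prqooq2bYNMvUoUKD85gnJ+t0sm
rWrb8dee2CvYZXD5laGtaAxOfy/VKNmwuWuAh9kc
-----END CERTIFICATE-----"""

# Object identifiers from RFC 5280 that the checker needs.
OID_SKI = "2.5.29.14"            # subjectKeyIdentifier
OID_AKI = "2.5.29.35"            # authorityKeyIdentifier
OID_AIA = "1.3.6.1.5.5.7.1.1"    # authorityInfoAccess
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def load_pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM string."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def key_id(raw):
    """Format a key identifier the way openssl x509 -text prints it."""
    return ":".join(f"{b:02X}" for b in raw)


def cert_info(der):
    """Extract SKI, AKI and the AIA caIssuers URIs from one DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    tbs = children(cert)[0][1]
    ext_wrapper = next(v for t, v in children(tbs) if t == 0xA3)   # [3] EXPLICIT Extensions
    info = {"ski": None, "aki": None, "ca_issuers": []}
    for _, ext in children(children(ext_wrapper)[0][1]):
        parts = children(ext)                 # extnID, [critical], extnValue
        oid, value = decode_oid(parts[0][1]), parts[-1][1]
        if oid == OID_SKI:
            info["ski"] = key_id(children(value)[0][1])
        elif oid == OID_AKI:
            for t, v in children(children(value)[0][1]):
                if t == 0x80:                 # [0] keyIdentifier
                    info["aki"] = key_id(v)
        elif oid == OID_AIA:
            for _, ad in children(children(value)[0][1]):
                (_, method), (loc_tag, loc) = children(ad)
                if decode_oid(method) == OID_CA_ISSUERS and loc_tag == 0x86:  # [6] URI
                    info["ca_issuers"].append(loc.decode("ascii"))
    return info


def chain_gaps(certs):
    """Return one entry per certificate whose issuer is not among `certs`.

    Each gap is what Windows would fill by fetching the caIssuers URL and what
    osslsigncode verify reports as an invalid (incomplete) chain.
    """
    infos = [cert_info(der) for der in certs]
    present = {i["ski"] for i in infos}
    gaps = []
    for i in infos:
        if i["aki"] is None or i["aki"] == i["ski"]:   # self-signed root: nothing to chase
            continue
        if i["aki"] not in present:
            gaps.append({"subject_ski": i["ski"], "missing_issuer_ski": i["aki"],
                         "fetch_from": i["ca_issuers"]})
    return gaps


if __name__ == "__main__":
    for gap in chain_gaps(load_pem_certs(R36_PEM)):
        print(f"issuer {gap['missing_issuer_ski']} missing; caIssuers: {gap['fetch_from']}")
```

Run against the single R36 certificate it reports one gap: the issuer with key identifier 32:EB:…:85:E6 (the Root R46) is absent, and the caIssuers URI is the .p7c file mentioned just above. A .p7c is a DER-encoded PKCS#7 certificate bundle, so `openssl pkcs7 -inform DER -in SectigoPublicCodeSigningRootR46.p7c -print_certs` lists the certificates inside it; append those and the leaf to the input and `chain_gaps` returns an empty list once every issuer is present. Running the same check over the certificates osslsigncode extracts from a binary tells you, before the signature fails to verify, whether the signer embedded the full chain.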

mtrojnar commented 4 months ago

Are you saying osslsigncode should download missing intermediate certificates from http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt?

Honestly, missing intermediate certificates cause an invalid signature, and IMHO osslsigncode should report it as such.

tyilo commented 4 months ago

> Are you saying osslsigncode should download missing intermediate certificates from http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt?

If the goal of osslsigncode verify is to be as compatible with Windows as possible then yes.

> Honestly, missing intermediate certificates cause an invalid signature, and IMHO osslsigncode should report it as such.

It seems like Windows disagrees with this.

mtrojnar commented 4 months ago

Replicating the behavior of Windows is not a goal of this project. If you need the exact behavior of Windows then feel free to use Windows instead.

tyilo commented 4 months ago

> Replicating the behavior of Windows is not a goal of this project. If you need the exact behavior of Windows then feel free to use Windows instead.

Fair enough :+1: