Open palkoc opened 1 year ago
The official response from Microsoft is that this file is signed via catalog.
Do you have any more details on what that means? Is it related to this: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
Yes, this is what I learned yesterday, but I haven't had a chance to examine the Windows directory for the .cat file yet...
Ralph, I've done some research:
\Windows\system32\CatRoot
sigcheck from Sysinternals that tells you the digital signature catalog location (if it exists) for a given binary.
PS C:\Users\aa> sigcheck -i 'C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe'
Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\program files\common files\microsoft shared\msinfo\msinfo32.exe:
Verified: Signed
Link date: 3:34 20. 6. 1911
Signing date: 4:34 16. 4. 2023
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package05~31bf3856ad364e35~amd64~~10.0.22621.1635.cat
Signers:
Microsoft Windows
Cert Status: Valid
Valid Usage: NT5 Crypto, Code Signing
Cert Issuer: Microsoft Windows Production PCA 2011
Serial Number: 33 00 00 04 13 31 BC 19 88 07 A9 07 74 00 00 00 00 04 13
Thumbprint: 58FD671E2D4D200CE92D6E799EC70DF96E6D2664
Algorithm: sha256RSA
Valid from: 2:05 3. 2. 2023
Valid to: 2:05 1. 2. 2024
Microsoft Windows Production PCA 2011
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 61 07 76 56 00 00 00 00 00 08
Thumbprint: 580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D
Algorithm: sha256RSA
Valid from: 20:41 19. 10. 2011
Valid to: 20:51 19. 10. 2026
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 23:57 23. 6. 2010
Valid to: 0:04 24. 6. 2035
Counter Signers:
Microsoft Time-Stamp Service
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Time-Stamp PCA 2010
Serial Number: 33 00 00 01 B4 FB 80 08 44 05 D2 2D FA 00 01 00 00 01 B4
Thumbprint: 659CD890F39B97F6737829126DFE01E4271E0908
Algorithm: sha256RSA
Valid from: 22:22 20. 9. 2022
Valid to: 22:22 14. 12. 2023
Microsoft Time-Stamp PCA 2010
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 33 00 00 00 15 C5 E7 6B 9E 02 9B 49 99 00 00 00 00 00 15
Thumbprint: 36056A5662DCADECF82CC14C8B80EC5E0BCC59A6
Algorithm: sha256RSA
Valid from: 20:22 30. 9. 2021
Valid to: 20:32 30. 9. 2030
Microsoft Root Certificate Authority 2010
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Root Certificate Authority 2010
Serial Number: 28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
Thumbprint: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Algorithm: sha256RSA
Valid from: 23:57 23. 6. 2010
Valid to: 0:04 24. 6. 2035
Company: Microsoft Corporation
Description: System Information
Product: Microsoft« Windows« Operating System
Prod version: 10.0.22621.1635
File version: 10.0.22621.1635 (WinBuild.160101.0800)
MachineType: 64-bit
PS C:\Users\A9381774>
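The `Catalog:` line in the sigcheck output above is what separates a catalog-signed file from one with an embedded signature. As an added example (not code from this thread or from Signify), the Python parser below reads one `sigcheck -i` record and classifies the signature source; it assumes sigcheck reports the file's own path in `Catalog:` when the signature is embedded, and the function names are hypothetical.

```python
import ntpath

# Sample trimmed from the sigcheck -i output quoted in this thread (indentation lost).
SAMPLE = r"""Sigcheck v2.90 - File version and signature viewer
c:\program files\common files\microsoft shared\msinfo\msinfo32.exe:
Verified: Signed
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package05~31bf3856ad364e35~amd64~~10.0.22621.1635.cat
Signers:
Microsoft Windows
Cert Status: Valid
Thumbprint: 58FD671E2D4D200CE92D6E799EC70DF96E6D2664
Counter Signers:
Microsoft Time-Stamp Service
Company: Microsoft Corporation
"""

# Field names that belong to a certificate entry rather than to the file itself.
CERT_KEYS = {"Cert Status", "Valid Usage", "Cert Issuer", "Serial Number",
             "Thumbprint", "Algorithm", "Valid from", "Valid to"}

def parse_sigcheck(text):
    """Parse one file record of `sigcheck -i` output without relying on indentation."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The record starts at the "<path>:" line; banner lines before it are skipped.
    start = next(i for i, ln in enumerate(lines) if ln.endswith(":") and "\\" in ln)
    rec = {"file": lines[start][:-1], "signers": [], "countersigners": []}
    chain = cert = None
    for ln in lines[start + 1:]:
        key, sep, val = (part.strip() for part in ln.partition(":"))
        if ln in ("Signers:", "Counter Signers:"):
            chain, cert = rec["signers" if ln == "Signers:" else "countersigners"], None
        elif not sep and chain is not None:       # bare line = certificate subject
            cert = {"Subject": ln}
            chain.append(cert)
        elif sep and key in CERT_KEYS and cert is not None:
            cert[key] = val
        elif sep:                                 # file-level field ends any chain
            rec[key] = val
            chain = cert = None
    return rec

def signature_source(rec):
    """Return 'catalog', 'embedded', 'unverified' or 'unknown' for a parsed record."""
    if rec.get("Verified") != "Signed":
        return "unverified"
    cat = rec.get("Catalog", "")
    # Assumption: for an embedded signature, Catalog: names the file itself.
    if ntpath.normcase(cat) == ntpath.normcase(rec["file"]):
        return "embedded"
    return "catalog" if cat.lower().endswith(".cat") else "unknown"
```

A file that comes back as `catalog` carries no signature of its own, so a verifier given only that file also needs the `.cat` named in the record.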
Thanks for figuring this out. This will need to be a new feature to identify the required file and provide it.
Validation with Get-AuthenticodeSignature:
Signify:
The reality is that there's no "Digital Signature" tab in the file Properties of this file, yet Get-AuthenticodeSignature declares a valid signature...:
Sample file attached below. sample.zip