Currently, if a binary is enrolled by hash in MokList or MokListX (or db/dbx/etc.) but is not signed, and its Data Directory is not padded out to the correct alignment, a different Authenticode hash is produced than would be produced for a signed binary.
This seems like an easy fix, but it isn't: padding it out ourselves would break existing entries, and in some cases that would un-ban an executable.
So we need to extend the Authenticode implementation to compute two hashes for comparison in this case, and also to compute both hashes on binaries that are correctly padded.
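As an added illustration (not shim's code and not part of the original issue), the following Python models the Authenticode PE hash walk together with a lookup that checks both hash variants against an allow list (MokList) and a deny list (MokListX). The padding rule is an assumption made for this example only: the "padded" variant zero-fills the data directory table to the full 16 entries, which is not necessarily the alignment rule shim applies. The PE32+ image is constructed inline and is not a real executable.

```python
import hashlib
import struct

FILE_ALIGN = 0x200
CERT_TABLE_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY
FULL_DIR_COUNT = 16    # assumed target of the "padded out" variant (see lead-in)


def build_pe(num_dirs):
    """Constructed minimal PE32+ image with one .text section (not a real program).
    num_dirs controls how many data directory entries the optional header carries."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE signature
    opt_size = 112 + 8 * num_dirs                        # PE32+ fixed part + directories
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)          # FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGN)          # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)          # CheckSum (skipped by the hash)
    struct.pack_into("<I", opt, 108, num_dirs)           # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(FILE_ALIGN, b"\0") + b"\x90" * 0x200  # section raw data


def authenticode_hash(pe):
    """SHA-256 over the Authenticode-defined byte ranges: headers minus CheckSum and
    the Certificate Table directory entry, then each section's raw data in file
    order, then any trailing data that is not the certificate table itself."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 108)[0]
    checksum = opt + 64
    h = hashlib.sha256()
    h.update(pe[:checksum])
    cert_off = cert_size = 0
    if ndirs > CERT_TABLE_INDEX:
        cert_entry = opt + 112 + 8 * CERT_TABLE_INDEX
        cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
        h.update(pe[checksum + 4:cert_entry])
        h.update(pe[cert_entry + 8:size_of_headers])
    else:  # short directory table: there is no Certificate Table entry to skip
        h.update(pe[checksum + 4:size_of_headers])
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # the Certificate Table entry holds a file offset; data before it is still hashed
    end = cert_off if cert_size else len(pe)
    if end > hashed:
        h.update(pe[hashed:end])
    return h.hexdigest()


def pad_data_directory(pe):
    """Assumed padding rule for this example only: zero-fill the directory table to
    FULL_DIR_COUNT entries, shifting the section headers into the header slack so
    that the file offsets of section data do not move."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    opt = coff + 20
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 108)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    if ndirs >= FULL_DIR_COUNT:
        return pe                                        # already padded: identical image
    pad = 8 * (FULL_DIR_COUNT - ndirs)
    if pe[size_of_headers - pad:size_of_headers] != b"\0" * pad:
        raise ValueError("not enough zero slack in the headers to pad in place")
    out = bytearray(pe[:opt + opt_size] + b"\0" * pad
                    + pe[opt + opt_size:size_of_headers - pad] + pe[size_of_headers:])
    struct.pack_into("<H", out, coff + 16, opt_size + pad)   # SizeOfOptionalHeader
    struct.pack_into("<I", out, opt + 108, FULL_DIR_COUNT)   # NumberOfRvaAndSizes
    return bytes(out)


def hash_variants(pe):
    """Both hashes to compare: the image as-is, and as it would hash once padded."""
    return {authenticode_hash(pe), authenticode_hash(pad_data_directory(pe))}


def is_allowed(pe, mok_list, mok_list_x):
    """Deny list wins: either variant matching MokListX blocks the binary, so an entry
    enrolled under the old hash keeps banning it; otherwise either variant in MokList allows."""
    variants = hash_variants(pe)
    if variants & mok_list_x:
        return False
    return bool(variants & mok_list)


if __name__ == "__main__":
    short, full = build_pe(5), build_pe(FULL_DIR_COUNT)
    print("short-table variants:", len(hash_variants(short)))   # 2
    print("full-table variants: ", len(hash_variants(full)))    # 1
    legacy_ban = {authenticode_hash(short)}                     # old-style MokListX entry
    print("still banned:", not is_allowed(short, set(), legacy_ban))   # True
```

The image with a short directory table yields two distinct hashes, the fully padded one yields a single hash, and because the deny list is consulted for both variants first, an executable banned under the old hash stays banned even if someone later enrolls its padded-style hash in MokList.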