secana / PeNet

Portable Executable (PE) library written in .Net
Apache License 2.0

IsAuthenticodeSigned is true, but IsTrustedAuthenticodeSignature is false #288

Open BerndK opened 1 year ago

BerndK commented 1 year ago

I had problems when testing Authenticode; the issue is that IsTrustedAuthenticodeSignature is most times false (on my files). I was able to reproduce this with your test files (the firefox tests fail, 2 out of 5): see PeFileTest.cs - add the last line to also test IsTrustedAuthenticodeSignature (when using Explorer the signatures are reported as valid).

        [SkippableTheory]
        [InlineData(@"../../../Binaries/firefox_x86.exe", true)]
        [InlineData(@"../../../Binaries/firefox_x64.exe", true)]
        [InlineData(@"C:\Windows\System32\kernel32.dll", true)]
        [InlineData(@"C:\Windows\explorer.exe", true)]
        [InlineData(@"../../../Binaries/TLSCallback_x86.exe", false)]
        public void IsSigned_PathToSignedBinary_ReturnsSignedOrNot(string file, bool expected)
        {
            Skip.IfNot(RuntimeInformation.IsOSPlatform(OSPlatform.Windows));

            var peFile = new PeFile(file);
            Assert.Equal(expected, peFile.IsAuthenticodeSigned);
            Assert.Equal(expected, peFile.IsTrustedAuthenticodeSignature);
        }

Obviously signedCms.CheckSignature(true); fails.

Forgot to mention that I'm working on Windows, using .NET 7.
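Added example, not part of the thread and not PeNet's code: a stand-alone C# diagnostic that separates the CMS signature check mentioned in the report (`signedCms.CheckSignature(true)`) from certificate chain building, so the failing stage is visible. It assumes the `System.Security.Cryptography.Pkcs` package and a file path as the first argument; the class name `AuthenticodeDiag` and helper `ReadPkcs7` are hypothetical.

```csharp
// Added example: not PeNet code. Assumes the System.Security.Cryptography.Pkcs package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class AuthenticodeDiag
{
    // Reads the PKCS#7 blob from the first WIN_CERTIFICATE in the PE security directory.
    static byte[] ReadPkcs7(string path)
    {
        byte[] pe = File.ReadAllBytes(path);
        int nt = BitConverter.ToInt32(pe, 0x3C);              // e_lfanew
        int opt = nt + 24;                                     // optional header start
        bool pe32Plus = BitConverter.ToUInt16(pe, opt) == 0x20B;
        int secDir = opt + (pe32Plus ? 144 : 128);             // data directory index 4
        int offset = (int)BitConverter.ToUInt32(pe, secDir);   // file offset, not an RVA
        int size = (int)BitConverter.ToUInt32(pe, secDir + 4);
        if (offset == 0 || size <= 8 || offset + size > pe.Length)
            throw new InvalidDataException("No usable certificate table.");
        int length = (int)BitConverter.ToUInt32(pe, offset);   // WIN_CERTIFICATE.dwLength
        ushort type = BitConverter.ToUInt16(pe, offset + 6);   // wCertificateType
        if (type != 0x0002 || length <= 8 || length > size)
            throw new InvalidDataException("Not a PKCS#7 SignedData entry.");
        return pe.AsSpan(offset + 8, length - 8).ToArray();
    }

    static void Main(string[] args)
    {
        var cms = new SignedCms();
        cms.Decode(ReadPkcs7(args[0]));
        if (cms.SignerInfos.Count == 0) { Console.WriteLine("no signers"); return; }

        // Stage 1: does the CMS signature itself verify (no chain evaluation)?
        try { cms.CheckSignature(verifySignatureOnly: true); Console.WriteLine("CMS signature: OK"); }
        catch (CryptographicException e) { Console.WriteLine($"CMS signature: FAILED ({e.Message})"); }

        // Stage 2: does the signer certificate chain to a trusted root on this machine?
        X509Certificate2 signer = cms.SignerInfos[0].Certificate;
        using var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.AddRange(cms.Certificates);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the run offline
        bool trusted = chain.Build(signer);
        Console.WriteLine($"chain for {signer.Subject}: {(trusted ? "OK" : "FAILED")}");
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
    }
}
```

The example does not recompute the Authenticode file digest, and it evaluates the chain at the current time without considering a timestamp countersignature.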

BerndK commented 1 year ago

Update: This works on Framework 4.8, but not on .net 7.0! So it might still be the issue discussed here https://github.com/dotnet/runtime/issues/28252 !? If this is the case, I think it is hard to fix.

However, IsTrustedAuthenticodeSignature fails on both systems! Perhaps there is some additional info here: https://github.com/dotnet/runtime/issues/83478 or https://www.sysadmins.lv/blog-en/retrieve-timestamp-attribute-from-digital-signature.aspx, not sure.

Some suggestions: