trailofbits / uthenticode

A cross-platform library for verifying Authenticode signatures
https://trailofbits.github.io/uthenticode/
MIT License

Add an API for full-chain verification #42

Open woodruffw opened 3 years ago

woodruffw commented 3 years ago

We'll never support verification against the trusted publishers store, but we could support verification against a particular user-supplied certificate. That way, users could at least do full-chain verification of binaries that they control.
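
As an added illustration of the full-chain check described above (example code, not uthenticode's own, and written in Go rather than the library's C++ so it runs with only the standard library): it generates a throwaway root and a signer issued by it, then verifies the signer against that single user-supplied root with a code-signing EKU requirement, evaluated either at a counter-signature time or at the present. The certificate names, serials and dates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Deterministic reference times for the scenarios (constructed values).
var (
	leafNotBefore = time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	leafNotAfter  = time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	timestampTime = time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC) // counter-signature time
	muchLater     = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC) // "now" for an untimestamped check
)

// ca is a throwaway issuing authority: its certificate plus the private key that signs leaves.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot generates a self-signed CA (constructed test root, not a real Microsoft root).
func newRoot(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             leafNotBefore.AddDate(-1, 0, 0),
		NotAfter:              leafNotBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// issueLeaf signs an end-entity certificate carrying the given EKUs (constructed signer).
func (c *ca) issueLeaf(eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Signer (constructed)"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCodeSigningChain checks that signer chains to trustedRoot (and only to it), that
// every certificate in the chain permits code signing, and that the chain was valid at
// `at`. For a timestamped Authenticode signature `at` is the counter-signature time; for
// an untimestamped one it is the present, which is why an expired signer fails then.
func VerifyCodeSigningChain(signer, trustedRoot *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// RunScenarios exercises the check; a true value means the chain verified.
func RunScenarios() (map[string]bool, error) {
	root, err := newRoot("User-Supplied Root (constructed)")
	if err != nil {
		return nil, err
	}
	other, err := newRoot("Unrelated Root (constructed)")
	if err != nil {
		return nil, err
	}
	signer, err := root.issueLeaf([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	if err != nil {
		return nil, err
	}
	tlsOnly, err := root.issueLeaf([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"valid at timestamp time":     VerifyCodeSigningChain(signer, root.cert, timestampTime) == nil,
		"expired, no timestamp":       VerifyCodeSigningChain(signer, root.cert, muchLater) == nil,
		"wrong EKU (TLS server cert)": VerifyCodeSigningChain(tlsOnly, root.cert, timestampTime) == nil,
		"chains to a different root":  VerifyCodeSigningChain(signer, other.cert, timestampTime) == nil,
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-30s verified=%v\n", name, ok)
	}
}
```

Only the supplied root is in the pool, so the system store is never consulted; that is the "binaries that they control" case. The `CurrentTime` argument is what lets a verifier honour a counter-signature: the same signer passes at the timestamp time and fails once its certificate has expired and no timestamp is present.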

woodruffw commented 1 year ago

Thinking about this more, maybe we could support verification against the trusted publishers store: we could have another repo that automatically extracts it from a GitHub Actions Windows runner on a periodic basis, and then consume that repo's output here.

woodruffw commented 1 year ago

This looks like the right URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

And maybe this for revocations: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

(Maybe. It might be for an older version of Windows.)

woodruffw commented 1 year ago

https://unmitigatedrisk.com/?p=259 has a description of how to take the authrootstl.cab and actually retrieve the certs it references.

woodruffw commented 1 year ago

https://github.com/PeculiarVentures/tl-create is a tool that already does this (apparently by the same author of that blog).

Looks like this is what we want:

node src/bin/tl-create.js --microsoft --for 'CODE_SIGNING' --format pem roots.pem

woodruffw commented 1 year ago

https://github.com/robstradling/authroot.stl also contains a rolling update of the trusted certificate store.

woodruffw commented 1 year ago

https://github.com/trailofbits/windows-ctl gives us the ability to bundle the Trusted Publishers store. So this is no longer blocked; just needs attention.

woodruffw commented 7 months ago

https://www.ccadb.org/resources also has links for the code signing roots.

woodruffw commented 6 months ago

Got sufficiently annoyed at this: https://github.com/woodruffw/ms-codesigning-roots

ralphje commented 4 weeks ago

I came across this issue by accident, and wanted to point you to my repository that I've built and that auto-updates: https://github.com/ralphje/mscerts

I'm also performing Authenticode checks in https://github.com/ralphje/signify and have been properly parsing CTLs for a while now (in particular here: https://github.com/ralphje/signify/blob/master/signify/authenticode/authroot.py).

The thing is, Microsoft creates a relatively complex ruleset for when a certificate is valid, in our case for code signing and time stamping. Not sure if you're willing to create this ruleset in your library as well, but just wanted to point you towards these.
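
A sketch of what such a ruleset looks like in code, added here as an example and not taken from signify, mscerts or uthenticode: each root in the trust list carries restrictions (an EKU allow-list, a disallowed-after time, and a NotBefore cutoff that stops newly issued leaves from being trusted for certain purposes), and a verifier applies them for the purpose at hand, code signing or timestamping. The field semantics, the store entries and the thumbprints are this example's assumptions, chosen to show the shape of the evaluation; the real property IDs and their exact meaning come from the CTL itself.

```go
package main

import (
	"fmt"
	"time"
)

// Purpose is the EKU OID a signature needs its root to be enabled for.
type Purpose string

const (
	CodeSigning  Purpose = "1.3.6.1.5.5.7.3.3" // id-kp-codeSigning
	TimeStamping Purpose = "1.3.6.1.5.5.7.3.8" // id-kp-timeStamping
)

// RootEntry is a simplified model of one subject in a Microsoft CTL: the root's thumbprint
// plus the per-root restrictions attached to it. The field semantics are assumptions made
// for this example about how such restrictions are applied, not signify's implementation.
type RootEntry struct {
	SHA1Thumbprint  string
	AllowedEKUs     []Purpose  // non-empty: root enabled only for these purposes
	DisallowedAfter *time.Time // set: root distrusted for signatures made after this time
	NotBeforeCutoff *time.Time // set: leaves issued after this time are not trusted ...
	NotBeforeEKUs   []Purpose  // ... for these purposes (empty: for every purpose)
}

func hasPurpose(list []Purpose, p Purpose) bool {
	for _, q := range list {
		if q == p {
			return true
		}
	}
	return false
}

// TrustedFor decides whether the root may anchor a chain for purpose, given the time the
// signature was made and the issuance time (NotBefore) of the end-entity certificate.
func (r RootEntry) TrustedFor(purpose Purpose, signingTime, leafNotBefore time.Time) (bool, string) {
	if len(r.AllowedEKUs) > 0 && !hasPurpose(r.AllowedEKUs, purpose) {
		return false, "root is not enabled for " + string(purpose)
	}
	if r.DisallowedAfter != nil && signingTime.After(*r.DisallowedAfter) {
		return false, "root was disallowed before the signing time"
	}
	if r.NotBeforeCutoff != nil && leafNotBefore.After(*r.NotBeforeCutoff) &&
		(len(r.NotBeforeEKUs) == 0 || hasPurpose(r.NotBeforeEKUs, purpose)) {
		return false, "end-entity certificate issued after the root's cutoff for this purpose"
	}
	return true, "trusted"
}

// Store maps thumbprints to entries; a root absent from the store is untrusted.
type Store map[string]RootEntry

// Check combines the lookup with the per-root rules.
func (s Store) Check(thumbprint string, purpose Purpose, signingTime, leafNotBefore time.Time) (bool, string) {
	entry, ok := s[thumbprint]
	if !ok {
		return false, "root not present in the trust list"
	}
	return entry.TrustedFor(purpose, signingTime, leafNotBefore)
}

func date(y, m, d int) *time.Time {
	t := time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
	return &t
}

// ConstructedStore holds made-up entries; the thumbprints are placeholders, not real roots.
func ConstructedStore() Store {
	return Store{
		"ROOT-A": {SHA1Thumbprint: "ROOT-A"}, // unrestricted
		"ROOT-B": {SHA1Thumbprint: "ROOT-B", AllowedEKUs: []Purpose{TimeStamping}},
		"ROOT-C": {SHA1Thumbprint: "ROOT-C", DisallowedAfter: date(2019, 1, 1)},
		"ROOT-D": {SHA1Thumbprint: "ROOT-D", NotBeforeCutoff: date(2018, 1, 1), NotBeforeEKUs: []Purpose{CodeSigning}},
	}
}

// RunPolicyScenarios returns the trust decision for each case; true means trusted.
func RunPolicyScenarios() map[string]bool {
	s := ConstructedStore()
	signed, issued := *date(2020, 6, 1), *date(2020, 1, 1)
	cases := []struct {
		name, root     string
		purpose        Purpose
		signed, issued time.Time
	}{
		{"unrestricted root, code signing", "ROOT-A", CodeSigning, signed, issued},
		{"unknown root", "ROOT-Z", CodeSigning, signed, issued},
		{"timestamp-only root used for code signing", "ROOT-B", CodeSigning, signed, issued},
		{"timestamp-only root used for timestamping", "ROOT-B", TimeStamping, signed, issued},
		{"disallowed root, signature after cutoff", "ROOT-C", CodeSigning, signed, issued},
		{"disallowed root, signature before cutoff", "ROOT-C", CodeSigning, *date(2018, 6, 1), *date(2018, 1, 1)},
		{"NotBefore root, leaf issued after cutoff", "ROOT-D", CodeSigning, signed, issued},
		{"NotBefore root, leaf issued before cutoff", "ROOT-D", CodeSigning, signed, *date(2017, 6, 1)},
		{"NotBefore root, timestamping unaffected", "ROOT-D", TimeStamping, signed, issued},
	}
	results := map[string]bool{}
	for _, c := range cases {
		ok, _ := s.Check(c.root, c.purpose, c.signed, c.issued)
		results[c.name] = ok
	}
	return results
}

func main() {
	for name, ok := range RunPolicyScenarios() {
		fmt.Printf("%-45s trusted=%v\n", name, ok)
	}
}
```

The point of splitting the decision by purpose is that the same root can be fine for timestamping while disabled for code signing, and that the signing time and the leaf's issuance time are separate inputs: a disallow date is compared against when the signature was made, while a NotBefore cutoff is compared against when the signer's certificate was issued.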