Check validity of package file signatures, if they are signed

Open ferventcoder opened this issue 10 years ago • 5 comments

During the installation phase of a package, we should check to see if the binaries to be 'installed', and the scripts being used for that installation, are signed. If they are signed, then we should check their signatures to ensure they are valid and stop installation if they are not.

One can do this now in the automation scripts (it's just PowerShell), but adding a facility to easily add the ability to verify the Authenticode scripts would be awesome!

We may be able to look at binaries and build some of this into Chocolatey itself. To do this within Chocolatey itself, we may need to expand the scope so it does differencing against things like Program Files to see things installed.

Some possible resources:

  • http://stackoverflow.com/q/7622732/18475
  • http://stackoverflow.com/q/3281057/18475
  • http://stackoverflow.com/q/7780324/18475
  • http://stackoverflow.com/q/31879886/18475
  • http://stackoverflow.com/q/6596327/18475
  • http://certhelp.ksoftware.net/support/solutions/articles/50357-how-do-i-verify-a-digital-signature-in-c-
  • http://geekswithblogs.net/robp/archive/2007/05/04/112250.aspx
  • http://security.stackexchange.com/q/26485
  • https://support.microsoft.com/en-us/kb/323809

ferventcoder avatar Feb 22 '16 16:02 ferventcoder

Thanks @ericlaw1979 for the suggestion!

ferventcoder avatar Feb 22 '16 16:02 ferventcoder

If you're in .NET, it's a pretty straightforward process.

  1. Use WinVerifyTrust(WINTRUST_ACTION_GENERIC_VERIFY_V2) to verify the signature on the file.
  2. Optionally: Display the Certificate's owner to the user to confirm; for .EXEs this is as simple as doing X509Certificate2 cert = new X509Certificate2(sFilename); and then grabbing the .Subject field.

Note, you don't want to call cert.Verify() because it's ignorant of the fact that the file's Authenticode Signature may be timestamped and thus valid even if the cert is now expired. Also WinVerifyTrust just checked the signature's validity which included validation of the certificate.

ericlaw1979 avatar Feb 22 '16 20:02 ericlaw1979
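
The policy from the issue (verify files that are signed, stop on an invalid signature) as an added PowerShell example; it is not code from Chocolatey or from either commenter. The function name `Test-PackageFileSignature`, the extension list and the demo folder are assumptions, and it relies on the built-in `Get-AuthenticodeSignature` cmdlet on Windows, reading its per-file `Status` instead of calling `Verify()` on the certificate.

```powershell
# Added example; Test-PackageFileSignature is a hypothetical helper name.
function Test-PackageFileSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackageDirectory,
        # Assumed set of file types to check: install scripts and binaries.
        [string[]] $Extensions = @('.ps1', '.psm1', '.exe', '.dll', '.msi')
    )

    $files = Get-ChildItem -LiteralPath $PackageDirectory -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension }

    $results = foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        [pscustomobject]@{
            Path        = $file.FullName
            Status      = [string] $sig.Status
            # Subject is shown so a person can confirm who signed the file.
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            Timestamped = [bool] $sig.TimeStamperCertificate
        }
    }

    # Unsigned files pass; any signed file that does not verify
    # (HashMismatch, NotTrusted, UnknownError, ...) aborts the install.
    $bad = @($results | Where-Object { $_.Status -notin 'Valid', 'NotSigned' })
    if ($bad.Count -gt 0) {
        $detail = ($bad | ForEach-Object { "$($_.Path): $($_.Status)" }) -join '; '
        throw "Signature check failed, stopping installation. $detail"
    }
    $results
}

# Constructed demo input: a temporary package folder with one unsigned script.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sigcheck-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'chocolateyInstall.ps1') -Value 'Write-Host "demo"'
Test-PackageFileSignature -PackageDirectory $demo | Format-Table -AutoSize
```

A file whose signature has been stripped reports `NotSigned` and passes under this "only if signed" policy, so the check catches altered signed files but not the removal of a signature.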

This appears completed. #501

ferventcoder avatar Aug 28 '24 18:08 ferventcoder

Not a duplicate. I'm sorry - this is about validating digital signatures in PowerShell scripts (if things are signed) and in binaries.

ferventcoder avatar Aug 28 '24 18:08 ferventcoder

Just a note, this is pointed to from https://docs.chocolatey.org/en-us/roadmap

ferventcoder avatar Oct 02 '24 18:10 ferventcoder