
The root Microsoft Root Certificate Authority is disallowed for certificate issued after

Open palkoc opened this issue 1 year ago • 8 comments

Hi Ralf, I'm trying to verify a signed Windows file and I'm getting a certificate error for a file I use that is regularly signed. Here's an example of verification via PowerShell Get-AuthenticodeSignature:

    (venv) PS C:\Users\aa\Documents\Projects\PowerShell\PathHashCalc\src\python> Get-AuthenticodeSignature -FilePath 'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe'

        Directory: C:\Program Files\Common Files\microsoft shared\VSTO\10.0

    SignerCertificate                         Status                                StatusMessage                         Path
    -----------------                         ------                                -------------                         ----
    5EAD300DC7E4D637948ECB0ED829A072BD152E17  Valid                                 Signature verified.                   VSTOInstaller.exe

And here's the example of the signify verification: [image]

I also tried to use multi_verify_mode='all' on line https://github.com/ralphje/signify/blob/7a1b61446e53645b9725d690a83fa3d41d559137/examples/authenticode_info.py#L62

[image]

but I'm getting the same result with error:

    AuthenticodeVerificationResult.UNKNOWN_ERROR
    AuthenticodeSignedData.verify() got an unexpected keyword argument 'multi_verify_mode'

Please can you look at it? Thanks a lot.

BR, Pavol

palkoc avatar Jul 25 '23 15:07 palkoc

The multi_verify_mode argument is not yet supported in the live version, so that's why you see that error.

Regarding the certificate, this is actually a weird case, as the certificate trust list explicitly states that this certificate should not be valid, but in Windows it is explicitly trusted as per https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/trusted-root-certificates-are-required. Therefore it verifies the signature successfully.

I have no clue why this discrepancy exists; Microsoft could just as easily have just allowed the certificate to work in the STL as well.

You could use the TRUSTED_CERTIFICATE_STORE_NO_CTL bundle to work around this issue for this specific case.

ralphje avatar Jul 25 '23 17:07 ralphje

> The multi_verify_mode argument is not yet supported in the live version, so that's why you see that error.

I installed module directly from github

> Regarding the certificate, this is actually a weird case, as the certificate trust list explicitly states that this certificate should not be valid, but in Windows it is explicitly trusted as per https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/trusted-root-certificates-are-required. Therefore it verifies the signature successfully.
>
> I have no clue why this discrepancy exists; Microsoft could just as easily have just allowed the certificate to work in the STL as well.
>
> You could use the TRUSTED_CERTIFICATE_STORE_NO_CTL bundle to work around this issue for this specific case.

Can you elaborate a bit? How to use it in python?

palkoc avatar Jul 25 '23 17:07 palkoc

Sorry, you should change this line then for the multi verify mode: https://github.com/ralphje/signify/blob/7a1b61446e53645b9725d690a83fa3d41d559137/examples/authenticode_info.py#L68 However, it will not change the outcome of this issue.

You can pass the trusted_certificate_store=TRUSTED_CERTIFICATE_STORE_NO_CTL argument to both verify methods to ignore the certificate trust list conditions. Please note that this is a very broad approach and not correct in many other cases, but allows you to verify the signature in this case.

ralphje avatar Jul 25 '23 17:07 ralphje
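
The workaround described in the comment above, as an added example that is not part of the thread or of signify's own example script: it verifies with the default store first and only then retries with `TRUSTED_CERTIFICATE_STORE_NO_CTL`, so a pass that depends on ignoring the certificate trust list stays visible. `Trust`, `classify` and `check_pe` are hypothetical names, and the import paths are an assumption based on the signify 0.5.x module layout.

```python
import sys
from enum import Enum


class Trust(Enum):
    STRICT_OK = "valid with the certificate trust list enforced"
    NO_CTL_ONLY = "valid only when the certificate trust list is ignored"
    INVALID = "not valid under either store"


def classify(strict_ok: bool, relaxed_ok: bool) -> Trust:
    """Combine both outcomes so a relaxed-only pass is never reported as a plain pass."""
    if strict_ok:
        return Trust.STRICT_OK
    return Trust.NO_CTL_ONLY if relaxed_ok else Trust.INVALID


def check_pe(path: str):
    """Return (Trust, error raised by the strict verification or None)."""
    # Assumed import paths (signify 0.5.x layout); adjust to the installed version.
    from signify.authenticode.signed_pe import SignedPEFile
    from signify.authenticode.structures import (
        TRUSTED_CERTIFICATE_STORE_NO_CTL,
        AuthenticodeVerificationResult,
    )

    ok = AuthenticodeVerificationResult.OK
    with open(path, "rb") as f:
        pe = SignedPEFile(f)
        # Default store: certificate trust list conditions are enforced.
        strict_result, strict_err = pe.explain_verify()
        if strict_result == ok:
            return Trust.STRICT_OK, None
        # Same file again, this time ignoring the trust list conditions.
        relaxed_result, _ = pe.explain_verify(
            trusted_certificate_store=TRUSTED_CERTIFICATE_STORE_NO_CTL
        )
    return classify(False, relaxed_result == ok), strict_err


if __name__ == "__main__":
    for path in sys.argv[1:]:
        trust, strict_error = check_pe(path)
        print(f"{path}: {trust.value} (strict error: {strict_error})")
```

A `NO_CTL_ONLY` result should be recorded separately from a strict pass, since the relaxed store is described above as a very broad approach.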

Hi Ralph, I used the solution you proposed and it works, but I have another 2 cases, that according to Get-AuthenticodeSignature are valid signatures.... (issues split... as per Ralph's request down below...)

palkoc avatar Jul 26 '23 08:07 palkoc

Please try not to put too many issues in one issue.

The first error is because the certificate probably needs an intermediate certificate fetched through AIA. This is currently not supported, see #15. Perhaps a better error message regarding this would help a bit, as well as with your initial issue.

The second one, I'm not sure about that. Could you attach the file to this issue?

ralphje avatar Jul 26 '23 17:07 ralphje

Hi Ralph, thanks for the answer, I created separate issues for both my questions...

palkoc avatar Jul 26 '23 21:07 palkoc

Leaving this issue open to seek a better solution, perhaps adding the option back to include those certificates in a separate trust bundle.

We previously included some legacy certificates, but those were removed in https://github.com/ralphje/signify/commit/7ae796d24987c5e3aa1029b4365c1881b009beed#diff-36fa5162b487f337c88cf0ee8f7d5b4cc61f0d3988d1b769d5482c6bfdb1498d

These are not the same, but we might add the required certificates from the linked article as well, to allow checking against what Microsoft considers valid. At the very least, a better error message could help.

ralphje avatar Jul 27 '23 18:07 ralphje

Please can you add them too? Thanks. Pavol

palkoc avatar Jul 31 '23 12:07 palkoc