
Add an API for full-chain verification

Open woodruffw opened this issue 4 years ago • 9 comments

We'll never support verification against the trusted publishers store, but we could support verification against a particular user-supplied certificate. That way, users could at least do full-chain verification of binaries that they control.

woodruffw avatar Jan 14 '21 15:01 woodruffw

Thinking about this more, maybe we could support verification against the trusted publishers store: we could have another repo that automatically extracts it from a GitHub Actions Windows runner on a periodic basis, and then consume that repo's output here.

woodruffw avatar Dec 13 '22 22:12 woodruffw

This looks like the right URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

And maybe this for revocations: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

(Maybe. It might be for an older version of Windows.)

woodruffw avatar Dec 14 '22 22:12 woodruffw

https://unmitigatedrisk.com/?p=259 has a description of how to take the authrootstl.cab and actually retrieve the certs it references.

woodruffw avatar Dec 14 '22 22:12 woodruffw

https://github.com/PeculiarVentures/tl-create is a tool that already does this (apparently by the same author as that blog).

Looks like this is what we want:

node src/bin/tl-create.js --microsoft --for 'CODE_SIGNING' --format pem roots.pem

woodruffw avatar Dec 15 '22 17:12 woodruffw

https://github.com/robstradling/authroot.stl also contains a rolling update of the trusted certificate store.

woodruffw avatar Dec 22 '22 21:12 woodruffw

https://github.com/trailofbits/windows-ctl gives us the ability to bundle the Trusted Publishers store. So this is no longer blocked; just needs attention.

woodruffw avatar Feb 14 '23 21:02 woodruffw

https://www.ccadb.org/resources also has links for the code signing roots.

woodruffw avatar Dec 02 '23 19:12 woodruffw

Got sufficiently annoyed at this: https://github.com/woodruffw/ms-codesigning-roots

woodruffw avatar Dec 25 '23 20:12 woodruffw

I came across this issue by accident, and wanted to point you to my repository, which I've built and which auto-updates: https://github.com/ralphje/mscerts

I'm also performing Authenticode checks in https://github.com/ralphje/signify and have been properly parsing CTLs for a while now (in particular here: https://github.com/ralphje/signify/blob/master/signify/authenticode/authroot.py).

The thing is, Microsoft creates a relatively complex ruleset for when a certificate is valid, in our case for code signing and time stamping. Not sure if you're willing to create this ruleset in your library as well, but just wanted to point you towards these.

ralphje avatar Jun 09 '24 12:06 ralphje