if (!embeddedSignatureOnly && fileContent == null)
            if (embeddedSignatureOnly)
            {
                // WinVerifyTrust APIs
                return GetSignatureFromWinVerifyTrust(fileName, fileContent);
            }

            if (fileContent == null)

PR Summary

Added the ability to retrieve an embedded authenticode signture of a file that ignores any certificates inside a .cat file. This is done through a new switch parameter -EmbeddedSignature on the Get-AuthenticodeSignature cmdlet.

This is a WIP until I find some time to add some tests. Edit: see #23821 (comment) as to why I cannot add tests

PR Context

Fixes: #23820

PR Checklist

• PR has a meaningful title
  • Use the present tense and imperative mood when describing your changes
• Summarized changes
• Make sure all .h, .cpp, .cs, .ps1 and .psm1 files have the correct copyright header
• This PR is ready to merge and is not Work in Progress.
  • If the PR is work in progress, please add the prefix WIP: or [ WIP ] to the beginning of the title (the WIP bot will keep its status check at Pending while the prefix is present) and remove the prefix when the PR is ready.
• Breaking changes
  • None
  • OR
  • Experimental feature(s) needed
    • Experimental feature name(s):
• User-facing changes
  • Not Applicable
  • OR
  • Documentation needed
    • Issue filed:
• Testing - New and feature
  • N/A or can only be tested interactively - Get-AuthenticodeSignature: Add embedded cert opt #23821 (comment)
  • OR
  • Make sure you've added a new test if existing tests do not effectively test the code changed
• Tooling
  • I have considered the user experience from a tooling perspective and don't believe tooling will be impacted.
  • OR
  • I have considered the user experience from a tooling perspective and opened an issue in the relevant tool repository. This may include:
    • Impact on PowerShell Editor Services which is used in the PowerShell extension for VSCode
      (which runs in a different PS Host).
      • Issue filed:
    • Impact on Completions (both in the console and in editors) - one of PowerShell's most powerful features.
      • Issue filed:
    • Impact on PSScriptAnalyzer (which provides linting & formatting in the editor extensions).
      • Issue filed:
    • Impact on EditorSyntax (which provides syntax highlighting with in VSCode, GitHub, and many other editors).
      • Issue filed:

I'd prefer simplify logic:

Suggested change

	if (!embeddedSignatureOnly && fileContent == null)
	if (embeddedSignatureOnly)
	{
	// WinVerifyTrust APIs
	return GetSignatureFromWinVerifyTrust(fileName, fileContent);
	}
	if (fileContent == null)

This would mean calling GetSignatureFromWinVerifyTrust in multiple locations. While this approach is indeed more streamlined, I believe that using a negated boolean check is still quite comprehensible.

I've tried adding tests but I cannot get Windows to see the newly installed .cat file generated in the test as valid. I followed this guide on adding the .cat file to the Windows caroot store and that was able to add the file successfully. I was able to verify that both the embedded signature of my test file and the .cat signature were valid and trusted according to Windows Explorer. Unfortunately it seems like the call to WinVerifyTrust that the catalog extension method calls fails with CERT_E_UNTRUSTEDROOT. Adding a trace for this call I can see it is called with the following data:

- Function: Wintrust.dll!WinVerifyTrust
  Time: 2024-05-21T13:18:30.6104744+10:00
  ThreadId: 14220
  Arguments:
    Hwdn: 0xFFFFFFFFFFFFFFFF - HWND
    ActionId:
      Raw: 0xAB341EF5C0 - PGUID
      Value: f750e6c3-38ee-11d1-85e5-00c04fc295ee
      ID: DRIVER_ACTION_VERIFY
    Data:
      Raw: 0xAB341EF0C0 - PWINTRUST_DATA
      CBStruct: 88
      PolicyCallbackData: 0xAB341EF170 - Pointer
      SIPClientData: 0x00000000 - Pointer
      UIChoice: 0x00000002 - WTD_UI_NONE
      RevocationChecks: 0x00000000 - WTD_REVOKE_NONE
      UnionChoice: 0x00000002 - WTD_CHOICE_CATALOG
      UnionData:
        Raw: 0xAB341EF120 - PWINTRUST_CATALOG_INFO
        CBStruct: 72
        CatalogVersion: 0
        CatalogFilePath:
          Raw: 0xAB341EF5D4 - Pointer
          Value: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PowerShell-AuthenticodeTest-8472624b-d66e-43ef-bfe4-e81ce9095fd4.cat
        MemberTag:
          Raw: 0xAB341EFA70 - Pointer
          Value: '\\?\C:\Users\vagrant-domain\AppData\Local\Temp\script-with-cat.ps1'
        MemberFilePath:
          Raw: 0x00000000 - Pointer
          Value: null
        MemberFile: 0x00000000 - HANDLE
        CalculatedFileHash:
          Size: 20
          Raw: 0x296B7D41730 - Pointer
          Value: B24D16D1E0B673B610A8C641E8AAB74F9E357E86
        CatalogContext: 0x00000000 - PCCTL_CONTEXT
        CatAdmin: 0x00000000 - HCATADMIN
      StateAction: 0x00000001 - WTD_STATEACTION_VERIFY
      WVTStateData: 0x00000000 - HANDLE
      URLReference:
        Raw: 0x00000000 - Pointer
        Value: null
      ProvFlags: 0x00001080 - WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, WTD_CACHE_ONLY_URL_RETRIEVAL
      UIContext: 0x00000000 - WTD_UICONTEXT_EXECUTE
      SignatureSettings: 0x00000000 - PWINTRUST_SIGNATURE_SETTINGS
- Function: Wintrust.dll!WinVerifyTrust
  Time: 2024-05-21T13:18:30.6241246+10:00
  ThreadId: 14220
  Result: -2146762487
  Info:
    ErrorCode: CERT_E_UNTRUSTEDROOT

The cat filepath, member path, and hash are all correct, it just seems like I'm missing something where it's considering the root is untrusted. My guess is that only WHQL or EV signed files are trusted in the context of WINTRUST_CATALOG_INFO but that is just a guess.

Unfortunately unless someone knows more info as to why this fails and whether there is a workaround I'm not sure there is a good way to test this new functionality. Relying on builtin files will probably be brittle as they are updated/removed in the future so I don't think that's a good idea to add as a test here. I probably shouldn't spend much more time on this but happy to have another look if anyone has any recommendations.

📣 Hey @jborean93, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

Microsoft Forms

This pull request has been automatically marked as Review Needed because it has been there has not been any activity for 7 days.
Maintainer, please provide feedback and/or mark it as Waiting on Author