Get-AuthenticodeSignature: Add embedded cert opt #23821
Conversation
{ | ||
Signature signature = null; | ||
|
||
if (fileContent == null) | ||
if (!embeddedSignatureOnly && fileContent == null) |
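Review bot: the compound guard `if (!embeddedSignatureOnly && fileContent == null)` needs a one-line comment saying why the embedded-only path skips this block, since the condition reads as "content is missing unless we are embedded-only" and a reader has to infer the intent from the flag name alone; alternatively hoist the `embeddedSignatureOnly` case into its own early branch so the original `if (fileContent == null)` check stays unchanged and the null-handling logic is not coupled to the new switch.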
I'd prefer to simplify the logic:

```diff
-if (!embeddedSignatureOnly && fileContent == null)
+if (embeddedSignatureOnly)
+{
+    // WinVerifyTrust APIs
+    return GetSignatureFromWinVerifyTrust(fileName, fileContent);
+}
+
+if (fileContent == null)
```
This would mean calling GetSignatureFromWinVerifyTrust in multiple locations. While this approach is indeed more streamlined, I believe that using a negated boolean check is still quite comprehensible.
I've tried adding tests but I cannot get Windows to see the newly installed

```yaml
- Function: Wintrust.dll!WinVerifyTrust
  Time: 2024-05-21T13:18:30.6104744+10:00
  ThreadId: 14220
  Arguments:
    Hwdn: 0xFFFFFFFFFFFFFFFF - HWND
    ActionId:
      Raw: 0xAB341EF5C0 - PGUID
      Value: f750e6c3-38ee-11d1-85e5-00c04fc295ee
      ID: DRIVER_ACTION_VERIFY
    Data:
      Raw: 0xAB341EF0C0 - PWINTRUST_DATA
      CBStruct: 88
      PolicyCallbackData: 0xAB341EF170 - Pointer
      SIPClientData: 0x00000000 - Pointer
      UIChoice: 0x00000002 - WTD_UI_NONE
      RevocationChecks: 0x00000000 - WTD_REVOKE_NONE
      UnionChoice: 0x00000002 - WTD_CHOICE_CATALOG
      UnionData:
        Raw: 0xAB341EF120 - PWINTRUST_CATALOG_INFO
        CBStruct: 72
        CatalogVersion: 0
        CatalogFilePath:
          Raw: 0xAB341EF5D4 - Pointer
          Value: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PowerShell-AuthenticodeTest-8472624b-d66e-43ef-bfe4-e81ce9095fd4.cat
        MemberTag:
          Raw: 0xAB341EFA70 - Pointer
          Value: '\\?\C:\Users\vagrant-domain\AppData\Local\Temp\script-with-cat.ps1'
        MemberFilePath:
          Raw: 0x00000000 - Pointer
          Value: null
        MemberFile: 0x00000000 - HANDLE
        CalculatedFileHash:
          Size: 20
          Raw: 0x296B7D41730 - Pointer
          Value: B24D16D1E0B673B610A8C641E8AAB74F9E357E86
        CatalogContext: 0x00000000 - PCCTL_CONTEXT
        CatAdmin: 0x00000000 - HCATADMIN
      StateAction: 0x00000001 - WTD_STATEACTION_VERIFY
      WVTStateData: 0x00000000 - HANDLE
      URLReference:
        Raw: 0x00000000 - Pointer
        Value: null
      ProvFlags: 0x00001080 - WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, WTD_CACHE_ONLY_URL_RETRIEVAL
      UIContext: 0x00000000 - WTD_UICONTEXT_EXECUTE
      SignatureSettings: 0x00000000 - PWINTRUST_SIGNATURE_SETTINGS
- Function: Wintrust.dll!WinVerifyTrust
  Time: 2024-05-21T13:18:30.6241246+10:00
  ThreadId: 14220
  Result: -2146762487
  Info:
    ErrorCode: CERT_E_UNTRUSTEDROOT
```

The cat filepath, member path, and hash are all correct; it just seems like I'm missing something where it's considering the root is untrusted. My guess is that only WHQL or EV signed files are trusted in the context of

Unfortunately, unless someone knows more info as to why this fails and whether there is a workaround, I'm not sure there is a good way to test this new functionality. Relying on builtin files will probably be brittle as they are updated/removed in the future, so I don't think that's a good idea to add as a test here. I probably shouldn't spend much more time on this but happy to have another look if anyone has any recommendations.
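As an added illustration of the embedded-versus-catalog distinction this PR is about (example code, not from the PR or the PowerShell project), the function below uses the output of the existing Get-AuthenticodeSignature cmdlet to report whether a file's trust comes from a signature block inside the file or only from a .cat entry. The function name, the report fields and the sample directory are this example's own choices; Status, SignatureType, SignerCertificate and IsOSBinary are properties of the Signature object the cmdlet returns.

```powershell
# Added example (not part of PR #23821): classify files by whether their Authenticode
# trust is embedded in the file or comes only from a catalog (.cat) in CatRoot.
function Get-SignatureOrigin {
    [CmdletBinding()]
    param(
        # Accepts plain paths or FileInfo objects from Get-ChildItem (via FullName).
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $sig = Get-AuthenticodeSignature -FilePath $p

            # SignatureType tells us where the trust decision came from.
            $origin = switch ($sig.SignatureType) {
                'Authenticode' { 'Embedded' }     # signature block inside the file itself
                'Catalog'      { 'CatalogOnly' }  # vouched for only by a .cat file
                default        { 'None' }
            }

            [pscustomobject]@{
                Path       = $p
                Status     = $sig.Status           # Valid, NotSigned, UnknownError, ...
                Origin     = $origin
                Subject    = $sig.SignerCertificate.Subject
                IsOSBinary = $sig.IsOSBinary
            }
        }
    }
}

# Sample run (directory chosen for illustration): files a catalog vouches for but that
# carry no embedded signature are the ones an embedded-only lookup would disregard.
Get-ChildItem "$env:SystemRoot\System32\WindowsPowerShell\v1.0" -Filter *.ps1xml |
    Get-SignatureOrigin |
    Where-Object Origin -eq 'CatalogOnly' |
    Format-Table Path, Status, Origin, IsOSBinary -AutoSize
```

Run it on Windows; on other platforms Get-AuthenticodeSignature is not available and the cmdlet call will fail.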
Added the ability to retrieve an embedded Authenticode signature of a file that ignores any certificates inside a .cat file. This is done through a new switch parameter -EmbeddedOnly on the Get-AuthenticodeSignature cmdlet.
PR Summary

Added the ability to retrieve an embedded Authenticode signature of a file that ignores any certificates inside a .cat file. This is done through a new switch parameter `-EmbeddedSignature` on the Get-AuthenticodeSignature cmdlet.

This is a WIP until I find some time to add some tests.

Edit: see #23821 (comment) as to why I cannot add tests.

PR Context

Fixes: #23820