authenticodelint's People

Contributors

ericlaw1979, vcsjones


authenticodelint's Issues

Smuggling a URL in the MS-DOS stub is not detected

  1. make a new MS-DOS stub that is 256 bytes long (we need more room). You will need 16 bit dev tools for this. Message to print should be https://yourdomain.com/phonehome$ and lots of zeros
  2. link binary with /STUB to use alternate stub. You can use /emittoolversioninfo:no as well to get the space back.
  3. sign binary
  4. Watermark binary by appending ?nonce to the URL in the stub and correct PE checksum
  5. Profit

Authenticode doesn't even notice something's wrong, nor does authenticode lint. Setting EnableCertPaddingCheck does nothing, as expected.

Incidentally, I find it hilarious from this thread https://developercommunity.visualstudio.com/t/add-linker-option-to-strip-rich-stamp-from-exe-hea/740443 that MS doesn't seem to know this would work.

Signature-Based failures

Some of the checks will be rather complicated. Simply returning Pass / Fail does not give the user a good idea of why a check failed in cases where signatures are checked individually rather than looked at as a whole, such as time stamps.

  • For the Timestamped Rule, add output clarifying which signature is missing a timestamp if it is missing, or if it has a bad hash algorithm.
  • Weak File Digest should output which signature has a bad digest algorithm, and what the digest algorithm is.

Validate all signatures

Use WinVerifyTrustEx to do an end-to-end validation of all signatures.

A command line option should be considered for how revocation checking should be performed, something like -revocationchecktype with possible values of "Online", "Offline", "None". Online will be the default, for now.

  • Online: use WTD_REVOCATION_CHECK_CHAIN to WinVerifyTrustEx.
  • None: use WTD_REVOCATION_CHECK_NONE to WinVerifyTrustEx.
  • Offline: use WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_CHAIN to WinVerifyTrustEx.
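The flag mapping described above, wired into a WinVerifyTrustEx call. This is an added example, not code from authenticodelint; the enum `RevocationCheckType`, the class `AuthenticodeVerifier` and its `Verify`/`ProvFlagsFor` methods are assumed names, while the WTD_* constants, the structure layouts and the HRESULT values are taken from wintrust.h and winerror.h.

```csharp
using System;
using System.Runtime.InteropServices;

// Possible values for the proposed -revocationchecktype option (assumed names).
public enum RevocationCheckType { Online, Offline, None }

public static class AuthenticodeVerifier
{
    // dwProvFlags values from wintrust.h.
    private const uint WTD_REVOCATION_CHECK_NONE    = 0x00000010;
    private const uint WTD_REVOCATION_CHECK_CHAIN   = 0x00000040;
    private const uint WTD_CACHE_ONLY_URL_RETRIEVAL = 0x00001000;

    private const uint WTD_UI_NONE            = 2;
    private const uint WTD_REVOKE_NONE        = 0; // revocation policy is carried in dwProvFlags instead
    private const uint WTD_CHOICE_FILE        = 1;
    private const uint WTD_STATEACTION_VERIFY = 1;
    private const uint WTD_STATEACTION_CLOSE  = 2;
    private static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1); // hwnd: never show UI

    private static readonly Guid WINTRUST_ACTION_GENERIC_VERIFY_V2 =
        new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");

    // Results a linter would want to report by name rather than as a raw HRESULT (winerror.h).
    public const int TRUST_E_NOSIGNATURE        = unchecked((int)0x800B0100);
    public const int TRUST_E_BAD_DIGEST         = unchecked((int)0x80096010);
    public const int CERT_E_REVOKED             = unchecked((int)0x800B010C);
    public const int CRYPT_E_REVOCATION_OFFLINE = unchecked((int)0x80092013);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        public string pcwszFilePath;
        public IntPtr hFile;
        public IntPtr pgKnownSubject;
    }

    [StructLayout(LayoutKind.Sequential)]
    private struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData;
        public IntPtr pSIPClientData;
        public uint dwUIChoice;
        public uint fdwRevocationChecks;
        public uint dwUnionChoice;
        public IntPtr pFile;             // WINTRUST_FILE_INFO*
        public uint dwStateAction;
        public IntPtr hWVTStateData;
        public IntPtr pwszURLReference;
        public uint dwProvFlags;
        public uint dwUIContext;
        public IntPtr pSignatureSettings; // WINTRUST_SIGNATURE_SETTINGS*, left null here
    }

    [DllImport("wintrust.dll", ExactSpelling = true)]
    private static extern int WinVerifyTrustEx(IntPtr hwnd, ref Guid pgActionID, IntPtr pWinTrustData);

    // Maps the option value to the provider flags listed in the issue.
    public static uint ProvFlagsFor(RevocationCheckType type) => type switch
    {
        RevocationCheckType.Online  => WTD_REVOCATION_CHECK_CHAIN,
        RevocationCheckType.Offline => WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_CHAIN,
        RevocationCheckType.None    => WTD_REVOCATION_CHECK_NONE,
        _ => throw new ArgumentOutOfRangeException(nameof(type)),
    };

    // Returns the HRESULT from WinVerifyTrustEx; 0 (S_OK) means the signature chain validated.
    public static int Verify(string filePath, RevocationCheckType revocation)
    {
        int fileInfoSize = Marshal.SizeOf<WINTRUST_FILE_INFO>();
        int dataSize = Marshal.SizeOf<WINTRUST_DATA>();
        IntPtr pFileInfo = Marshal.AllocHGlobal(fileInfoSize);
        IntPtr pData = Marshal.AllocHGlobal(dataSize);
        try
        {
            Marshal.StructureToPtr(new WINTRUST_FILE_INFO
            {
                cbStruct = (uint)fileInfoSize,
                pcwszFilePath = filePath,
            }, pFileInfo, false);

            var data = new WINTRUST_DATA
            {
                cbStruct = (uint)dataSize,
                dwUIChoice = WTD_UI_NONE,
                fdwRevocationChecks = WTD_REVOKE_NONE,
                dwUnionChoice = WTD_CHOICE_FILE,
                pFile = pFileInfo,
                dwStateAction = WTD_STATEACTION_VERIFY,
                dwProvFlags = ProvFlagsFor(revocation),
            };
            Marshal.StructureToPtr(data, pData, false);

            Guid action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
            int status = WinVerifyTrustEx(INVALID_HANDLE_VALUE, ref action, pData);

            // VERIFY leaves provider state in hWVTStateData; a CLOSE call releases it.
            data = Marshal.PtrToStructure<WINTRUST_DATA>(pData);
            data.dwStateAction = WTD_STATEACTION_CLOSE;
            Marshal.StructureToPtr(data, pData, false);
            WinVerifyTrustEx(INVALID_HANDLE_VALUE, ref action, pData);
            return status;
        }
        finally
        {
            Marshal.DestroyStructure<WINTRUST_FILE_INFO>(pFileInfo); // frees the marshalled path
            Marshal.FreeHGlobal(pFileInfo);
            Marshal.FreeHGlobal(pData);
        }
    }
}
```

Two caveats for anyone building on this: `Offline` only succeeds when the CRLs or OCSP responses are already in the local cache, so a fresh machine will typically report `CRYPT_E_REVOCATION_OFFLINE` rather than a pass; and on Windows 8 and later a single call with `pSignatureSettings` null validates only the primary signature, so covering nested signatures means filling in a `WINTRUST_SIGNATURE_SETTINGS` with `WSS_GET_SECONDARY_SIG_COUNT` and then calling once per index with `WSS_VERIFY_SPECIFIC`.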

Support Catalog Files

Catalog files allow placing the authenticode signature outside of the file itself. Currently, the linter has no way of knowing where the catalog file is or validating a file against the catalog.

Catalogs are commonly used for driver packages and many of Windows' own components.

Better handling of no signatures

Currently, per-signature based checks "pass" when the binary is not Authenticode signed at all since there are no signatures to inspect.

The CheckEngine should just auto-fail every check without running them.

Test against ARM

We need an ARM 32-bit and ARM 64-bit test binary to validate everything works.

authlint commandline doesn't output anything

Hello,

I am trying to use your tool but it doesn't output anything... I don't know what I'm missing.

I get absolutely nothing:

Installation seems good (it's in French, but it basically says it's successful).

I do have .Net Core 2.1 to 6 with its SDKs (it's a development machine).

Here is the output of `dotnet --info`

$ dotnet --info
SDK .NET (reflétant tous les fichiers global.json) :
 Version:   6.0.200
 Commit:    4c30de7899

Environnement d'exécution :
 OS Name:     Windows
 OS Version:  10.0.19044
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.200\

Host (useful for support):
  Version: 6.0.2
  Commit:  839cdfb0ec

.NET SDKs installed:
  2.1.818 [C:\Program Files\dotnet\sdk]
  2.2.207 [C:\Program Files\dotnet\sdk]
  3.1.416 [C:\Program Files\dotnet\sdk]
  5.0.104 [C:\Program Files\dotnet\sdk]
  5.0.203 [C:\Program Files\dotnet\sdk]
  5.0.211 [C:\Program Files\dotnet\sdk]
  5.0.303 [C:\Program Files\dotnet\sdk]
  5.0.403 [C:\Program Files\dotnet\sdk]
  5.0.404 [C:\Program Files\dotnet\sdk]
  5.0.405 [C:\Program Files\dotnet\sdk]
  6.0.200 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.21 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.21 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.9 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.12 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.13 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 6.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

I'm not really sure what to try next. I've looked at previous issues without luck.

Can you help me? Thank you.

Test / Support CAB files

CAB files support authenticode signatures. Ensure checks are compatible, and disable checks that don't make sense.

Support multiple -in parameters

If -in is specified more than once, currently the last one "wins". The desirable thing to do here is to just check all -in options.

This impacts two things. The exit code and the result collectors.

For the result collectors, the result collectors need to know what file they are currently collecting on.

For the exit code, the resulting code should be a safe aggregate. That is, return Success if all files succeed, and return ChecksFailed if any checks failed for any file. The outlier here is what to do with the NoSignature exit code. To simplify, this exit code should be removed. NoSignature will be treated as ChecksFailed.

Support patterns on -in.

-in should accept wild cards. For example, `-in "C:\path*.exe"`. This will result in all files that match the pattern being linted.

Support all SIPs

We should go through subject interface packages to determine signature content.

Rule for time stamps

There should be one (or possibly more) rules for checking that a signature has a time stamp countersigner.

  • The time stamp digest algorithm should be SHA1 if the digest algorithm of the signature is SHA1.
  • The time stamp digest algorithm should be SHA2 if the digest algorithm of the signature is SHA2. Unsure if it's reasonable to say "time stamp digest algorithm == signature file digest algorithm".

Rule for certificate digest algorithms

The digest of the certificate used to sign should be SHA256 or stronger, regardless of the file digest algorithm. Rule:

  • MD2 / MD5 / SHA1 -> Fail
  • SHA256 / SHA384 / SHA512 -> Pass

Check certificate key size

Check should look at the key size.

RSA must be >= 2048, ECC >= 256.

Consider upper limit of 4096 for RSA and 384 for ECC in a separate check.
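The three rules proposed in the "Rule for time stamps", "Rule for certificate digest algorithms" and "Check certificate key size" issues above, written out as pass/fail checks that also return the detail the "Signature-Based failures" issue asks for. This is an added example and not authenticodelint's own code: the `CertificateRules` class, `RuleResult` enum and method names are assumed, the OID tables are the standard PKCS#1, ECDSA and NIST hash OIDs, and the `Main` at the bottom assumes a Windows machine because `X509Certificate.CreateFromSignedFile` is Windows-only.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public enum RuleResult { Pass, Fail }

public static class CertificateRules
{
    // Signature-algorithm OIDs (what the issuer used to sign the certificate) and
    // bare digest OIDs (what a file or time stamp digest reports), both mapped to a hash name.
    // Anything not listed fails closed rather than passing by accident.
    private static readonly Dictionary<string, string> HashByOid = new Dictionary<string, string>
    {
        ["1.2.840.113549.1.1.2"]  = "MD2",    ["1.2.840.113549.1.1.4"]  = "MD5",
        ["1.2.840.113549.1.1.5"]  = "SHA1",   ["1.2.840.10045.4.1"]     = "SHA1",
        ["1.2.840.113549.1.1.11"] = "SHA256", ["1.2.840.10045.4.3.2"]   = "SHA256",
        ["1.2.840.113549.1.1.12"] = "SHA384", ["1.2.840.10045.4.3.3"]   = "SHA384",
        ["1.2.840.113549.1.1.13"] = "SHA512", ["1.2.840.10045.4.3.4"]   = "SHA512",
        ["1.2.840.113549.2.5"]    = "MD5",    ["1.3.14.3.2.26"]         = "SHA1",
        ["2.16.840.1.101.3.4.2.1"] = "SHA256", ["2.16.840.1.101.3.4.2.2"] = "SHA384",
        ["2.16.840.1.101.3.4.2.3"] = "SHA512",
    };

    private static readonly HashSet<string> Sha2 = new HashSet<string> { "SHA256", "SHA384", "SHA512" };

    // "SHA1" or "SHA2" family for the time stamp rule; null when the OID is unknown.
    private static string Family(string oid) =>
        HashByOid.TryGetValue(oid ?? "", out string h) ? (Sha2.Contains(h) ? "SHA2" : h == "SHA1" ? "SHA1" : null) : null;

    // Rule for time stamps: the counter-signature's digest family must match the signature's.
    public static (RuleResult Result, string Detail) CheckTimestampDigest(string signatureDigestOid, string timestampDigestOid)
    {
        string sig = Family(signatureDigestOid), ts = Family(timestampDigestOid);
        if (sig == null || ts == null)
            return (RuleResult.Fail, $"unrecognised digest OID (signature {signatureDigestOid}, time stamp {timestampDigestOid})");
        return sig == ts
            ? (RuleResult.Pass, $"time stamp digest family {ts} matches signature digest family {sig}")
            : (RuleResult.Fail, $"time stamp uses {ts} but signature uses {sig}");
    }

    // Rule for certificate digest algorithms: MD2 / MD5 / SHA1 fail, SHA256 and stronger pass.
    public static (RuleResult Result, string Detail) CheckCertificateDigest(X509Certificate2 cert)
    {
        string oid = cert.SignatureAlgorithm.Value ?? "";
        if (!HashByOid.TryGetValue(oid, out string hash))
            return (RuleResult.Fail, $"unrecognised signature algorithm {oid} ({cert.SignatureAlgorithm.FriendlyName})");
        return Sha2.Contains(hash)
            ? (RuleResult.Pass, $"certificate signed with {hash}")
            : (RuleResult.Fail, $"certificate signed with weak digest {hash}");
    }

    // Check certificate key size: RSA >= 2048 and ECC >= 256; optional upper bounds as a separate check.
    public static (RuleResult Result, string Detail) CheckKeySize(X509Certificate2 cert, bool upperBound = false)
    {
        using (var rsa = cert.GetRSAPublicKey())
        using (var ecdsa = cert.GetECDsaPublicKey())
        {
            if (rsa == null && ecdsa == null)
                return (RuleResult.Fail, $"unsupported key algorithm {cert.PublicKey.Oid.FriendlyName}");
            string algo = rsa != null ? "RSA" : "ECC";
            int bits = rsa != null ? rsa.KeySize : ecdsa.KeySize;
            int min = rsa != null ? 2048 : 256;
            int max = rsa != null ? 4096 : 384;
            if (upperBound)
                return bits <= max ? (RuleResult.Pass, $"{algo} {bits}-bit key within upper limit {max}")
                                   : (RuleResult.Fail, $"{algo} key is {bits} bits, above the {max}-bit limit");
            return bits >= min ? (RuleResult.Pass, $"{algo} {bits}-bit key")
                               : (RuleResult.Fail, $"{algo} key is only {bits} bits (minimum {min})");
        }
    }

    // Usage: run the certificate rules against the signer certificate of a signed PE (Windows only).
    public static void Main(string[] args)
    {
        using (var cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(args[0])))
        {
            Console.WriteLine($"Certificate digest: {CheckCertificateDigest(cert)}");
            Console.WriteLine($"Key size:           {CheckKeySize(cert)}");
            Console.WriteLine($"Key size (upper):   {CheckKeySize(cert, upperBound: true)}");
        }
    }
}
```

`CreateFromSignedFile` returns only the leaf signer certificate of the primary signature, so a linter that wants to apply these rules to every signature and counter-signature in the file still needs to walk the PKCS#7 blob itself (for example through `SignedCms`), which is the unification the "Unify SignatureInfo and ICounterSignature" issue is after. The certificate-digest rule is deliberately only about the hash inside the certificate's own signature; it says nothing about the file digest, which is what the separate Weak File Digest check covers.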

Implement XML ResultCollector

An implementation of IRuleResultCollector should be created that creates an XML document.

If the -report parameter is part of the command line arguments, the XML result collector should be added to the list of running collectors and written to the location that -report specifies.

Unify SignatureInfo and ICounterSignature

Counter signatures are their own type because the .NET type SignerInfo is sealed and non-extendable.

Replace the usage of SignerInfo with our own signer info type and unify it with counter signatures so everything is just "a signature".

Publish .NET 6 version to NuGet?

I'm in the process of adding Authenticode signing to Polly (App-vNext/Polly#1269) and I'd like to add a step to the workflow to validate things worked correctly.

This tool looks good for the job, but the current version in NuGet targets .NET Core 2.1. Could you publish the latest version targeting .NET 6 to NuGet.org please?

If not, I can just look to compile it from source and run it inline instead, but just installing the global tool would be easier 😃

Improvements to -extract

  • Extract the full signature, perhaps as a detached signature
  • Export counter signatures and their certificates.
