-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an API for full-chain verification #42
Comments
Thinking about this more, maybe we could support verification against the trusted publishers store: we could have another repo that automatically extracts it from a GitHub Actions Windows runner on a periodic basis, and then consume that repo's output here. |
This looks like the right URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab And maybe this for revocations: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab (Maybe. It might be for an older version of Windows.) |
https://unmitigatedrisk.com/?p=259 has a description of how to take the |
https://github.com/PeculiarVentures/tl-create is a tool that already does this (apparently by the same author of that blog). Looks like this is what we want: node src/bin/tl-create.js --microsoft --for 'CODE_SIGNING' --format pem roots.pem |
https://github.com/robstradling/authroot.stl also containing a rolling update of the trusted certificate store. |
https://github.com/trailofbits/windows-ctl gives us the ability to bundle the Trusted Publishers store. So this is no longer blocked; just needs attention. |
https://www.ccadb.org/resources also has links for the code signing roots. |
Got sufficiently annoyed at this: https://github.com/woodruffw/ms-codesigning-roots |
I came across this issue by accident, and wanted to point you to my repository that I've built and auto-updates: https://github.com/ralphje/mscerts I'm also performing Authenticode checks in https://github.com/ralphje/signify and have been properly parsing CTLs for a while now (in particular here: https://github.com/ralphje/signify/blob/master/signify/authenticode/authroot.py). The thing is, Microsoft creates a relatively complex ruleset for when a certificate is valid, in our case for code signing and time stamping. Not sure if you're willing to create this ruleset in your library as well, but just wanted to point you towards these. |
We'll never support verification against the trusted publishers store, but we could support verification against a particular user-supplied certificate. That way, users could at least do full-chain verification of binaries that they control.
The text was updated successfully, but these errors were encountered: