
Add an API for full-chain verification #42

Open
woodruffw opened this issue Jan 14, 2021 · 9 comments
Assignees
Labels
C:uthenticode The core uthenticode library

Comments

@woodruffw (Member)

We'll never support verification against the trusted publishers store, but we could support verification against a particular user-supplied certificate. That way, users could at least do full-chain verification of binaries that they control.

@woodruffw woodruffw added the C:uthenticode The core uthenticode library label Jan 14, 2021
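The check the opening post asks for, as an added example that is not uthenticode's code: Go's standard library stands in for the OpenSSL chain verification uthenticode would do, and the certificates (a constructed "Vendor" root, issuing CA and signer) are issued in-process. The intermediates carried in a signature go into the untrusted pool; only the caller-supplied root is trusted, the host store is never consulted, and the code-signing EKU is required along the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifyChainAgainstRoot accepts the signer's leaf only if it chains, through the intermediates
// shipped with the signature, to exactly the caller-supplied root, with every link usable for code signing.
func VerifyChainAgainstRoot(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	opts.Roots.AddCert(root) // the one trust anchor; no system store is consulted
	for _, c := range intermediates { // untrusted input: only useful if they chain up to root
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// issue mints a constructed test certificate for key; parent == nil means self-signed.
// ku selects the profile: certSign marks a CA, digitalSignature a signer; all carry the code-signing EKU.
func issue(serial int64, cn string, ku x509.KeyUsage, key *ecdsa.PrivateKey, parent *x509.Certificate, pkey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err) // constructed inputs: issuance cannot legitimately fail
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, parses by construction
	return c
}

// Demo issues a constructed root -> intermediate -> leaf chain and returns the genuine root
// together with a verifier that checks that chain against whatever root the caller chooses to trust.
func Demo() (root *x509.Certificate, verifyWith func(trusted *x509.Certificate) error) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, intKey := gen(), gen()
	root = issue(1, "Vendor Root", x509.KeyUsageCertSign, rootKey, nil, nil)
	intermediate := issue(2, "Vendor Issuing CA", x509.KeyUsageCertSign, intKey, root, rootKey)
	leaf := issue(3, "Vendor Signer", x509.KeyUsageDigitalSignature, gen(), intermediate, intKey)
	return root, func(trusted *x509.Certificate) error {
		return VerifyChainAgainstRoot(leaf, []*x509.Certificate{intermediate}, trusted)
	}
}
```

Calling `Demo` twice yields two unrelated roots: the verifier from the first accepts its own root and rejects the second one, which is the behaviour a user-supplied-certificate API needs.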
@woodruffw (Member, Author)

Thinking about this more, maybe we could support verification against the trusted publishers store: we could have another repo that automatically extracts it from a GitHub Actions Windows runner on a periodic basis, and then consume that repo's output here.

@woodruffw (Member, Author)

woodruffw commented Dec 14, 2022

This looks like the right URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

And maybe this for revocations: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

(Maybe. It might be for an older version of Windows.)

@woodruffw (Member, Author)

https://unmitigatedrisk.com/?p=259 has a description of how to take the authrootstl.cab and actually retrieve the certs it references.

@woodruffw (Member, Author)

https://github.com/PeculiarVentures/tl-create is a tool that already does this (apparently by the same author as that blog).

Looks like this is what we want:

node src/bin/tl-create.js --microsoft --for 'CODE_SIGNING' --format pem roots.pem

@woodruffw (Member, Author)

https://github.com/robstradling/authroot.stl also contains a rolling update of the trusted certificate store.

@woodruffw (Member, Author)

https://github.com/trailofbits/windows-ctl gives us the ability to bundle the Trusted Publishers store. So this is no longer blocked; just needs attention.

@woodruffw (Member, Author)

https://www.ccadb.org/resources also has links for the code signing roots.

@woodruffw (Member, Author)

Got sufficiently annoyed at this: https://github.com/woodruffw/ms-codesigning-roots

@woodruffw woodruffw self-assigned this Dec 25, 2023
@ralphje

ralphje commented Jun 9, 2024

I came across this issue by accident, and wanted to point you to my repository, which I've built and which auto-updates: https://github.com/ralphje/mscerts

I'm also performing Authenticode checks in https://github.com/ralphje/signify and have been properly parsing CTLs for a while now (in particular here: https://github.com/ralphje/signify/blob/master/signify/authenticode/authroot.py).

The thing is, Microsoft creates a relatively complex ruleset for when a certificate is valid, in our case for code signing and time stamping. Not sure if you're willing to create this ruleset in your library as well, but just wanted to point you towards these.

2 participants