Signature should only be considered valid if cert is verified
https://github.com/saferwall/pe/blob/17e522178cedf23638f283fb6f7f467272394721/security.go#L401-L409
As I understand, this code compares the actual Authenticode hash against the hash in the signed message. However, the check is performed independently of certificate validation. Therefore, an unverified certificate chain has no effect, and SignatureValid can still end up being true as long as the hashes match.
I think it would be a good idea to consider the signature valid as long as the certificate chain can be verified to prevent misuse of the API.
signatureValid = signatureValid && certValid
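To make the proposed gating concrete, here is an added example (not saferwall/pe's own code) that models the two checks with Go's crypto/x509 and crypto/ecdsa against a constructed self-signed code-signing certificate; the names Result, Verify and Demo are chosen for this example and do not exist in the library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Result keeps hash comparison and chain check separate; SignatureValid needs both.
type Result struct{ HashMatch, CertValid, SignatureValid bool }

// Verify compares the computed image hash with the hash in the signed message,
// checks the signature over that hash with the leaf key, and verifies the leaf
// chains to roots; the final verdict is gated on all three checks.
func Verify(computed, signed, sig []byte, leaf *x509.Certificate, roots *x509.CertPool) Result {
	r := Result{HashMatch: bytes.Equal(computed, signed)}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	sigOK := ok && ecdsa.VerifyASN1(pub, signed, sig)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	_, err := leaf.Verify(opts)
	r.CertValid = err == nil
	r.SignatureValid = r.HashMatch && sigOK && r.CertValid
	return r
}

// Demo signs a constructed image digest with a constructed self-signed code-signing
// certificate and verifies it against a pool that trusts the signer and an empty pool.
func Demo() (trusted, untrusted Result) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:     pkix.Name{CommonName: "constructed test signer"},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	digest := sha256.Sum256([]byte("constructed PE image bytes")) // stands in for the Authenticode hash
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { panic(err) }
	pool := x509.NewCertPool(); pool.AddCert(cert)
	trusted = Verify(digest[:], digest[:], sig, cert, pool)                 // hashes match, chain trusted
	untrusted = Verify(digest[:], digest[:], sig, cert, x509.NewCertPool()) // hashes match, chain untrusted
	return trusted, untrusted
}
```

In the untrusted case the hashes still agree, which is exactly the state the issue describes; only the gated verdict keeps SignatureValid false there.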
Thanks a lot @cedws, that's a good catch! I will make a patch soon.
I would suggest using this fork of the pkcs7 library too, it seems to be more maintained: https://github.com/smallstep/pkcs7