osslsigncode doesn't retrieve missing intermediate certificates #403
Comments
Where will Windows download those certificates from?
Leaf certificate:
After downloading http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt:
I then don't know what to do with http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
Are you saying osslsigncode should download missing intermediate certificates from http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt? Honestly, missing intermediate certificates cause an invalid signature, and IMHO osslsigncode should report it as such.
If the goal of
It seems like Windows disagrees with this.
Replicating the behavior of Windows is not a goal of this project. If you need the exact behavior of Windows then feel free to use Windows instead.
Fair enough 👍
When validating the signature of an executable in Windows, Windows will automatically download missing intermediate certificates if needed and validate the binary.
`osslsigncode verify` will however only accept a binary if all the intermediate certificates are included in it.
Example
An exe is signed which only includes the leaf certificate and not the two intermediate certificates.
Windows will see the signature as valid by retrieving the intermediate certificate.
Before inspecting the exe:
![image](https://private-user-images.githubusercontent.com/568036/341774278-db8da8e4-0260-4f5f-bfb0-51a0a32f1b16.png)
After inspecting the exe:
![image](https://private-user-images.githubusercontent.com/568036/341774334-3339211a-10c7-4c2e-beee-e713a6103eb6.png)
Retrieved certificate path of exe:
![image](https://private-user-images.githubusercontent.com/568036/341774370-03081454-68f5-41fc-a7a4-30a34444e2dd.png)
Here is the certificate used:
And here are the two intermediate certificates: