Can signed executables be tampered with while retaining the integrity of the signature?

Question

I was wondering to what degree I can rely on the digital signatures on files (aka Digital Certificates from Verisign, Simantec etc), when deciding if it's been tampered with or not.

Say I want download an application version that's no longer on the original developer's site but available on a third party sites like cnet, oldapps.com or filehippo. I usually resort to search for old forum entries with people listing the MD5 or SHA1 hash signature to see if they match the hash on the one I've downloaded. That only works with really big devs who's software is widespread.

I was wondering if verifying the file's digital signature is another reliable means of ensuring the file came from the dev and wasn't altered by a third party?

What I'm asking is: if a hacker injects an already signed DLL or EXE with a malcode, effectively changing the file's hash, will it break the digital signature because the signature embeds some kind of digest? Or will the signature be completely unaffected?

Answer 1

I decided to answer my own question using an empirical approach rather than taking the taking the Digital Certification authorities word for it.

I devised an experiment where I used a hex editor to modify copies of wdksetup.exe (a signed WDK web installer from Microsoft's website) and studied how the digital signature is affected. I substituted 1byte all the way to 25KB and made a new copy each time I made a substitution. I also used ResourceHacker to add an icon group to one the which added an extra 400KB to the file.

Results:

• Substituting 1 single byte will change the SHA1 digest of a file but also cause its Signature to fail checks. The signature will still be there but it will fail any checks. If you send the file to VirusTotal, if you go to properties and click on details on the signature or if you try to run it and look at the Publisher line, you will be notified that the signature is no good. 1 single byte. Brilliant!

• That being said, I emphasize that the signature wasn't lost (even when I made substitutions of up to 25KB), so when you go to File properties, there will still be a Digital Signatures tab and it will still say Microsoft. This is very misleading and you have to be careful not to end your inspection there because that tab will still be there whether the signature is valid or not. To ensure that you have a good signature, you have to select the signature and click on details. You will then get a dialogue that tells you if that signature is valid or not. This describes the behavior I observed in Windows 7, I didn't have a copy of 8 or 10 handy to see how the properties dialogues behave there.

• Making massive size changing modifications to a file will result in the signature being completely destroyed.

(edit: I was curious to see the impact of size. I repeated the 1byte substitution experiment on a 250mb file with the same results. I was also curious to see if size impacts the possibility of getting collisions in when calculating digests. I did a 1 byte substitution in 3.5GB DVD iso which resulted in both different MD5 and SHA1 hashes.)