Verify Authenticode signature as being from our company for automatic updater

I am implementing an automatic update feature and need some advice on how to do this securely using best practices. I would like to use the downloaded file's Authenticode signature to verify that it is safe to run (i.e. originates from our company and hasn't been tampered with). My question is very similar to question #2008519.

The bottom-line question: what's the best, most secure way to check Authenticode signatures for an automatic update feature? What fields in the certificate should be checked? Requirements being: (1) check signature is valid, (2) check it's my signature, (3) old clients can still update when my certificate expires and I get a new one.

Here's some background information / ideas from my research: I believe this could be broken into two steps:

  1. Verify that the signature is valid. I believe this should be easy using WinVerifyTrust as outlined in http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx - I don't expect problems here.

  2. Verify that the signature corresponds to our company, and not another company. This seems to be a more difficult question to answer:

One possibility is to check some of the strings in the signature. Could be obtained via code at MS KB article #323809, but this article doesn't make recommendations on what fields should be checked for this type of application (or any other, for that matter). Question #1072540 also illustrates how to get some certificate info, but again doesn't recommend what fields to actually check. My concern is that the strings might not be the best check: what if another person is able to obtain a certificate with the same name, for example? Or if there's a valid reason for us to change the strings in the future?

The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.

James Johnston asked Jan 04 '11 15:01



1 Answer

> The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.

Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else's similar-looking certificate for your own.

Brian answered Oct 21 '22 09:10
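The following is an added example (not code from the question or answer) of the approach the answer recommends: the client embeds the publisher's own public keys and checks the downloaded file against them, so the decision never depends on certificate strings or on a CA. It uses a detached Ed25519 signature over the file instead of Authenticode/WinVerifyTrust, and the PinnedKey type, the "2011"/"2013" labels and the update payload are constructed for the demo; shipping the successor key before it is used is what lets old clients keep updating after the signing key changes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A publisher key compiled into the client. The label is for logs only;
// trust rests solely on the key bytes.
type PinnedKey struct {
	Label string
	Key   ed25519.PublicKey
}

// VerifyUpdate checks sig over the downloaded file against every pinned key
// and returns the label of the key that verified, or an error.
func VerifyUpdate(file, sig []byte, pinned []PinnedKey) (string, error) {
	digest := sha256.Sum256(file) // sign a fixed-size digest of the file
	for _, p := range pinned {
		if ed25519.Verify(p.Key, digest[:], sig) {
			return p.Label, nil
		}
	}
	return "", errors.New("update is not signed by a pinned publisher key")
}

// SignUpdate is the publisher-side step performed at release time.
func SignUpdate(file []byte, priv ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(file)
	return ed25519.Sign(priv, digest[:])
}

// RotationDemo replays the question's scenario: a client built while key
// "2011" is current also pins the successor "2013", so updates signed with
// either key verify, while a tampered file and a stranger's key are refused.
// Keys are generated fresh here (constructed input); real clients embed
// fixed public keys and never hold the private halves.
func RotationDemo() (oldOK, newOK, tamperedOK, strangerOK bool, err error) {
	pubOld, privOld, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pubNew, privNew, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, privStranger, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pinned := []PinnedKey{{"2011", pubOld}, {"2013", pubNew}}
	update := []byte("MZ... constructed update payload v2.0")
	tampered := append(append([]byte(nil), update...), '!')

	_, e1 := VerifyUpdate(update, SignUpdate(update, privOld), pinned)
	_, e2 := VerifyUpdate(update, SignUpdate(update, privNew), pinned)
	_, e3 := VerifyUpdate(tampered, SignUpdate(update, privNew), pinned)
	_, e4 := VerifyUpdate(update, SignUpdate(update, privStranger), pinned)
	return e1 == nil, e2 == nil, e3 == nil, e4 == nil, nil
}

func main() {
	a, b, c, d, err := RotationDemo()
	fmt.Println(a, b, c, d, err) // true true false false <nil>
}
```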