How can I validate digital signatures for Microsoft's Portable Executable format in portable code? [closed]

Answer 1

You could check at WINE's WinVerifyTrust implementation for a full programmatic way.

And, actually, here is a good link How to verify executable digital signatures under Linux? that complains about WINE implementation (that was back in 2008), and thus, explains the process in a quite "portable" way, provided you have something similar to OpenSSL available in your platform.

Answer 2

There is no general answer to this, especially as you have not specified on how far do you want to port it. Linux on x86 with open source libraries will be easier, uCos running on MIPS32 or Arduino will be next to impossible ..

First, you obviously have to be able to read and parse the PE format itself, in particular you have to be able to get contents of individual sections and hash them, like .text, .data etc. For in depth look at how its put together, look here:

http://msdn.microsoft.com/en-us/magazine/cc301805.aspx http://msdn.microsoft.com/en-us/magazine/ms809762.aspx

Now you want this to be portable, so you can either roll your own PE reader/limited writer, or look around in some of the open source projects that already do this. Try ReactOS or Mono. Or if you are happy running python, try this http://code.google.com/p/pefile/

Second, as you are dealing with cryptography, digital signatures, and X.509 certificates, you pretty much need a full blown portable crypto library to perform signing, certificate chain validation and so on. If you are happy with GPL, try OpenSSL or CyaSSL, or Botan if you want BSD license.

The precise format of Authenticode signatures, the signing process and the validations process is desribed here: http://www.microsoft.com/whdc/winlogo/drvsign/Authenticode_PE.mspx ( Authenticode_PE.docx )

It will require quite a bit of code to pull everything together.

Answer 3

The question is rather old, but I put my answer for those who's still facing the same problem.

You can use osslsigncode tool to verify MS Authenticode signatures on Linux or other *nix systems. However the tool just verifies the signature itself and doesn't checks certificate revocation, timestamp validity etc. though you can extract the data from the signature and do it manually.

Answer 4

Microsoft Authenticode is certainly not a big hush-hush secret and you can download technical specs and more about how Authenticode works. You can also download technical information about Windows PE file format. Since you did not clearly state weather you wanted something for Linux, Mac, or a smartphone, I can not provide you with an adequate solution. However, with the information I provided you above, along with OpenSSL, you should be able to create your own program to do this in the language and OS of your choice.