authenticode

问题 We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software. Our PCI compliance auditor has asked us to protect against the following situation: After downloading our executable file, a malicious person alters the file. An observant person would be

问题 When using Set-AuthenticodeSignature , there is an option called IncludeChain . While there is documentation about what each of the options are, I haven't been able to uncover much guidance surrounding the advantages/disadvantages of each setting (when you would pick one setting over another). Everywhere I see IncludeChain in examples, it is always set to All . I think All is likely the best answer, but I'd like to understand the benefits and disadvantages of each of the settings. Signer

问题 I purchased an authenticode certificate from a well known provider. Now I want to strong name an assembly and later on digitally sign it. This is what I've done so far: Extracted public key from pfx by running sn.exe -p keypair.pfx key.snk Checked both "Sign the assembly" and "Delay sign only" checkboxes on project properties signing tab Provided key.snk as keyfile to sign with Extracted public key token by running sn.exe -tP key.snk Disabled strong name verification on my devbox by running

问题 I developed a free personal finance application. It is a hobby for me. I have it on my website for download. http://moneyble.com/download/ I frequently (once a month or so) release a new version. So the file's hash changes. When the file is downloaded from my website the browser displays a warning that the file is not commonly downloaded and can be dangerous. Also on Windows 8 machines SmartScreen warning pops up. Both these warnings are killing any new users who try to download my software.

问题 Having read about strong names in .NET here, for example, I have the following question: We have an Authenticode code signing certificate with which we sign all our EXE, DLL and MSI files. The benefit of that is that Windows knows the MSI comes from a trusted source, and also that the authenticity of each file can be verified if required. We currently do not use .NET strong names . I have read that strong-naming a file essentially means that it is digitally signed with a self-signed

问题 I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails: :: Signs with the SHA-1 certificate signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe :: Signs with the SHA-2 certificate signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app

问题 I'm writing a function for an installer DLL to verify the Authenticode signature of EXE files already installed on the system. The function needs to: A) verify that the signature is valid. B) verify that the signer is our organization. Because this is in an installer, and because this needs to run on older Win2k installations, I don't want to rely on CAPICOM.dll, as it may not be on the target system. The WinVerifyTrust API works great to solve (A). I need to find a way to compare a known

问题 I created an application which comprises a number of *.exe files. I've packaged these up into an NSIS installer which I hosted on my website. When I try to download it Chrome reports it as potentially malicious. At first I thought it could be the URL/site I was hosting on not being recognized so I signed up for Amazon S3 storage and moved the file there. Same problem. I then thought that packing the executables might cause this, so I tried without. Same issue. After some more reading I

问题 I was able to sign a js file with PowerShell Set-AuthenticodeSignature. After that i can see signature appeared in file in form of: // SIG // Begin signature block // SIG // MIIKgAYJKoZIhvcNAQcCoIIKcTCCCm0CAQExCzAJBgUr // SIG // .... // SIG // End signature block I can validate signature using Get-AuthenticodeSignature. It says that sig is valid, but I cant find a way to validate signature in C# code. All of those options failed: X509Certificate.CreateFromSignedFile X509Certificate object c#

问题 I do not want to verify the certificate. I want to use this on a build server to check all files and list the one that we may have forgot to sign. 回答1: How about using the Get-AuthenticodeSignature PowerShell cmdlet? The description says: If the file is not signed, the information is retrieved, but the fields are blank. 回答2: There is a way: The WinVerifyTrust API can be used to verify the signature of a portable executable file. (source) 回答3: Also you can use node implementation of