问题
I was able to sign a js file with PowerShell Set-AuthenticodeSignature. After that i can see signature appeared in file in form of:
// SIG // Begin signature block
// SIG // MIIKgAYJKoZIhvcNAQcCoIIKcTCCCm0CAQExCzAJBgUr
// SIG // ....
// SIG // End signature block
I can validate signature using Get-AuthenticodeSignature. It says that sig is valid, but I cant find a way to validate signature in C# code. All of those options failed:
- X509Certificate.CreateFromSignedFile
- X509Certificate object c# performance and memory issues alternative – fixed
- Used WinVerifyTrust from Wintrust.dll
- Ported part of Get-AuthenticodeSignature from PowerShell!
Maybe there are some specific apis to validate js signatures?
回答1:
I recently encountered similar problem and let me show what I did to solve this problem. Before I go , there are few assumptions I make now. Please correct me if I am wrong.
- wintrust is working for all other cases other than script files like .js or .vbs
- You might have attempted "wintrustverify" from an console application (C#)
I figured it out this happens only with script files as I have mentioned above because wintrust behaves wierdly when its methods are being executed from free-threaded apartment model (MTA). Once it's been wrapped inside a STA thread, it started working for me. Later I came to know it is a historical issue that we should have taken a precaution when we deal with any COM components interoperations from .Net application.
Here is the code snippet, you can replace the verifysignature with your wintrust code logic and try. I hope this helps.
public static void CheckSignature()
{
STAApartment apt = new STAApartment();
var result = apt.Invoke(() =>
{
return VerifySignature(@".\signedjsfile.js", false);
});
Console.WriteLine(result);
}
private static WinVerifyTrustResult VerifySignature(string filePath, bool verifySignatureOnly)
{
using (var wtd = new WinTrustData(new WinTrustFileInfo(filePath))
{
dwUIChoice = WintrustUIChoice.WTD_UI_NONE,
dwUIContext = WinTrustDataUIContext.WTD_DATA_UI_EXECUTE,
fdwRevocationChecks = WinTrustDataRevocationChecks.WTD_REVOCATION_CHECK_WHOLECHAIN,
dwStateAction = WintrustAction.WTD_STATEACTION_IGNORE,
dwProvFlags = verifySignatureOnly ? WintrustProviderFlags.WTD_HASH_ONLY_FLAG : WintrustProviderFlags.WTD_REVOCATION_CHECK_CHAIN
})
{
var result = WinTrust.WinVerifyTrust(
WinTrust.INVALID_HANDLE_VALUE, new Guid(WinTrust.WINTRUST_ACTION_GENERIC_VERIFY_V2), wtd
);
return result;
}
}
public class STAApartment
{
public T Invoke<T>(Func<T> func)
{
var tcs = new TaskCompletionSource<T>();
Thread thread = new Thread(() =>
{
try
{
tcs.SetResult(func());
}
catch (Exception e)
{
tcs.SetException(e);
}
});
thread.SetApartmentState(ApartmentState.STA);
thread.Start();
return tcs.Task.Result;
}
}
回答2:
WinVerifyTrust supports verifying files other than executables using the WTD_CHOICE_BLOB flag. Make sure you provide the WINTRUST_BLOB_INFO struct with the correct subject interface package (SIP). From what I can see, Get-AuthenticodeSignature command uses the PowerShell SIP {603bcc1f-4b59-4e08-b724-d2c6297ef351} to verify the signature. I assume Set-AuthenticodeSignature uses the same SIP to sign the script.
来源:https://stackoverflow.com/questions/41138445/how-to-validate-authenticode-for-javascript-in-c-sharp