certificate_tag

command
v0.0.0-...-c3e428c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 11, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README 

certificate_tag.go is a tool for manipulating "tags" in Authenticode-signed,
Windows binaries.

Traditionally we have inserted tag data after the PKCS#7 blob in the file
(called an "appended tag" here). This area is not hashed in when checking
the signature so we can alter it at serving time without invalidating the
Authenticode signature.

However, Microsoft are changing the verification function to forbid that so
this tool also handles "superfluous certificate" tags. These are dummy
certificates, inserted into the PKCS#7 certificate chain, that can contain
arbitrary data in extensions. Since they are also not hashed when verifying
signatures, that data can also be changed without invalidating it.

More details are here: http://b/12236017

The tool was updated in 2020 to support MSI files: b/172261939, b/165818147.

The test file is integrated from google3, but is modified here to make it
easier to run outside of google3; see the comment near the beginning of
certificate_tag_test.go

Documentation

Overview

Copyright 2015 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ========================================================================

Program certificate_tag manipulates "tags" in Authenticode-signed Windows binaries.

Traditionally we have inserted tag data after the PKCS#7 blob in the file (called an "appended tag" here). This area is not hashed in when checking the signature so we can alter it at serving time without invalidating the Authenticode signature.

However, Microsoft are changing the verification function to forbid that so this tool also handles "superfluous certificate" tags. These are dummy certificates, inserted into the PKCS#7 certificate chain, that can contain arbitrary data in extensions. Since they are also not hashed when verifying signatures, that data can also be changed without invalidating it.

The tool supports PE32 exe files and MSI files.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.