Documentation ¶
Overview ¶
Program exetag-tool manipulates "tags" in Authenticode-signed Windows binaries.
Traditionally we have inserted tag data after the PKCS#7 blob in the file (called an "appended tag" here). This area is not hashed in when checking the signature so we can alter it at serving time without invalidating the Authenticode signature.
However, Microsoft are changing the verification function to forbid that so this tool also handles "superfluous certificate" tags. These are dummy certificates, inserted into the PKCS#7 certificate chain, that can contain arbitrary data in extensions. Since they are also not hashed when verifying signatures, that data can also be changed without invalidating it.
The tool supports PE32 exe files and MSI files.