mercredi 11 février 2015

Does a valid code signing certificate mean that an installer has not been tampered with in transit?



Several dominant software vendors distribute updates over HTTP or over HTTPS with bad certificates. In general, it doesn't seem like I can expect to rely on a secure channel to ensure that an installer is not tampered with in transit.


It looks like all of the installers have valid signatures. This is a typical screen when I check the properties of an installer file:


enter image description here


The operative part of the dialog box is "This digital signature is OK." What is not clear is what portion of the file the signature is attesting to. You would expect this to be all of the file, but I haven't found a statement from Microsoft confirming that. I also vaguely recall a tweet rumoring that only parts of a file are attested to by a code signing signature.




  1. What parts of a file are checked by windows when checking whether a code signing signature is "OK"?




  2. Are there known third-party attacks that use correctly-signed installers from a trusted second party as a vector?







Aucun commentaire:

Enregistrer un commentaire