code signing – Page 3 – WindowsTechs.com

How to deal with targeted attacks from publisher when verifying the integrity of native applications and validating their source code?

Posted on June 11, 2022 by tyhdev

I am trying to reason about how native apps can avoid the problems web apps have in dealing with the "Browser Cryptography Chicken and Egg" problem, which has been discussed numerous times on this site, perhaps most notably here:… Continue reading How to deal with targeted attacks from publisher when verifying the integrity of native applications and validating their source code?→

Can’t sign commit with yubikey, GPG missing something

Posted on June 2, 2022 by Rafaelo

I don’t know much about how yubikeys work, but I’m trying to sign a commit with one of them and I don’t even know how to debug the problem. I got:
gpg –list-keys
/home/lz/.gnupg/pubring.kbx
—————————
pub ed25519 2018-1… Continue reading Can’t sign commit with yubikey, GPG missing something→

Interaction of a Code Signature and a Timestamp token from a TSA

Posted on May 31, 2022 by Xershy

I’m currently in the process of writing a program that:

Reads a binary file (a C++ program) and creates a SHA256 hash of the data (like a checksum)
Use this calculated hash and a self signed CA certificate to create a CMS signature using … Continue reading Interaction of a Code Signature and a Timestamp token from a TSA→

How do I compare a signed .exe file with the unsigned version of the same .exe file?

Posted on May 25, 2022 by Rasmus B. Sorensen

I have had some binary executable files (.exe) for Windows signed, I have checked the signature of the signed files, but I would also like to check that the file that I sent for signing is indeed identical to the signed file that I got bac… Continue reading How do I compare a signed .exe file with the unsigned version of the same .exe file?→

Is signing a file better than issuing a checksum, and does it render a separate checksum useless?

Posted on May 5, 2022 by kmfsousa

Alternatively, the question could be asked: Does issuing a checksum for a file we sign anyways just duplicate work?
Use case: Firmware sent to an IoT device. We sign it, and form a separate checksum for it.
My understanding is that this is… Continue reading Is signing a file better than issuing a checksum, and does it render a separate checksum useless?→

How do GPG smart card devices handle large GPG operations?

Posted on April 11, 2022 by VixieTSQ

How do GPG smart card devices (such as a Yubikey) handle large GPG operations? Such as signing binary programs.
My first 2 pet theories are:

There’s some way to chunk up GPG operations or use some magic to stream data into and out of the … Continue reading How do GPG smart card devices handle large GPG operations?→

Are .NET runtime really not signed?

Posted on March 27, 2022 by MrCalvin

I’m doing a manual install on Linux of the .NET runtime which can be downloaded from dotnet.microsoft.com.
MS do provide a SHA512 checksum of the file on the site, but that can’t be use to verify the sincerity of the file.
So am I missing … Continue reading Are .NET runtime really not signed?→

TPM Endorsement Key usage in secure and trusted boot

Posted on March 22, 2022 by Engineer999

Taking into account a Root of Trust in a device using a TPM.
My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures with the vendors public key.
The TPM E… Continue reading TPM Endorsement Key usage in secure and trusted boot→

How can a .exe be modified and still keep a valid digital signature?

Posted on March 19, 2022 by tree1234

When a Windows .exe installer is code-signed, I thought that modifying a single byte (thus changing its SHA256 hash) would make the digital signature invalid, but surprisingly, this is not true.
Indeed, as reported two days ago in Each Fir… Continue reading How can a .exe be modified and still keep a valid digital signature?→

Secure boot after an OTA update confusion

Posted on March 14, 2022 by Engineer999

My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, applications etc. before loading.
When… Continue reading Secure boot after an OTA update confusion→