Collaborate Disseminate
I have had some binary executable files (.exe) for Windows signed, I have checked the signature of the signed files, but I would also like to check that the file that I sent for signing is indeed identical to the signed file that I got bac… Continue reading How do I compare a signed .exe file with the unsigned version of the same .exe file?
Alternatively, the question could be asked: Does issuing a checksum for a file we sign anyways just duplicate work?
Use case: Firmware sent to an IoT device. We sign it, and form a separate checksum for it.
My understanding is that this is… Continue reading Is signing a file better than issuing a checksum, and does it render a separate checksum useless?
How do GPG smart card devices (such as a Yubikey) handle large GPG operations? Such as signing binary programs.
My first 2 pet theories are:
There’s some way to chunk up GPG operations or use some magic to stream data into and out of the … Continue reading How do GPG smart card devices handle large GPG operations?
I’m doing a manual install on Linux of the .NET runtime which can be downloaded from dotnet.microsoft.com.
MS do provide a SHA512 checksum of the file on the site, but that can’t be use to verify the sincerity of the file.
So am I missing … Continue reading Are .NET runtime really not signed?
Taking into account a Root of Trust in a device using a TPM.
My understanding is that the bootloader, firmware, operating system, applications etc. are all verified on startup by validating signatures with the vendors public key.
The TPM E… Continue reading TPM Endorsement Key usage in secure and trusted boot
When a Windows .exe installer is code-signed, I thought that modifying a single byte (thus changing its SHA256 hash) would make the digital signature invalid, but surprisingly, this is not true.
Indeed, as reported two days ago in Each Fir… Continue reading How can a .exe be modified and still keep a valid digital signature?
My understanding is that secure boot works by verifying each stage in the boot process before proceeding. So first, UEFI or booting firmware will validate the signature of the bootloader, then kernel, applications etc. before loading.
When… Continue reading Secure boot after an OTA update confusion
It seems easy to sign kernel modules at compile time. Apparently, you just set CONFIG_MODULE_SIG_ALL=y in your .config file and then the compiler will perhaps give you the appropriate errors until you have installed acceptable certificates… Continue reading How To First Strip and Then Sign Kernel Modules at Complie Time
I have environmental constraints where the cyber and safety functions are segregated such that safety operations are handled by one unit and cyber operations such as firewall, HIDS, secure storage etc. are handled by another unit that is s… Continue reading double hashing for code signing and verification
Signing your applications with an OV code signing certificate enables them to build reputation together in Microsoft SmartScreen, rather than each binary building reputation separately. This allows developers to publish updated binaries wi… Continue reading Why does Microsoft SmartScreen require OV certificates to be signed by a trusted CA?