oss-sec mailing list archives

Re: Re: Best practices for signature verification


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 5 Jan 2026 08:01:40 -0500

On Mon, Jan 5, 2026 at 7:54 AM Valtteri Vuorikoski <vuori () notcom org> wrote:

On Sun, Jan 04, 2026 at 11:56:06AM +0000, Peter Gutmann wrote:
As an aside, is anyone aware of a single-source design document for what
Authenticode does?   There's a million web pages related to the business of
selling signing certs, and less than a million on using it, but I can't find a
single-source design doc, just lots of stuff in various places that I've
picked up over the years.  By "single-source doc" I mean something that
addresses all of the above issues and related ones in one place.

Are you looking for something more detailed than the Microsoft document titled
"Windows Authenticode Portable Executable Signature Format" from 2008?

Download from the horse's mouth:
<https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/authenticode_pe.docx>

Nice find.  I remember the document, but I could not find it in my
collection of old documents.

Also of interest may be some entries from the Wayback machine of
Microsoft's site at
<https://web.archive.org/web/20030210220956/http://msdn.microsoft.com/workshop/security/authcode/authenticode_ovw_entry.asp>.
The original page was titled "Authenticode Overviews and Tutorials".

Jeff

