oss-sec mailing list archives

Re: Re: Best practices for signature verification


From: Morten Linderud <morten () linderud pw>
Date: Mon, 5 Jan 2026 17:17:31 +0100

On Mon, Jan 05, 2026 at 08:01:40AM -0500, Jeffrey Walton wrote:
> On Mon, Jan 5, 2026 at 7:54 AM Valtteri Vuorikoski <vuori () notcom org> wrote:
>>
>> On Sun, Jan 04, 2026 at 11:56:06AM +0000, Peter Gutmann wrote:
>>> As an aside, is anyone aware of a single-source design document for what
>>> Authenticode does?   There's a million web pages related to the business of
>>> selling signing certs, and less than a million on using it, but I can't find a
>>> single-source design doc, just lots of stuff in various places that I've
>>> picked up over the years.  By "single-source doc" I mean something that
>>> addresses all of the above issues and related ones in one place.
>>
>> Are you looking for something more detailed than the Microsoft document titled
>> "Windows Authenticode Portable Executable Signature Format" from 2008?
>>
>> Download from the horse's mouth:
>> <https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/authenticode_pe.docx>
>
> Nice find.  I remember the document, but I could not find it in my
> collection of old documents.
>
> Also of interest may be some entries from the Wayback machine of
> Microsoft's site at
> <https://web.archive.org/web/20030210220956/http://msdn.microsoft.com/workshop/security/authcode/authenticode_ovw_entry.asp>.
> The original page was titled "Authenticode Overviews and Tutorials".
>
> Jeff

This is the latest edition of the Microsoft Authenticode specification.

https://aka.ms/AuthenticodeSpec

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
