oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Best practices for signature verifcation

From: Peter Gutmann <pgut001 () cs auckland ac nz>
Date: Tue, 6 Jan 2026 02:22:47 +0000
Valtteri Vuorikoski <vuori () notcom org> writes:

On Sun, Jan 04, 2026 at 11:56:06AM +0000, Peter Gutmann wrote:

As an aside, is anyone aware of a single-source design document for what
Authenticode does?

Are you looking for something more detailed than the Microsoft document titled
"Windows Authenticode Portable Executable Signature Format" from 2008?


Not more detailed, but something that talks about the "keys and signatures
fall from the sky and the timestamping fairy blesses them" issue.  The
referenced doc just covers Microsoft's additions to PKCS #7 and what gets
hashed for the signature, it's just another big-bagging format doc along the
lines of RFC 9580 for the OpenPGP equivalent.

I'll try pinging an exmsft security person, it may be that such a doc doesn't
actually exist, or is internal-only.

Peter.
Previous By Date Next
Previous By Thread Next

Current thread: