Re: Verifying a Signed Executable before running it on a remote machine.

From: Michel Gallant (neutron_at_istar.ca)
Date: 05/08/04


Date: Sat, 8 May 2004 10:06:27 -0400


"Johnny Sandaire" <webzest@comcast.net> wrote in message
news:15baeecf.0405080507.514c314e@posting.google.com...
> Mitch,

--- snip ----
> Here then are my questions: Is there a way to verify the actual root
> CA?
> For Example, if Microsoft were to be its own Root CA and issued
> Certificates to its developers to sign their local code, how would
> Microsoft verify if an EXE came from within and allow the executable
> to run locally?

To ensure you trust the issuer, right up to the Root CA cert (which should
have been securely installed, either by the Microsoft root update process, or,
if you installed a root CA yourself, by checking the hash of that root CA by an
out-of-band process (calling the root CA owner who you trust over the phone, etc.)).

CAPI of course supports getting the entire issuance trust ladder:
  CertGetCertificateChain()
but CAPICOM makes this much easier via oCertificate.Verify() which has many verify status flags.

If there is only one issuer, you can simply look at the cert issuer IssuerName, search in
your Root cert store, get the matching cert(s), use their public key(s) to verify the signature
on the cert embedded in your Authenticode signature, and then you determine if that was
the REAL issuer (based on the cert signature properly checking out).

- Mitch
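
The chain check described in the reply above, as an added example that is not part of the original post: it uses PowerShell's `Get-AuthenticodeSignature` and the .NET `X509Chain` class rather than CAPI or CAPICOM, and pins the chain's root to a thumbprint you confirmed out of band. The function name `Test-SignerRoot`, its parameters, and the path and thumbprint in the usage comment are hypothetical placeholders.

```powershell
# Added example (not from the original post). Test-SignerRoot and its
# parameter names are hypothetical.
function Test-SignerRoot {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the root CA you trust, confirmed out of band.
        [Parameter(Mandatory)] [string] $RootThumbprint
    )

    # 1. Authenticode check: file hash matches and Windows trusts the signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }

    # 2. Build the issuance chain for the signer certificate, requiring the
    #    code-signing EKU and checking revocation for every non-root element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void] $chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)

    if (-not $chain.Build($sig.SignerCertificate)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain error: $($s.Status) $($s.StatusInformation)"
        }
        return $false
    }

    # 3. The last chain element is the root. Require that it is self-issued
    #    and that it is the specific root you expect, not just any trusted one.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $expected = ($RootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($root.Subject -ne $root.Issuer -or $root.Thumbprint -ne $expected) {
        Write-Warning "Unexpected root: $($root.Subject) [$($root.Thumbprint)]"
        return $false
    }
    return $true
}

# Usage (placeholder path and thumbprint):
# Test-SignerRoot -Path 'C:\path\to\app.exe' -RootThumbprint '<root thumbprint>'
```

The chain here is evaluated at the current time, so a file with a timestamped signature whose signer certificate has since expired can pass step 1 and still fail step 2.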


