admin管理员组文章数量:1406036
I have a Windows application (written in Rust, but the language isn't the key point here) that periodically checks online for new versions of itself, downloads an .msi installer if an update is available, and executes it to update the app.
These .msi installers are signed using Azure Trusted Signing, which differs from traditional code signing because it does not expose public certificates (since they rotate frequently). This makes it unclear how to properly validate the signature of the downloaded MSI before executing it.
So far, I can check the signature status If I used PowerShell, it would be something like:
Get-AuthenticodeSignature -FilePath "C:\path\to\binary.msi"
Then, with the result, I can check that the signature is valid and verify the issuer and subject of the signing certificate.
However, I’m unsure what additional checks I should implement to ensure the MSI was truly signed by my trusted Azure Trusted Signing setup.
Is there a way to validate the thumbprint?
Should I be checking EKU (Enhanced Key Usage)?
Is there a reliable way to enforce certificate chain validation programmatically?
I haven’t found a clear answer in the documentation or elsewhere. What is the recommended approach for verifying Azure Trusted Signing signatures in an auto-update system?
I have a Windows application (written in Rust, but the language isn't the key point here) that periodically checks online for new versions of itself, downloads an .msi installer if an update is available, and executes it to update the app.
These .msi installers are signed using Azure Trusted Signing, which differs from traditional code signing because it does not expose public certificates (since they rotate frequently). This makes it unclear how to properly validate the signature of the downloaded MSI before executing it.
So far, I can check the signature status If I used PowerShell, it would be something like:
Get-AuthenticodeSignature -FilePath "C:\path\to\binary.msi"
Then, with the result, I can check that the signature is valid and verify the issuer and subject of the signing certificate.
However, I’m unsure what additional checks I should implement to ensure the MSI was truly signed by my trusted Azure Trusted Signing setup.
Is there a way to validate the thumbprint?
Should I be checking EKU (Enhanced Key Usage)?
Is there a reliable way to enforce certificate chain validation programmatically?
I haven’t found a clear answer in the documentation or elsewhere. What is the recommended approach for verifying Azure Trusted Signing signatures in an auto-update system?
- Is the issuer of the signing cert a CA? Then you could parse the signing certificate and check the validity + if it is from the correct CA. – Robert Commented Mar 7 at 18:32
1 Answer
Reset to default 1In theory, if you want to do this programmatically, you do have a way to download the certificate chain from trusted signing, you could use the Azure.Codesigning.Sdk to download the certificate chain:
var response = await _client.GetSignCertificateChainAsync(_accountName, _certificateProfileName, cancellationToken: cancellationToken);
using (response.Value)
{
byte[] rawData = new byte[response.Value.Length];
response.Value.Read(rawData, 0, rawData.Length);
X509Certificate2Collection collection = [];
collection.Import(rawData);
// This should contain the certificate chain in root->leaf order.
_certificate = collection[collection.Count - 1];
}
A couple of notes though:
- You could verify against the thumbprint, but it changes daily, so you will need to retrieve the certificate chain at the same time as you signed the file.
- The EKU will not change on each certificate renewal.
- You can always verify against the issuer and subject.
本文标签: How to verify files signed by Azure Trusted Signing on WindowsStack Overflow
版权声明:本文标题:How to verify files signed by Azure Trusted Signing on Windows - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744964365a2634851.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论