GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → trailofbits → uthenticode

trailofbits / uthenticode

Licence: MIT license
A cross-platform library for verifying Authenticode signatures

Programming Languages

C++
36643 projects - #6 most used programming language
CMake
9771 projects
Makefile
30231 projects
shell
77523 projects
Dockerfile
14818 projects

Labels

authenticodehacktoberfestcode-signing

Projects that are alternatives of or similar to uthenticode

AzureSignTool
SignTool Library and Azure Key Vault Support
Stars: ✭ 157 (+67.02%)
Mutual labels:  authenticode
valist
Web3-native software distribution. Publish and install executables, Docker images, WebAssembly, and more. Powered by Ethereum, IPFS, and Filecoin.
Stars: ✭ 107 (+13.83%)
Mutual labels:  code-signing
pamplejuce
A JUCE Plugin CI template. JUCE 7 & Catch2 with macOS notarization and Windows EV code signing on Github Actions
Stars: ✭ 115 (+22.34%)
Mutual labels:  code-signing
powershell-codesigning
Create and use code signing certificates with PowerShell
Stars: ✭ 16 (-82.98%)
Mutual labels:  authenticode
cas
Codenotary Community Attestation Service (CAS) for notarization and authentication of digital artifacts
Stars: ✭ 137 (+45.74%)
Mutual labels:  code-signing

uthenticode

Build Status

uthenticode (stylized as μthenticode) is a small cross-platform library for verifying Authenticode digital signatures.

Read our blog post on verifying Windows binaries without Windows!

What?

Authenticode is Microsoft's code signing technology, designed to allow signing and verification of programs.

μthenticode is a cross-platform reimplementation of the verification side of Authenticode. It doesn't attempt to provide the signing side.

Why?

Because the official APIs (namely, the Wintrust API) for interacting with Authenticode signatures are baked deeply into Windows, making it difficult to verify signed Windows executables on non-Windows hosts.

Other available solutions are deficient:

  • WINE implements most of Wintrust, but is a massive (and arguably non-native) dependency for a single task.
  • osslsigncode can add signatures and check timestamps, but is CLI-focused.

Beware!

μthenticode is not identical to the Wintrust API. Crucially, it cannot perform full-chain verifications of Authenticode signatures, as it lacks access to the Trusted Publishers store.

You should use μthenticode to verify the embedded chain. You should not assume that a "verified" binary from μthenticode's perspective will run on an unmodified Windows system.

Building

μthenticode depends on pe-parse and OpenSSL 1.1.0.

pe-parse (and OpenSSL, if you don't already have it) can be installed via vcpkg:

$ vcpkg install pe-parse

The rest of the build is standard CMake:

$ mkdir build && cd build
$ cmake ..
$ cmake --build .
# the default install prefix is the build directory;
# use CMAKE_INSTALL_PREFIX to modify it
$ cmake --build . --target install

If you have doxygen installed, you can build μthenticode's documentation with the top-level Makefile:

$ make doc

Pre-built (master) documentation is hosted here.

You can build the (gtest-based) unit tests with -DBUILD_TESTS=1.

Usage

μthenticode's public API is documented in uthenticode.h and in the Doxygen documentation (see above).

The svcli utility also provides a small example of using μthenticode's APIs. You can build it by passing -DBUILD_SVCLI=1 to cmake:

$ cmake -DBUILD_SVCLI=1 ..
$ cmake --build .
$ ./src/svcli/svcli /path/to/some.exe

Resources

The following resources were essential to uthenticode's development:

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].