certificate_tag

command
v0.0.0-...-c3e428c Latest
Published: Apr 11, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README

certificate_tag.go is a tool for manipulating "tags" in Authenticode-signed,
Windows binaries.

Traditionally we have inserted tag data after the PKCS#7 blob in the file
(called an "appended tag" here). This area is not hashed in when checking
the signature so we can alter it at serving time without invalidating the
Authenticode signature.
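To make the appended-tag layout concrete, the following example (added here; it is not the tool's own code) parses one WIN_CERTIFICATE entry from a PE file's attribute certificate table, walks the outer DER length of the PKCS#7 SignedData object to find where the signed blob ends, and returns whatever bytes follow it inside the entry. The header layout and the constants 0x0200 (WIN_CERT_REVISION_2_0) and 0x0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA) come from the PE specification. The sample table is constructed inline: a five-byte DER object stands in for a real PKCS#7 blob, and `buildSampleTable` and the tag text exist only for the demonstration; the real tool's tag framing is not reproduced.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// winCertHeaderLen is the size of the WIN_CERTIFICATE header
// (dwLength, wRevision, wCertificateType) that precedes bCertificate.
const winCertHeaderLen = 8

const (
	winCertRevision2 = 0x0200 // WIN_CERT_REVISION_2_0
	winCertTypePKCS7 = 0x0002 // WIN_CERT_TYPE_PKCS_SIGNED_DATA
)

// derObjectLen returns the total encoded size (tag byte + length bytes +
// content) of the DER object at the start of b. Short and long-form
// lengths up to four bytes are handled; anything else is rejected.
func derObjectLen(b []byte) (int, error) {
	if len(b) < 2 {
		return 0, errors.New("DER object too short")
	}
	l := int(b[1])
	hdr := 2
	if l&0x80 != 0 {
		n := l & 0x7f
		if n == 0 || n > 4 || len(b) < 2+n {
			return 0, errors.New("unsupported DER length encoding")
		}
		l = 0
		for i := 0; i < n; i++ {
			l = l<<8 | int(b[2+i])
		}
		hdr += n
	}
	total := hdr + l
	if total > len(b) {
		return 0, fmt.Errorf("DER object length %d exceeds buffer of %d bytes", total, len(b))
	}
	return total, nil
}

// splitAttributeCertificate takes the bytes of a single WIN_CERTIFICATE
// entry and returns the PKCS#7 blob and the bytes that follow it inside
// the entry: the region an appended tag lives in. Neither the header nor
// that trailing region is covered by the Authenticode hash.
func splitAttributeCertificate(table []byte) (pkcs7, appended []byte, err error) {
	if len(table) < winCertHeaderLen {
		return nil, nil, errors.New("certificate table shorter than WIN_CERTIFICATE header")
	}
	length := int(binary.LittleEndian.Uint32(table[0:4]))
	revision := binary.LittleEndian.Uint16(table[4:6])
	certType := binary.LittleEndian.Uint16(table[6:8])
	if revision != winCertRevision2 || certType != winCertTypePKCS7 {
		return nil, nil, fmt.Errorf("unexpected WIN_CERTIFICATE revision %#x / type %#x", revision, certType)
	}
	if length < winCertHeaderLen || length > len(table) {
		return nil, nil, fmt.Errorf("WIN_CERTIFICATE dwLength %d inconsistent with table size %d", length, len(table))
	}
	body := table[winCertHeaderLen:length]
	n, err := derObjectLen(body)
	if err != nil {
		return nil, nil, err
	}
	return body[:n], body[n:], nil
}

// buildSampleTable constructs a WIN_CERTIFICATE entry whose body is a
// five-byte DER SEQUENCE { INTEGER 1 } standing in for a PKCS#7 blob,
// followed by the given tag bytes. Constructed sample data, not a real
// signature; dwLength covers the header, the blob and the tag.
func buildSampleTable(tag []byte) []byte {
	fakePKCS7 := []byte{0x30, 0x03, 0x02, 0x01, 0x01}
	body := append(append([]byte{}, fakePKCS7...), tag...)
	hdr := make([]byte, winCertHeaderLen)
	binary.LittleEndian.PutUint32(hdr[0:4], uint32(winCertHeaderLen+len(body)))
	binary.LittleEndian.PutUint16(hdr[4:6], winCertRevision2)
	binary.LittleEndian.PutUint16(hdr[6:8], winCertTypePKCS7)
	return append(hdr, body...)
}

func main() {
	table := buildSampleTable([]byte("example-tag"))
	pkcs7, appended, err := splitAttributeCertificate(table)
	if err != nil {
		panic(err)
	}
	fmt.Printf("PKCS#7 blob: % x\n", pkcs7)
	fmt.Printf("appended tag: %q\n", appended)
}
```

A reviewer or forensic tool can run the same split over the certificate table of a real binary (located through the Certificate Table entry of the PE optional header's data directories, which this example does not parse) and diff the trailing bytes across copies of the same build: since the hash covers neither the WIN_CERTIFICATE header nor anything after the DER object, a difference there leaves the signature valid and would otherwise go unnoticed.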

However, Microsoft are changing the verification function to forbid that so
this tool also handles "superfluous certificate" tags. These are dummy
certificates, inserted into the PKCS#7 certificate chain, that can contain
arbitrary data in extensions. Since they are also not hashed when verifying
signatures, that data can also be changed without invalidating it.
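A superfluous-certificate tag in miniature, as an added example rather than the tool's code: a self-signed dummy certificate carrying tag bytes in a non-critical X.509 extension, a parser that reads the bytes back, and a helper that lists every extension OID a certificate carries. The OID 2.999.1 sits under the ITU-T arc reserved for documentation examples and is a placeholder; the extension OID the real tool uses is not stated on this page. The certificate is signed with a throwaway P-256 key, which reflects the point in the text: nothing verifies the dummy certificate's own signature, so its contents can change without touching the Authenticode signature over the binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// tagExtensionOID is a placeholder under the 2.999 documentation arc;
// the OID used by the real tool is not given on this page.
var tagExtensionOID = asn1.ObjectIdentifier{2, 999, 1}

// newDummyCertWithTag builds a self-signed certificate whose only purpose
// is to carry tag bytes in a non-critical extension. The key is generated
// and discarded: the certificate is never meant to be trusted or verified.
func newDummyCertWithTag(tag []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Dummy tag certificate (constructed example)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{
			Id:       tagExtensionOID,
			Critical: false, // non-critical so parsers tolerate it
			Value:    tag,
		}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// findTagExtension parses a DER certificate and returns the raw value of
// the tag extension, or nil if the certificate carries none.
func findTagExtension(der []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(tagExtensionOID) {
			return ext.Value, nil
		}
	}
	return nil, nil
}

// extensionOIDs returns the dotted OID of every extension in a DER
// certificate, which is what to inspect when auditing a chain for
// certificates that exist only to carry data.
func extensionOIDs(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var oids []string
	for _, ext := range cert.Extensions {
		oids = append(oids, ext.Id.String())
	}
	return oids, nil
}

func main() {
	der, err := newDummyCertWithTag([]byte("constructed tag payload"))
	if err != nil {
		panic(err)
	}
	tag, err := findTagExtension(der)
	if err != nil {
		panic(err)
	}
	oids, _ := extensionOIDs(der)
	fmt.Printf("tag: %q\nextensions: %v\n", tag, oids)
}
```

When auditing a signed binary, walk every certificate in the PKCS#7 chain with `extensionOIDs` and flag certificates that are neither the signer nor on the path to a trust anchor; a certificate whose only notable content is a non-standard extension is the pattern described above.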

More details are here: http://b/12236017

The tool was updated in 2020 to support MSI files: b/172261939, b/165818147.

The test file is integrated from google3, but is modified here to make it
easier to run outside of google3; see the comment near the beginning of
certificate_tag_test.go

Documentation

Overview

Copyright 2015 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Program certificate_tag manipulates "tags" in Authenticode-signed Windows binaries.

Traditionally we have inserted tag data after the PKCS#7 blob in the file (called an "appended tag" here). This area is not hashed in when checking the signature so we can alter it at serving time without invalidating the Authenticode signature.

However, Microsoft are changing the verification function to forbid that so this tool also handles "superfluous certificate" tags. These are dummy certificates, inserted into the PKCS#7 certificate chain, that can contain arbitrary data in extensions. Since they are also not hashed when verifying signatures, that data can also be changed without invalidating it.

The tool supports PE32 exe files and MSI files.
