Hi,
I have the following problem:
Take a file such as signtool.exe (shipped with some part of the Windows SDK). If you right-click the file, you can view its digital signature, and the countersignatures, which include a timestamp.
If you attempt to inspect this code using the following command:
Get-AuthenticodeSignature "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" | format-list
You get the following result:
SignerCertificate : [Subject]
CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Issuer]
CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Serial Number]
330000010A2C79AED7797BA6AC00010000010A
[Not Before]
6/4/2015 10:42:45 AM
[Not After]
9/4/2016 10:42:45 AM
[Thumbprint]
3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
TimeStamperCertificate :
Status : Valid
StatusMessage : Signature verified.
Path : C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
SignatureType : Authenticode
IsOSBinary : False
I do not have access to a file which has a malformed timestamp signature in order to determine whether or not the timestamp signature is still being taken into account to determine the status, or whether it is being completely ignored.
Regardless, the fact that it doesn't show up under TimeStamperCertificate makes it extremely difficult to verify that PowerShell scripts have a valid timestamp on them (programmatically).
[System.Environment]::OSVersion.Version
Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
Major Minor Build Revision
----- ----- ----- --------
5 1 14393 1198
I currently have a C# application that relies on this functionality to verify some of its components. I have explored many workarounds, and have been unable to find anything that works. What is my best option, apart from using a different technology to sign the files? I am unable to use signtool to verify the files, as I cannot ship my application with it.
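As an added example that is not part of the original post, this PowerShell reads the Authenticode PKCS#7 blob straight out of the PE certificate table with .NET's SignedCms and lists both kinds of timestamp countersignature (legacy Authenticode and RFC 3161), so the check does not depend on what Get-AuthenticodeSignature exposes in TimeStamperCertificate. The function names and the minimal DER walker are mine; the token's own signature is checked, but the TSA certificate chain is not built here, and nested signatures are not walked.

```powershell
# Added example (not from the original post): read the PKCS#7 blob out of the PE certificate table.
Add-Type -AssemblyName System.Security

function Read-DerTlv([byte[]]$b, [int]$pos) {
    # Minimal DER tag/length reader: returns tag, offset of the value, value length
    $tag = $b[$pos]; $len = [int]$b[$pos + 1]; $p = $pos + 2
    if ($len -ge 0x80) {                       # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $b[$p + $i] }
        $p += $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $p; Length = $len }
}

function Get-TstInfoGenTime([byte[]]$c) {
    # RFC 3161 TSTInfo ::= SEQUENCE { version, policy, messageImprint, serialNumber, genTime, ... }
    $t = Read-DerTlv $c 0
    if ($t.Tag -eq 0x04) { $t = Read-DerTlv $c $t.Start }        # unwrap an OCTET STRING if present
    $pos = $t.Start
    for ($i = 0; $i -lt 4; $i++) { $f = Read-DerTlv $c $pos; $pos = $f.Start + $f.Length }
    $gen = Read-DerTlv $c $pos
    if ($gen.Tag -ne 0x18) { throw 'expected GeneralizedTime in TSTInfo' }
    $s = [Text.Encoding]::ASCII.GetString($c, $gen.Start, $gen.Length) -replace '\.\d+Z$', 'Z'
    [datetime]::ParseExact($s, 'yyyyMMddHHmmss\Z', [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal -bor [Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-AuthenticodeTimestamps([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    $opt = [int][BitConverter]::ToUInt32($b, 0x3C) + 24             # e_lfanew + PE signature + COFF header
    $dirs = if ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $certOff = [int][BitConverter]::ToUInt32($b, $dirs + 32)        # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4)
    $certLen = [int][BitConverter]::ToUInt32($b, $dirs + 36)
    if ($certOff -eq 0) { throw "$Path carries no Authenticode signature" }
    $pkcs7 = New-Object byte[] ($certLen - 8)                       # skip the 8-byte WIN_CERTIFICATE header
    [Array]::Copy($b, $certOff + 8, $pkcs7, 0, $pkcs7.Length)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms; $cms.Decode($pkcs7)
    $signer = $cms.SignerInfos[0]
    foreach ($cs in $signer.CounterSignerInfos) {                   # legacy Authenticode countersignature
        $st = $cs.SignedAttributes | Where-Object { $_.Oid.Value -eq '1.2.840.113549.1.9.5' }
        [pscustomobject]@{ Kind = 'Authenticode'; Time = $st.Values[0].SigningTime.ToUniversalTime(); TSA = $cs.Certificate.Subject }
    }
    foreach ($a in $signer.UnsignedAttributes) {                    # RFC 3161 timestamp token
        if ($a.Oid.Value -ne '1.3.6.1.4.1.311.3.3.1') { continue }
        $tok = New-Object System.Security.Cryptography.Pkcs.SignedCms; $tok.Decode($a.Values[0].RawData)
        $tok.CheckSignature($true)                                  # throws if the token itself has been altered
        [pscustomobject]@{ Kind = 'RFC3161'; Time = Get-TstInfoGenTime $tok.ContentInfo.Content; TSA = $tok.SignerInfos[0].Certificate.Subject }
    }
}
Get-AuthenticodeTimestamps 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
```

An empty result means the signature carries no timestamp at all, which is the case a verifier should treat as a failure rather than silently accept.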