Sunday, May 1, 2016

Digital signatures can be in catalogs too

Some digitally signed files (for example, executables that produce a UAC prompt with a verified publisher) have a Digital Signatures tab in their Properties window. Others do not, yet are still treated as verified in the UAC dialog and by the Sysinternals sigcheck utility. Usually the ones without the tab are binaries that shipped with the OS.

The reason some files lack that tab is that their digital signatures are stored not in the files themselves but in security catalogs: signed lists of file hashes. Explorer evidently checks only the file itself for an embedded signature, whereas UAC and sigcheck also consult the catalogs. The -i parameter to sigcheck shows on its "Catalog" line where the signature for the target file is stored; for a catalog-signed file you get the path to the .cat file, which lives under \Windows\System32\catroot.
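The distinction above can be checked directly. The PowerShell below is an added example, not code from the original post: it reads the PE Certificate Table (the data directory Explorer's tab is built from) to tell whether a signature is embedded, then asks Get-AuthenticodeSignature how Windows actually verified the file. It assumes Windows PowerShell 5.1 or later, which exposes the SignatureType property (None, Authenticode for embedded, Catalog). The last function wraps the sigcheck invocation the post describes and assumes sigcheck.exe is on PATH and prints a line beginning with "Catalog:"; the function names are my own.

```powershell
# Added example (not from the original post): classify a file's Authenticode
# signature as embedded (Explorer shows a Digital Signatures tab) or
# catalog-backed (tab absent, but UAC and sigcheck still see a verified signer).
# Assumes Windows PowerShell 5.1+ for the SignatureType property.

function Test-EmbeddedSignature {
    # Returns $true if the PE file carries a non-empty Certificate Table
    # (IMAGE_DIRECTORY_ENTRY_SECURITY, data directory index 4). That table is
    # what the Digital Signatures tab is rendered from; catalog-signed files
    # have an all-zero entry here.
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                  # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {  # "PE\0\0"
        throw "$Path is not a PE file (missing PE signature)"
    }
    $optHdr = $peOffset + 4 + 20                       # skip signature + COFF header
    $magic  = [BitConverter]::ToUInt16($bytes, $optHdr)
    # Data directories begin at offset 96 (PE32) or 112 (PE32+) of the optional header.
    $dirBase = switch ($magic) {
        0x10B   { $optHdr + 96 }
        0x20B   { $optHdr + 112 }
        default { throw ("Unknown optional header magic 0x{0:X}" -f $magic) }
    }
    $secEntry  = $dirBase + 4 * 8                                  # index 4, 8 bytes each
    $secOffset = [BitConverter]::ToUInt32($bytes, $secEntry)       # raw file offset, not an RVA
    $secSize   = [BitConverter]::ToUInt32($bytes, $secEntry + 4)
    return ($secOffset -ne 0 -and $secSize -ne 0)
}

function Get-SignatureLocation {
    # Combines the PE check with the OS's own verdict, which also consults
    # the catalogs under \Windows\System32\catroot.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        Embedded      = Test-EmbeddedSignature -Path $Path
        SignatureType = $sig.SignatureType   # None, Authenticode (embedded) or Catalog
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-SigcheckCatalog {
    # Wraps the Sysinternals tool from the post. Assumes sigcheck.exe is on PATH
    # and that -i output contains a "Catalog:" line; returns the .cat path.
    param([Parameter(Mandatory)][string]$Path)

    & sigcheck.exe -i -nobanner -accepteula $Path |
        Select-String -Pattern '^\s*Catalog:' |
        ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() }
}

# Usage: an OS-shipped binary typically reports Embedded = False with
# SignatureType = Catalog and Status = Valid; a third-party installer usually
# reports Embedded = True with SignatureType = Authenticode.
Get-ChildItem "$env:SystemRoot\System32\*.exe" | Select-Object -First 5 |
    ForEach-Object { Get-SignatureLocation -Path $_.FullName } |
    Format-Table -AutoSize
```

If Embedded is false but Status is Valid, the signature came from a catalog, and Get-SigcheckCatalog on the same path names the .cat file that carries the hash. Note that the PE check reads only the header, so it is cheap enough to run across a whole directory tree when hunting for files whose only signature is catalog-based.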
