goverify does not verify the file content

Question

goverify does not verify the file content

werwurm opened this issue 2 years ago · 2 comments

Hi,

I noticed that the goverify tool only checks if the file has a signature that verifies against the provided certificate, but it does not compute the digest over the file's content, and therefore, also does not check if the file's content matches the digest in the indirect section of the signature.

This could be considered a vulnerability if anyone relies on goverify to assert the authenticity of an executable. It should be possible to freely modify the sections of the file without tripping up goverify.

This can be fixed fairly easily. But at the very least I would suggest a warning in the docs or even the output of the tool, that it only checks the signature but may not be relied upon for security.

Answer 1 · 2022-12-06T22:24:13.000Z

Yo,

Yes, I think I reflected on that while writing it but the current checksum and pecoff API is quite terrible so I never really implemented it properly.

The cmd/ directory should probably be considered examples and not indicative of proper usage, and a comment saying as much should probably be written.

Answer 2 · 2023-12-03T22:15:26.000Z

I have no clue if this is of interest to you, but I've rewritten parts of the old pkcs7/authenticode API into something more sane which can hopefully be more useful and secure.

Feel free to take a look: 1b4504c