I'm writing a function for an installer DLL to verify the Authenticode signature of EXE files already installed on the system.
The function needs to:
A) verify that the signature is valid.
B) verify that the signer is our organization.
Because this is in an installer, and because this needs to run on older Win2k installations, I don't want to rely on CAPICOM.dll, as it may not be on the target system.
The WinVerifyTrust API works great to solve (A).
I need to find a way to compare a known certificate (or properties therein) to the one that signed the EXE in question.
You should use CryptQueryObject.
This KB-article demonstrates the use: How To Get Information from Authenticode Signed Executables.
To the commenter that asked about how to do it without the Windows-APIs, I am not aware of any library that can do it, but the format is documented here: Windows Authenticode Portable Executable Signature Format
If the signature is valid, its certificate chain will contain your certificate. CertGetCertificateChain will get that chain.
Related
I'm developing an open source project and I have been working on making the builds reproducible so that my users can compare the checksums of the binaries that I distribute with their own builds (if they were to build the project with/from the source code).
Unfortunately, new versions of Windows and MacOS use code signing in order to check binaries and prevent their execution if they aren't signed (I'm aware that there are ways to override this and execute the binary anyways, but this is not user friendly).
I'd like to sign the binaries that I distribute so that my users can run them without any problems. But I'm not sure if that is possible to do while also keeping the reproducible builds.
For a build to be reproducible, the end user must have all the tools / source code required to build the project and, once compiled, the end result should be the same bit-a-bit binary compared to the one that I'm distributing. But that would mean that I'd have to distribute the private key / cert used to sign the binary, which is not a good idea for multiple reasons.
Is there a way to have both reproducible builds and signed binaries?
Here is a general approach for creating reproducible signed builds for open source.
Create your "sign binaries" script as follows:
Compile project
Make a checksum of the project's signing preimage
Compare the checksum to the file SIGNING_CHECKSUM
If there is a match:
Use the signature in SIGNING_SIGNATURE to build the package
Verify that SIGNING_SIGNATURE was signed by SIGNING_PUBLIC_KEY
If there is not a match:
Save the checksum to the file SIGNING_CHECKSUM
Use the local signing key to sign the binary
Save the signature to the file SIGNING_SIGNATURE
Verify that SIGNING_SIGNATURE was signed by SIGNING_PUBLIC_KEY
End result is that anybody can reproducibly build the untampered source code. Anybody can edit the source code and reproducibly build the binary so long as the modifications to not modify the signing preimage. And only the developer with access to the signing key is able to sign new releases.
To set CAINFO option on CURL* currently I am including the CACert.pem file downloaded from https://curl.haxx.se/ca/cacert.pem with the binary.
Is there a way to have that file included within project so that its within binary and there is no need to explicitly specify CAINFO option?
I believe there is some way, because the same calls without setting CAINFO work on OSX where I am using system curl library.
It depends!
libcurl itself can get built to use a large number of different TLS libraries and they all have their own little differences. The devil is really in the details as usual.
mac
The "native" libcurl on macOS is built to use the internal "secure transport" TLS library and by default it uses the internal "trust store" that Apple ships. Most applications thus won't need to provide any CA certs.
Many people are however opting to use their own custom build on mac as well and then it may use nother TLS library (mostly done since the native mac one is fairly limited in functionality).
windows
Similarly, libcurl on windows built to use schannel (the native windows TLS solution) can use the Windows internal trust store.
A libcurl on Windows that is built to use OpenSSL, however - which is the most popular TLS library choice - needs a separate and provided trust store to use, since it won't use the default one. You can then provide that trust store either as a separate file to pass to libcurl or you set it using the CURLOPT_SSL_CTX_FUNCTION callback as show in the cacertinmem example from the curl web site.
I need to know whether a given .exe is 32-bit or a 64-bit, before I launch it. IsWow64Process is no use here, since there is no process yet. Is there some other API that will give me this information?
If you really only want to do this for EXEs and not DLLs, just use GetBinaryType.
Determines whether a file is an
executable (.exe) file, and if so,
which subsystem runs the executable
file.
This post will surely help you.
Is C# related but it will give you the idea.
This information is available in one of the headers of the PE File file format (the format used for exe's and dll's). The information in these headers can either be extracted programmatically (they are at a specified offset) or more safely queried via the Win32 API.
Alright, Liviu got the correct pointer for you.
I'm implementing an installer in Java, that is supposed to download and install an application for non-privileged users in Windows (from XP and up). The application is written in C++, and depend on the usual VC runtime-libraries (msvcm90.dll and friends). In order to save bandwidth, I want to avoid downloading the VC redistributables if they already are available for the user. I do however have a problem finding a reliable method to detect if an assembly is installed.
If the assembly is missing, I will deploy it as described here:
http://msdn.microsoft.com/en-us/library/ms235291%28VS.80%29.aspx
So the question is simply how to detect if a (any) assembly is installed on the machine. It's no requirement that this can be done from Java. I can easily write a small probe in C++ and link it statically for the task.
jgaa
If you are willing to write a small test program, then rather than writing one that looks for your dependencies, write one that has the same dependencies as your application. Try to run it. If it runs, the dependencies are in place. If it fails, the probable reason is that the dependencies are missing.
Seems a fairly complicated trick really as depending on the setup these may already be located in several possible places. Perhaps your best bet would be testing for the existence of these DLL's using the WinAPI LoadLibrary - this should find any DLL that is shared and appropriate to the build automatically.
Even better LoadLibrary a DLL that requires them as Ben suggests.
I want to call a Subversion API from a Visual Studio 2003 C++ project.
I know there are threads here, here, here, and here that tell how to get started with C#.NET on Windows (the consensus seems to be SharpSvn, which I've used easily and successfully on another project) but that's not what I want.
I've read the chapter on using APIs in the red-bean book which says:
Subversion is primarily a set of C libraries, with header (.h) files that live in the subversion/include directory of the source tree. These headers are copied into your system locations (e.g., /usr/local/include) when you build and install Subversion itself from source. These headers represent the entirety of the functions and types meant to be accessible by users of the Subversion libraries.
I'd like to use CollabNet Subversion but there doesn't seem to be API binary downloads, and I'd just as soon not build the whole thing if I can avoid it.
Considering another approach, I found RapidSVN's C++ API, but it doesn't appear to offer Windows API binaries either and seems to require building SVN (which I would be willing to do as a last choice if RapidSVN's API is higher-level than the stock SVN offering.)
Does calling the API from C++ in Windows have to be this much more work compared to using SharpSvn under .NET, or is there something I haven't found that would help me achieve my goal?
You need the dev (e.g. svn-win32-1.6.16_dev.zip) package from here. Probably download also the binaries (e.g. svn-win32-1.6.16.zip) of the tools (DLLs are there).