
Signature should only be considered valid if cert is verified #110

@cedws

Description


pe/security.go

Lines 401 to 409 in 17e5221

var signatureValid bool
signatureContent, err = parseAuthenticodeContent(pkcs.Content)
if err != nil {
	pe.logger.Errorf("could not parse authenticode content: %v", err)
	signatureValid = false
} else if !pe.opts.DisableSignatureValidation {
	authentihash := pe.AuthentihashExt(signatureContent.HashFunction.New())[0]
	signatureValid = bytes.Equal(authentihash, signatureContent.HashResult)
}

As I understand, this code compares the actual Authenticode hash against the hash in the signed message. However, the check is performed independently of certificate validation. Therefore, an unverified certificate chain has no effect, and SignatureValid can still end up being true as long as the hashes match.

I think it would be a good idea to consider the signature valid as long as the certificate chain can be verified to prevent misuse of the API.

signatureValid = signatureValid && certValid
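The rule proposed above, worked through as an added example (not code from the project in this issue): the recomputed authentihash must match the signed HashResult and the signer certificate must chain to a trusted root, so either failure alone rejects the signature. The names SignatureValid, ConstructedChain and issue are assumptions, and crypto/x509 chain verification stands in for whatever the library's own certificate check reports as certValid.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SignatureValid is true only when the hash matches AND the signer chains to a
// trusted root carrying the code-signing EKU (the issue's signatureValid && certValid).
func SignatureValid(authentihash, hashResult []byte, signer *x509.Certificate, roots *x509.CertPool) bool {
	if signer == nil {
		return false // no certificate to verify: never trust on hash match alone
	}
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return bytes.Equal(authentihash, hashResult) && err == nil
}

// issue signs tmpl with parentKey (self-signed when parent == tmpl). Test helper only.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// ConstructedChain builds a throwaway root CA plus a code-signing leaf it issued (constructed test data).
func ConstructedChain() (*x509.Certificate, *x509.CertPool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootCert := issue(root, root, &rootKey.PublicKey, rootKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	pool := x509.NewCertPool()
	pool.AddCert(rootCert)
	return issue(leaf, rootCert, &leafKey.PublicKey, rootKey), pool
}
```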
