Message-ID:
 <ME2PR01MB36506B29C4635FB7A1D94D5FEE87A@ME2PR01MB3650.ausprd01.prod.outlook.com>
Date: Tue, 6 Jan 2026 02:22:47 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Re: Best practices for signature verification

Valtteri Vuorikoski <vuori@...com.org> writes:
>On Sun, Jan 04, 2026 at 11:56:06AM +0000, Peter Gutmann wrote:
>> As an aside, is anyone aware of a single-source design document for what
>> Authenticode does?
>Are you looking for something more detailed than the Microsoft document titled
>"Windows Authenticode Portable Executable Signature Format" from 2008?

Not more detailed, but something that talks about the "keys and signatures
fall from the sky and the timestamping fairy blesses them" issue.  The
referenced doc just covers Microsoft's additions to PKCS #7 and what gets
hashed for the signature; it's just another bit-bagging format doc along the
lines of RFC 9580 for the OpenPGP equivalent.

I'll try pinging an ex-MSFT security person; it may be that such a doc doesn't
actually exist, or is internal-only.

Peter.
