Verify Authenticode signature as being from our company for automatic updater
I am implementing an automatic update feature and need some advice on how to do this securely using best practices. I would like to use the downloaded file's Authenticode signature to verify that it is safe to run (i.e. originates from our company and hasn't been tampered with). My question is very similar to question #2008519.

The bottom-line question: what's the best, most secure way to check Authenticode signatures for an automatic update feature? What fields in the certificate should be checked? Requirements being: (1) check signature is valid, (2) check it's my signature, (3) old clients can still update when my certificate expires and I get a new one.

Here's some background information / ideas from my research: I believe this could be broken into two steps:

  1. Verify that the signature is valid. I believe this should be easy using WinVerifyTrust as outlined in http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx - I don't expect problems here.

  2. Verify that the signature corresponds to our company, and not another company. This seems to be a more difficult question to answer:

One possibility is to check some of the strings in the signature. Could be obtained via code at MS KB article #323809, but this article doesn't make recommendations on what fields should be checked for this type of application (or any other, for that matter). Question #1072540 also illustrates how to get some certificate info, but again doesn't recommend what fields to actually check. My concern is that the strings might not be the best check: what if another person is able to obtain a certificate with the same name, for example? Or if there's a valid reason for us to change the strings in the future?

The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.

Baynebridge answered 4/1, 2011 at 15:50

Followup: I wound up more-or-less doing Brian's suggestion. (1) Verify Authenticode signature with WinVerifyTrust, (2) check subject of Authenticode signature; make sure the string matches my company name, (3) as an additional measure, I do a separate signature with DSA. The signature is sent alongside the executable file and checked. (Baynebridge)
Also see Microsoft's Windows Authenticode Portable Executable Signature Format. (Almandine)

The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.

Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else's similar-looking certificate for your own.

Automat answered 4/1, 2011 at 16:41

The automatic updater is going to use the same setup program that the user uses when initially downloading the software from our web site. The self-sign solution works when the application has already been installed with the known self-sign public key. What about the initial download when they are asked whether to run the downloaded program by Windows/web browser? For this, it has to be signed by a trusted root CA. Perhaps (is it possible?) for the EXE to be signed by both the self-signature and the certificate purchased from a root CA...?? (Baynebridge)
@James: You could just as easily put the self-sign signature in a separate file. You have total control over the communication between the server and automatic updater. (Automat)
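As an added example (not code from the question or the answer), here are the two checks this thread discusses, written as PowerShell functions an updater could call before executing a downloaded file: the question's steps 1 and 2, done with Get-AuthenticodeSignature (a wrapper over WinVerifyTrust) and a pin on the signing certificate's thumbprint rather than on a subject string, and the answer's embedded-key approach, done with a detached RSA signature shipped in a separate file next to the executable. The thumbprint values, the key size, SHA-256 with PSS padding and the file paths are assumptions chosen for illustration.

```powershell
# Added example, not code from the question or the answer. Two checks an
# updater can run on a downloaded file before executing it:
#   1. Authenticode (WinVerifyTrust via Get-AuthenticodeSignature) with the
#      signing certificate pinned by thumbprint instead of by subject string.
#   2. A detached RSA signature verified against a public key embedded in the
#      updater, which is the approach the answer suggests.
# Assumptions: thumbprint values, key size, SHA-256/PSS and the paths below are
# illustrative placeholders.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-UpdateAuthenticode {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints   # every certificate we have released with
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Step 1: 'Valid' means the file hash matches and the chain builds to a trusted root.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Authenticode status $($sig.Status): $($sig.StatusMessage)" }
    }
    # Step 2: pin the leaf certificate itself, so a third party holding a certificate
    # with the same subject name is still rejected. -contains is case-insensitive.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{ Ok = $false; Reason = "signer $($sig.SignerCertificate.Subject) ($thumb) is not one of our certificates" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "signed by $($sig.SignerCertificate.Subject)" }
}

function Test-UpdateDetachedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SignaturePath,
        [Parameter(Mandatory)] [byte[]] $Modulus,    # public key baked into the updater
        [Parameter(Mandatory)] [byte[]] $Exponent
    )
    $pub = New-Object System.Security.Cryptography.RSAParameters
    $pub.Modulus  = $Modulus
    $pub.Exponent = $Exponent
    $rsa = [System.Security.Cryptography.RSA]::Create()
    try {
        $rsa.ImportParameters($pub)   # public half only; the private key never leaves the build machine
        $data      = [System.IO.File]::ReadAllBytes($Path)
        $signature = [System.IO.File]::ReadAllBytes($SignaturePath)
        return $rsa.VerifyData($data, $signature,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pss)
    } finally {
        $rsa.Dispose()
    }
}

# --- Publisher side (build machine): generate the key once and embed the public
# parameters (Modulus/Exponent) in the updater. The full object below is for the demo only.
$signingKey = [System.Security.Cryptography.RSA]::Create()
$signingKey.KeySize = 3072
$embeddedKey = $signingKey.ExportParameters($false)   # $false = public parameters only

# Constructed sample payload standing in for the downloaded setup program.
$payload = Join-Path ([System.IO.Path]::GetTempPath()) 'update-demo.bin'
[System.IO.File]::WriteAllBytes($payload, [byte[]](0..255))
$sigBytes = $signingKey.SignData([System.IO.File]::ReadAllBytes($payload),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pss)
[System.IO.File]::WriteAllBytes("$payload.sig", $sigBytes)   # sent alongside the executable

# --- Client side (updater): the untouched file verifies against the embedded key.
Test-UpdateDetachedSignature -Path $payload -SignaturePath "$payload.sig" `
    -Modulus $embeddedKey.Modulus -Exponent $embeddedKey.Exponent

# Flipping a single byte after signing must make the same check fail.
$bytes = [System.IO.File]::ReadAllBytes($payload)
$bytes[17] = $bytes[17] -bxor 1
[System.IO.File]::WriteAllBytes($payload, $bytes)
Test-UpdateDetachedSignature -Path $payload -SignaturePath "$payload.sig" `
    -Modulus $embeddedKey.Modulus -Exponent $embeddedKey.Exponent

# Authenticode check against a real signed binary. The all-zero thumbprint is a
# placeholder; put your own certificates' thumbprints here, taken from
# (Get-AuthenticodeSignature <your-signed-file>).SignerCertificate.Thumbprint
Test-UpdateAuthenticode -Path "$env:WINDIR\System32\notepad.exe" `
    -AllowedThumbprints @('0000000000000000000000000000000000000000')
```

The allowed-thumbprint list is how the question's third requirement (old clients still updating after a certificate change) is handled: obtain the next code-signing certificate before the current one expires, ship a release whose updater lists both thumbprints, and only then start signing with the new one; a client that installed any release in that window accepts the new signer. The same applies to the embedded RSA key, which can be rotated by listing the successor's public parameters in an earlier release. Two further points a practitioner would want: timestamp the Authenticode signature at build time, so that files signed with a certificate that has since expired still report a Valid status, and run both checks on the downloaded file before it is executed, never afterwards.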
