Preventing executables with invalid Authenticode signatures from running
We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software.

Our PCI compliance auditor has asked us to protect against the following situation:

  1. After downloading our executable file, a malicious person alters the file. An observant person would be able to check the properties for the file and determine that the signature is no longer valid.
  2. The malicious person places the altered executable somewhere that an unsuspecting user could run it.
  3. An unsuspecting user runs the altered file, releasing unspecified havoc.

The auditor contends there is a way (or ought to be a way) to prevent the file from running at all if the signature is not valid.

Do you know how this can be accomplished?

Blockhouse answered 29/10, 2009 at 20:10 Comment(0)
MSDN has some interesting articles about this subject:

Ivatts answered 29/10, 2009 at 20:37 Comment(3)
This code is in C. Do you have any idea how to implement this in .net? Any help is appreciated. (Isallobar)
This might get you started: pinvoke.net/default.aspx/wintrust.WinVerifyTrust (Ivatts)
How is this helpful? This code will run inside your software and someone changing it can just as well skip over your custom validation checks. What you want is the OS to perform the integrity check. (Craze)
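The following is an added example, not code from the original answer or its comments. It shows the check the answer points at (WinVerifyTrust) done from PowerShell, where Get-AuthenticodeSignature wraps the same WinTrust verification: a launcher script refuses to start the downloaded update unless the signature is valid and the signer certificate is the publisher's own. The file path and the publisher thumbprint are placeholders.

```powershell
# Added example (not from the original post): verify an update executable's
# Authenticode signature before launching it. Get-AuthenticodeSignature uses the
# same WinTrust verification that WinVerifyTrust performs.
# The file path and the expected thumbprint are assumptions / placeholders.

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher's code-signing certificate (assumed value).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $result = [ordered]@{ Path = $Path; Ok = $false; Status = $null; Signer = $null; Reason = $null }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reason = 'file not found'
        return [pscustomobject]$result
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.Status = $sig.Status.ToString()

    # Status values: Valid, NotSigned, HashMismatch (modified after signing),
    # NotTrusted (chain not trusted), UnknownError, Incompatible, NotSupportedFileFormat.
    # Anything other than Valid means: do not run the file.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    $result.Signer = $sig.SignerCertificate.Subject

    # A valid signature from *any* trusted publisher is not enough: pin the signer.
    # (-ne is case-insensitive in PowerShell, so hex case does not matter.)
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        $result.Reason = "signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
        return [pscustomobject]$result
    }

    $result.Ok = $true
    $result.Reason = 'valid signature from the expected publisher'
    return [pscustomobject]$result
}

function Start-VerifiedUpdate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $check = Test-UpdateSignature -Path $Path -ExpectedThumbprint $ExpectedThumbprint
    if (-not $check.Ok) {
        Write-Warning "Refusing to run '$Path': $($check.Reason)"
        return $check
    }
    Start-Process -FilePath $Path -Wait
    return $check
}

# Usage (placeholder values):
# Start-VerifiedUpdate -Path 'C:\Downloads\update.exe' -ExpectedThumbprint '<publisher thumbprint>'
```

The pinned thumbprint is what turns "signed by someone Windows trusts" into "signed by us". The check lives in the launcher, not in the update itself, which is the point Craze's comment makes: a verification routine compiled into the patched executable can be removed together with the signature, so the verification has to happen in something the attacker cannot alter along with the file.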
There is a setting in the group policy. Open "gpedit" as administrator, then under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options", set "User Account Control: Only elevate executables that are signed and validated" to "Enabled".

Now, if your manipulated program tries to grab admin rights, or you try to run it as admin, it will fail with the unhelpful error message "A referral was returned from the server". However, this also affects all executables which aren't signed at all.

It seems like there is no way to handle broken signatures differently from unsigned executables. Even their orange UAC popups look the same, although a broken signature is much more alarming than a missing signature. (Ok granted, if an attacker manipulates your executable, he could just as well remove the tell-tale signature altogether.)

Indisposed answered 13/3, 2023 at 9:2 Comment(0)
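As an added example (not part of the answer above), the same Group Policy setting can be audited and applied from an elevated PowerShell session. The setting is stored as the DWORD value ValidateAdminCodeSignatures under the UAC policy key; 1 is "Enabled", 0 or absent is the default.

```powershell
# Added example (not from the original answer): read and set the registry value
# behind "User Account Control: Only elevate executables that are signed and
# validated". Writing it requires an administrator session; it only gates
# elevation, exactly as the answer describes.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName    = 'ValidateAdminCodeSignatures'

function Get-SignedElevationPolicy {
    # Returns $true when only signed and validated executables may elevate,
    # $false when the value is missing or 0 (the default).
    $props = Get-ItemProperty -Path $UacPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ([int]$props.$ValueName) -eq 1
}

function Set-SignedElevationPolicy {
    param([Parameter(Mandatory)] [bool] $Enabled)
    # Requires an elevated (administrator) PowerShell session.
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $UacPolicyKey -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    return (Get-SignedElevationPolicy)
}

# Audit: report whether the hardening is in effect on this machine.
$state = if (Get-SignedElevationPolicy) { 'Enabled' } else { 'Disabled (default)' }
Write-Host "Only elevate signed and validated executables: $state"

# To enable it (elevated session; applies to new elevation prompts):
# Set-SignedElevationPolicy -Enabled $true
```

Two caveats carry over from the answer: a tampered executable that never asks for administrator rights is not affected at all, and executables that are simply unsigned are refused in the same way as ones with a broken signature. Run your own update package through an elevation prompt on a test machine with the setting enabled before rolling it out via Group Policy.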
