2.15 Verifying PE signatures with signtool

https://scz.617.cn/windows/202111171326.txt

A: scz@nsfocus 2021-11-17 13:26

Using SignTool to Verify a File Signature
https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature

Use the signtool that ships with VS 2019 / the Win10 SDK.

/pa Use the "Default Authenticode" Verification Policy.
/kp Perform the verification with the kernel-mode driver signing policy.
/v  Print verbose success and status messages. This may also provide
    slightly more information on error. If you want to see information
    about the signer, you should use this option.

$ Z:\Green\CLI\signtool.exe verify /v /pa "Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe"

Verifying: Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): B8D8C888FA6F87ED50790955D1CD591D4048A1060EFD25A3891E5A9F038CF2BA

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires: Sun Mar 23 06:13:04 2036
    SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE

        Issued to: Microsoft Code Signing PCA 2011
        Issued by: Microsoft Root Certificate Authority 2011
        Expires: Thu Jul 09 05:09:09 2026
        SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA 2011
            Expires: Thu Mar 04 02:39:47 2021
            SHA1 hash: 2485A7AFA98E178CB8F30C9838346B514AEA4769

The signature is timestamped: Tue Apr 28 00:03:45 2020
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sun Jun 24 06:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires: Wed Jul 02 05:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires: Fri Feb 12 05:40:35 2021
            SHA1 hash: CDD79BD7202F6B69092769857C375E49F14931DC

Successfully verified: Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

$ Z:\Green\CLI\signtool.exe verify /v /kp C:\Windows\System32\drivers\LiveKdD.SYS

Verifying: C:\Windows\System32\drivers\LiveKdD.SYS

Signature Index: 0 (Primary Signature)
Hash of file (sha256): D19B9EF73FC8F99E4AD4415947395B7B6BDBD1E06D0A6ED9385ED1AA2AA34265

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sun Jun 24 06:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Windows Third Party Component CA 2012
        Issued by: Microsoft Root Certificate Authority 2010
        Expires: Mon Apr 19 07:58:38 2027
        SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Third Party Component CA 2012
            Expires: Thu Mar 04 03:12:18 2021
            SHA1 hash: 710405DC192AA15007C8912D33394A706478ED92

The signature is timestamped: Mon Apr 27 23:58:40 2020
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sun Jun 24 06:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Time-Stamp PCA 2010
        Issued by: Microsoft Root Certificate Authority 2010
        Expires: Wed Jul 02 05:46:55 2025
        SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA 2010
            Expires: Wed Mar 17 09:14:57 2021
            SHA1 hash: 9703E5342ABE527E7851FC4B7BFC0A4B55DCE27A

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2010
    Issued by: Microsoft Root Certificate Authority 2010
    Expires: Sun Jun 24 06:04:01 2035
    SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5

        Issued to: Microsoft Windows Third Party Component CA 2012
        Issued by: Microsoft Root Certificate Authority 2010
        Expires: Mon Apr 19 07:58:38 2027
        SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Third Party Component CA 2012
            Expires: Thu Mar 04 03:12:18 2021
            SHA1 hash: 710405DC192AA15007C8912D33394A706478ED92

Successfully verified: C:\Windows\System32\drivers\LiveKdD.SYS

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

D: 张云海

A PE has a "signing time" and also a "certificate validity period".

The "certificate validity period" has a start time and an end time. Certificates
expire, and the certificate itself is subject to various checks.

The "signing time" is the time at which the certificate was used to sign the PE.
It only needs to fall within the "certificate validity period"; a "signing time"
itself never expires.

Once a certificate has expired it can no longer be used to sign a PE, but a PE
signature produced within the certificate's validity period always remains valid.
This situation comes up easily: the certificate has expired, yet the signature is
still valid. For example:

              Certificate validity period   Signing time
livekd.exe    2020.3.5-2021.3.4             2020.4.28
LiveKdD.SYS   2020.3.5-2021.3.4             2020.4.27
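The comparison described above can be automated over `signtool verify /v` output. The following is an added example, not code from the original note: the function name `check_signing_time` is hypothetical, the sample text is an excerpt of the livekd.exe output shown on this page, and it assumes the signer certificate is the last one listed in the signing chain, as it is in that output. Since signtool prints only the expiry date, only the upper bound of the validity period is checked.

```python
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # date format signtool prints, e.g. "Thu Mar 04 02:39:47 2021"

# Excerpt of the livekd.exe output on this page (hash lines omitted).
SAMPLE = """\
Signing Certificate Chain:
    Issued to: Microsoft Code Signing PCA 2011
    Issued by: Microsoft Root Certificate Authority 2011
    Expires: Thu Jul 09 05:09:09 2026
        Issued to: Microsoft Corporation
        Issued by: Microsoft Code Signing PCA 2011
        Expires: Thu Mar 04 02:39:47 2021
The signature is timestamped: Tue Apr 28 00:03:45 2020
Timestamp Verified by:
    Issued to: Microsoft Time-Stamp Service
    Issued by: Microsoft Time-Stamp PCA 2010
    Expires: Fri Feb 12 05:40:35 2021
"""

def check_signing_time(text, now):
    """Compare the signing time with the signer certificate's expiry."""
    ts = re.search(r"^The signature is timestamped:\s*(.+)$", text, re.M)
    if ts is None:
        # No timestamp line: there is no signing time to compare.
        return {"timestamped": False}
    # Only certificates listed before the timestamp line belong to the signing
    # chain; the timestamp service's certificates must not be mixed in.
    signing_chain = text[:ts.start()]
    expiries = re.findall(r"^\s*Expires:\s*(.+)$", signing_chain, re.M)
    if not expiries:
        raise ValueError("no certificate found in the signing chain")
    leaf_expires = datetime.strptime(expiries[-1].strip(), FMT)  # signer cert is listed last
    signed_at = datetime.strptime(ts.group(1).strip(), FMT)
    return {
        "timestamped": True,
        "signed_at": signed_at,
        "leaf_expires": leaf_expires,
        "signed_before_expiry": signed_at <= leaf_expires,
        "cert_expired_now": now > leaf_expires,
    }

if __name__ == "__main__":
    # Evaluated as of the date of the note: certificate expired, signing time still inside it.
    for key, value in check_signing_time(SAMPLE, datetime(2021, 11, 17)).items():
        print(f"{key}: {value}")
```

Both dates are printed by signtool in the same local time zone, so they can be compared directly without conversion.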