Verifying that your system files are digitally signed

re: Verifying that your system files are digitally signed

Ben Hutchings — Wed, 16 Jun 2004 15:13:00 GMT

So how do you verify sigverif (and the parts of the OS that it depends on)?

re: Verifying that your system files are digitally signed

Cooney — Wed, 16 Jun 2004 16:29:00 GMT

well, you could build a bootable linux cd with a known good copy of sigverif on it. For the full version, check out 'On Trusting Trust': http://www.acm.org/classics/sep95/

File Signature Verification Utility

Notes2Self.net — Thu, 17 Jun 2004 00:26:00 GMT

re: Verifying that your system files are digitally signed

will — Thu, 17 Jun 2004 00:11:00 GMT

In reply to the acm linking dude-
you could also use a known good version of WinPE to run sigverif on.

re: Verifying that your system files are digitally signed

Drew — Thu, 17 Jun 2004 01:54:00 GMT

Ben:
That's one of the tough questions for us. In the future NGSCB might be an answer.

Cooney/will:
Running sigverif from a different OS install will probably give you lots of false results. Most of the files that are signed in Windows are signed indirectly with catalog (.cat) files. An install of the OS might have catalogs installed from a patch, service pack, or a 3rd party driver installation. So the one you're running your check from won't necessarily ahve the catalogs from the OS you're checking.
And WinPE won't work because the infrastructure to check signatures (and store catalogs) isn't there. Something like BartPE could be coaxed into working, but that means licensing trouble.
Linux CD - Maybe if WINE supports the right APIs and implements cryptsvc. I'm putting this on my list of things to try sometime when I don't have anything better to do. I have my doubts that it would work "out of the box" on any Linux distro, though.

Unfortunately we don't have a good (public, released) tool to find/view a signature for catalog-signed files at the moment.

And then?

Harcourt Jarenmyer — Thu, 17 Jun 2004 08:32:00 GMT

I ran this check, which scanned 2339 files. 842 files were not scanned, and 15 files were found that were not signed.

Now what?

I cannot find any info on each of these files by clicking on them. I cannot connect to a server to check if these files have been tampered with. I cannot connect to a server to verify that these files are genuine, and then have this app sign the files as valid.

In fact, once the scan is over I get a list that I cannot even export to a txt file so I can send it somewhere to do something. Unless I specify it FIRST in the "Advanced" section.

I would suggest that you are already advanced if you are running this app from the cli, and these options should be strung across the front of the tool.

So, I have a machine that has unsigned dlls and other cruft, which someone could be using to compromise my machine, or in a compromise of my machine, and there is no immediate, simple action that I can take to "enclose my confidence".

Just thinking aloud!

re: Verifying that your system files are digitally signed

Raymond Chen — Thu, 17 Jun 2004 15:25:00 GMT

If a file shows up in the list it means "This is a file that is not in the list of approved Windows files." It could be because it's been tampered with. It could be because it is a driver written by somebody other than Microsoft. The tool doesn't know; it's just listing everything it finds. (As you can easily tell by now, the tool is definitely *not* user friendly; its target audience was propeller-headed ultrageeks.) It's now up to you to decide what you want to do with this information.

re: Verifying that your system files are digitally signed

Drew — Thu, 17 Jun 2004 21:40:00 GMT

Not all files are going to be signed even if they're "approved" - .log files created by the OS, for example.
The signtool/capicom combo is a much better way to check signatures. It tells you what error was encountered.
Yes, Harcourt - sigverif is clunky. It's existed more or less unchanged since at least Win9x days. Which is probably why it's too geeky for the average user yet too feature-poor for a geek. :-(

re: Verifying that your system files are digitally signed

YV — Sat, 19 Jun 2004 21:29:00 GMT

Why does sigverif need to connect to internet halfway throught the process. ZoneAlaram alerted me , any ideas?

re: Verifying that your system files are digitally signed

Raymond Chen — Sun, 20 Jun 2004 00:05:00 GMT

I have no idea. Perhaps it's done as part of certificate verification? I'm just guessing. You could always debug it and find out.

Commenting on this entry has been closed.

Raymond Chen — Fri, 30 Jul 2004 05:31:00 GMT

Commenting closes after two weeks.

http://weblogs.asp.net/oldnewthing/archive/2004/02/21/77681.aspx

Why didn't XP SP2 install copy the right SP2 DLL when there was a DLL with a higher version number on the machine?

Larry Osterman's WebLog — Tue, 17 Aug 2004 20:40:00 GMT

Yet another post about signing and not hyperthreading

The Old New Thing — Wed, 15 Sep 2004 09:12:00 GMT