[Mac] 使用 osslsigncode 和 sigcheck 檢查 PE 檔案的 digital signature

[Mac] 使用 osslsigncode 和 sigcheck 檢查 PE 檔案的 digital signature

專案最近要處理 PE 的數位簽章 (digital signature) 的問題,

就先來看一下在 Mac 上要怎麼檢查這個簽章是否存在、還有是不是有效的~

找了一下,可以用的有 osslsigncodesigcheck

應該還有其他的,不過我就先只試這兩種~

 

參考資料:

stackoverflow: how to check if a file has a digital signature

OpenSSL-based signcode utility

Windows Sysinternals: Sigcheck

 

1. 安裝 osslsigncode 與 sigcheck

用 Homebrew 就能安裝 osslsigncode:

brew install osslsigncode

 

sigcheck 的話是 Windows 執行檔,本身不需要安裝~

 

2. 使用 osslsigncode 確認數位簽章

執行 osslsigncode verify <file name>,就可以看到這檔案有沒有簽章、與簽章的有效性:

testuser@localhost ~ $ osslsigncode verify GoogleUpdate.exe
Current PE checksum   : 000312C1
Calculated PE checksum: 000312C1
Message digest algorithm  : SHA1
Current message digest    : 60C66223153BDE9E22B3BBE8913BF267E77EF6CE
Calculated message digest : 60C66223153BDE9E22B3BBE8913BF267E77EF6CE
Signature verification: ok
Number of signers: 1
Signer #0:
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/OU=Digital ID Class 3 - Netscape Object Signing/CN=Google Inc
Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA
Number of certificates: 4
Cert #0:
Subject: /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services Signer - G2
Issuer : /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services CA
Cert #1:
Subject: /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services CA
Issuer : /C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA
Cert #2:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA
Issuer : /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Cert #3:
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/OU=Digital ID Class 3 - Netscape Object Signing/CN=Google Inc
Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA
Succeeded

 

若是檔案沒有簽章的話,會顯示 No signature found:

testuser@localhost ~ $ osslsigncode verify notepad.exe
Current PE checksum   : 00039741
Calculated PE checksum: 00039741
No signature found.
Succeeded

 

3. 使用 sigcheck 確認數位簽章

用 Wine 執行 sigcheck,後面帶上要確認的檔案:

testuser@localhost ~ $ wine sigcheck.exe GoogleUpdate.exe
Sigcheck v2.20 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com
Z:\users\testuser\googleupdate.exe:
Verified:   Signed
Signing date:   2:10 PM 3/9/2010
Publisher:  Google Inc
Description:    Google Installer
Product:    Google Update
Prod version:   1.2.183.21
File version:   1.2.183.21
MachineType:    32-bit

 

如果檔案沒有簽章的話,也可以看到 Unsigned 訊息:

testuser@localhost ~ $ wine sigcheck.exe notepad.exe
Sigcheck v2.20 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com
Z:\users\testuser\notepad.exe:
Verified:   Unsigned
Link date:  7:41 AM 7/14/2009
Publisher:  Microsoft Corporation
Description:    Notepad
Product:    Microsoft? Windows? Operating System
Prod version:   6.1.7600.16385
File version:   6.1.7600.16385 (win7_rtm.090713-1255)
MachineType:    32-bit

 

4. 檔案修改後的驗證

用簽章的其中一個目的就是確認檔案沒有被第三方修改,

若是有修改,驗證時應該要出現錯誤~

像下面是在 GoogleUpdate.exe 後面加一個字元後,

osslsigncode 有指出簽章不在檔尾,無法驗證 (通常亦代表檔案被改了): 

testuser@localhost ~ $ echo a >> GoogleUpdate.exe
testuser@localhost ~ $ osslsigncode verify GoogleUpdate.exe
Corrupt PE file - current signature not at end of file: GoogleUpdate.exe
Failed

 

不過奇怪的是 sigcheck 知道有簽章,卻沒指出檔案被修改的事實,

依然回報說 Signed,不曉得是否是個 bug:

testuser@localhost ~ $ wine sigcheck.exe GoogleUpdate.exe
Sigcheck v2.20 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com
Z:\Users\testuser\googleupdate.exe:
Verified:   Signed
Signing date:   2:10 PM 3/9/2010
Publisher:  Google Inc
Description:    Google Installer
Product:    Google Update
Prod version:   1.2.183.21
File version:   1.2.183.21
MachineType:    32-bit

 

從上面的實驗來看,osslsigncode 似乎比較可以信任,

如果想在 Mac 上快速的驗證檔案的數位簽章的話,可以用用看喔~

 

(本頁面已被瀏覽過 960 次)

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料