[Mac] 使用 osslsigncode 和 sigcheck 檢查 PE 檔案的 digital signature
專案最近要處理 PE 的數位簽章 (digital signature) 的問題,
就先來看一下在 Mac 上要怎麼檢查這個簽章是否存在、還有是不是有效的~
找了一下,可以用的有 osslsigncode 和 sigcheck,
應該還有其他的,不過我就先只試這兩種~
參考資料:
stackoverflow: how to check if a file has a digital signature
OpenSSL-based signcode utility
Windows Sysinternals: Sigcheck
1. 安裝 osslsigncode 與 sigcheck
用 Homebrew 就能安裝 osslsigncode:
brew install osslsigncode
sigcheck 的話是 Windows 執行檔,本身不需要安裝~
2. 使用 osslsigncode 確認數位簽章
執行 osslsigncode verify <file name>,就可以看到這檔案有沒有簽章、與簽章的有效性:
testuser@localhost ~ $ osslsigncode verify GoogleUpdate.exe Current PE checksum : 000312C1 Calculated PE checksum: 000312C1 Message digest algorithm : SHA1 Current message digest : 60C66223153BDE9E22B3BBE8913BF267E77EF6CE Calculated message digest : 60C66223153BDE9E22B3BBE8913BF267E77EF6CE Signature verification: ok Number of signers: 1 Signer #0: Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/OU=Digital ID Class 3 - Netscape Object Signing/CN=Google Inc Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA Number of certificates: 4 Cert #0: Subject: /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services Signer - G2 Issuer : /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services CA Cert #1: Subject: /C=US/O=VeriSign, Inc./CN=VeriSign Time Stamping Services CA Issuer : /C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA Cert #2: Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA Issuer : /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority Cert #3: Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/OU=Digital ID Class 3 - Netscape Object Signing/CN=Google Inc Issuer : /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)04/CN=VeriSign Class 3 Code Signing 2004 CA Succeeded
若是檔案沒有簽章的話,會顯示 No signature found:
testuser@localhost ~ $ osslsigncode verify notepad.exe
Current PE checksum : 00039741
Calculated PE checksum: 00039741
No signature found.
Succeeded
3. 使用 sigcheck 確認數位簽章
用 Wine 執行 sigcheck,後面帶上要確認的檔案:
testuser@localhost ~ $ wine sigcheck.exe GoogleUpdate.exe Sigcheck v2.20 - File version and signature viewer Copyright (C) 2004-2015 Mark Russinovich Sysinternals - www.sysinternals.com Z:\users\testuser\googleupdate.exe: Verified: Signed Signing date: 2:10 PM 3/9/2010 Publisher: Google Inc Description: Google Installer Product: Google Update Prod version: 1.2.183.21 File version: 1.2.183.21 MachineType: 32-bit
如果檔案沒有簽章的話,也可以看到 Unsigned 訊息:
testuser@localhost ~ $ wine sigcheck.exe notepad.exe Sigcheck v2.20 - File version and signature viewer Copyright (C) 2004-2015 Mark Russinovich Sysinternals - www.sysinternals.com Z:\users\testuser\notepad.exe: Verified: Unsigned Link date: 7:41 AM 7/14/2009 Publisher: Microsoft Corporation Description: Notepad Product: Microsoft? Windows? Operating System Prod version: 6.1.7600.16385 File version: 6.1.7600.16385 (win7_rtm.090713-1255) MachineType: 32-bit
4. 檔案修改後的驗證
用簽章的其中一個目的就是確認檔案沒有被第三方修改,
若是有修改,驗證時應該要出現錯誤~
像下面是在 GoogleUpdate.exe 後面加一個字元後,
osslsigncode 有指出簽章不在檔尾,無法驗證 (通常亦代表檔案被改了):
testuser@localhost ~ $ echo a >> GoogleUpdate.exe testuser@localhost ~ $ osslsigncode verify GoogleUpdate.exe Corrupt PE file - current signature not at end of file: GoogleUpdate.exe Failed
不過奇怪的是 sigcheck 知道有簽章,卻沒指出檔案被修改的事實,
依然回報說 Signed,不曉得是否是個 bug:
testuser@localhost ~ $ wine sigcheck.exe GoogleUpdate.exe Sigcheck v2.20 - File version and signature viewer Copyright (C) 2004-2015 Mark Russinovich Sysinternals - www.sysinternals.com Z:\Users\testuser\googleupdate.exe: Verified: Signed Signing date: 2:10 PM 3/9/2010 Publisher: Google Inc Description: Google Installer Product: Google Update Prod version: 1.2.183.21 File version: 1.2.183.21 MachineType: 32-bit
從上面的實驗來看,osslsigncode 似乎比較可以信任,
如果想在 Mac 上快速的驗證檔案的數位簽章的話,可以用用看喔~
(本頁面已被瀏覽過 891 次)