8

If you go to the VirusTotal link, there is a tab called file info (I think; mine is Dutch). You'll see a header called

"Authenticode signature block and FileVersionInfo properties"

I want to extract the data under the header using the Linux CLI. Example:

Signature verification Signed file, verified signature
Signing date 7:43 AM 11/4/2014
Signers
[+] Microsoft Windows
[+] Microsoft Windows Production PCA 2011
[+] Microsoft Root Certificate Authority 2010
Counter signers
[+] Microsoft Time-Stamp Service
[+] Microsoft Time-Stamp PCA 2010
[+] Microsoft Root Certificate Authority 2010

I used the Camera.exe in Windows 10, to somehow extract the data.

I extracted the .exe file and found a CERTIFICATE file in it. There is a lot of unreadable data, but also some text I can read that is, roughly, the same as the above output.

How can I extract signatures from a Windows .exe file under Linux using the CLI?

Gilles 'SO- stop being evil'
blade19899

2 Answers

12

On Linux there's a tool called osslsigncode which can process Windows Authenticode signatures. Verifying a binary's signature produces output similar to what you show in your example; on a vcredist_x86.exe I have to hand I get:

$ osslsigncode verify vcredist_x86.exe
Current PE checksum   : 004136A1
Calculated PE checksum: 004136A1

Message digest algorithm  : SHA1
Current message digest    : 0A9F10FB285BA0064B5537023F8BC9E06E173801
Calculated message digest : 0A9F10FB285BA0064B5537023F8BC9E06E173801

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA

Number of certificates: 7
        Cert #0:
                Subject: /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
                Issuer : /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
        Cert #1:
                Subject: /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
                Issuer : /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
        Cert #2:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
                Issuer : /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
        Cert #3:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA
        Cert #4:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=nCipher DSE ESN:D8A9-CFCC-579C/CN=Microsoft Timestamping Service
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Timestamping PCA
        Cert #5:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=nCipher DSE ESN:10D8-5847-CBF8/CN=Microsoft Timestamping Service
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Timestamping PCA
        Cert #6:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Timestamping PCA
                Issuer : /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority

Succeeded

You can also extract the signature:

osslsigncode extract-signature vcredist_x86.exe vcredist_x86.sig
Stephen Kitt
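The signature that the question and the answer above refer to is stored in the PE file's attribute certificate table as a PKCS#7 SignedData blob. The following Python code is an added example, not part of either answer or of osslsigncode, showing how to locate and dump that blob; `extract_pkcs7` and `build_sample_pe` are names chosen here, and the sample image is constructed rather than a real executable.

```python
import struct
import sys

def extract_pkcs7(data: bytes) -> list:
    """Return the DER PKCS#7 blobs held in a PE file's attribute certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                       # skip 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    # Directory 4 is the certificate table; its address is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 32) if count > 4 else (0, 0)
    if offset == 0 or size == 0:
        return []                           # unsigned file
    if offset + size > len(data):
        raise ValueError("certificate table extends past end of file")
    blobs, pos, end = [], offset, offset + size
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == 0x0002:             # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blobs.append(data[pos + 8:pos + length])
        pos += (length + 7) & ~7            # entries are 8-byte aligned
    return blobs

def build_sample_pe(blob: bytes) -> bytes:  # constructed test input, not a real executable
    hdr = bytearray(64 + 24 + 224)          # DOS header, PE sig + COFF, PE32 optional header
    hdr[0:2], hdr[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 64)   # e_lfanew
    struct.pack_into("<H", hdr, 88, 0x10B)  # PE32 magic
    struct.pack_into("<I", hdr, 88 + 92, 16)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
    entry += b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", hdr, 88 + 128, len(hdr), len(entry))
    return bytes(hdr + entry)

if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None     # no argument: constructed sample
    data = open(src, "rb").read() if src else build_sample_pe(b"constructed, not real DER")
    for i, blob in enumerate(extract_pkcs7(data)):
        with open(f"{src or 'sample'}.{i}.p7b", "wb") as out:
            out.write(blob)
```

Run against a real signed executable, the written `.p7b` file is DER-encoded and its certificates can be listed with `openssl pkcs7 -inform DER -in FILE.p7b -print_certs -noout`.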
1

You can also check out https://github.com/msdhedhi/VerifyWinFileDigitalSignature

This is Java code I wrote a while back which extracts and verifies the digital signature of a Windows PE file (32-bit and 64-bit).