Closed
Description
We currently check that the Subject name on the certificate matches "Coder Technologies Inc.", but we went through a lot to get an extended validation certificate, so we should have Coder Desktop also check that the Authenticode certificate is an extended validation cert. This will make it much harder for a malicious actor to successfully sign binaries and have them executed by Coder Desktop.
```powershell
$sig = Get-AuthenticodeSignature -FilePath "C:\Program Files\Coder\bin\coder.exe"
foreach ($ext in $sig.SignerCertificate.Extensions) { $ext.Oid }
```
gives:
```
Value             FriendlyName
-----             ------------
2.5.29.35         Authority Key Identifier
2.5.29.14         Subject Key Identifier
2.5.29.32         Certificate Policies
2.5.29.15         Key Usage
2.5.29.37         Enhanced Key Usage
2.5.29.31         CRL Distribution Points
1.3.6.1.5.5.7.1.1 Authority Information Access
2.5.29.19         Basic Constraints
```
We are interested in the Certificate Policies extension, OID 2.5.29.32. If we decode that extension, we get
```
SEQUENCE {
  SEQUENCE {
    OBJECTIDENTIFIER 2.23.140.1.3
    SEQUENCE {
      SEQUENCE {
        OBJECTIDENTIFIER 1.3.6.1.5.5.7.2.1
        IA5String 'http://www.digicert.com/CPS'
      }
    }
  }
}
```
OID 2.23.140.1.3 is for Extended Validation
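One way to implement the check the issue proposes, as an added example written for this page and not code from the Coder Desktop project: walk the DER of the Certificate Policies extension (OID 2.5.29.32), collect every policyIdentifier, and accept the signer only if the signature chains to a trusted root, the subject CN matches, and the EV code-signing policy OID 2.23.140.1.3 is present. The function names, the default CN and the sample path are assumptions taken from the text above; the DER walker assumes definite-length encoding and a single-byte first OID arc, which holds for X.509 extensions and for the policy OIDs in question.

```powershell
# Added example, not part of the Coder issue or the Coder Desktop code base.
# Checks that a binary's Authenticode signer asserts the CA/Browser Forum
# EV code-signing policy (2.23.140.1.3) by parsing the Certificate Policies
# extension directly instead of relying on Windows' Format() output.

function Read-DerTlv {
    # Minimal X.690 TLV reader: returns the tag, where the content starts,
    # its length, and the offset of the next sibling. Assumes definite lengths,
    # which DER requires for certificates.
    param([byte[]] $Bytes, [int] $Offset)
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                       # long form: low 7 bits = number of length octets
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$pos + $i] }
        $pos += $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $pos; Length = $len; Next = $pos + $len }
}

function ConvertFrom-DerOid {
    # Decode OBJECT IDENTIFIER content octets to dotted form.
    # First octet encodes arcs 1 and 2 (40*a1 + a2); remaining arcs are base-128
    # with the high bit as a continuation flag. Assumes the first octet is < 128,
    # true for every 0.x, 1.x and 2.x OID with a small second arc (e.g. 2.23.140...).
    param([byte[]] $Bytes)
    $arcs = New-Object System.Collections.Generic.List[string]
    $first = [int]$Bytes[0]
    if ($first -lt 80) { $arcs.Add([string][math]::Floor($first / 40)); $arcs.Add([string]($first % 40)) }
    else               { $arcs.Add('2');                                $arcs.Add([string]($first - 80)) }
    $value = [int64]0
    for ($i = 1; $i -lt $Bytes.Length; $i++) {
        $value = ($value -shl 7) -bor ($Bytes[$i] -band 0x7F)
        if (($Bytes[$i] -band 0x80) -eq 0) { $arcs.Add([string]$value); $value = [int64]0 }
    }
    return ($arcs -join '.')
}

function Get-CertificatePolicyOids {
    # certificatePolicies ::= SEQUENCE OF PolicyInformation
    # PolicyInformation    ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return @() }
    $raw   = $ext.RawData
    $outer = Read-DerTlv -Bytes $raw -Offset 0
    if ($outer.Tag -ne 0x30) { throw 'Certificate Policies extension is not a SEQUENCE' }
    $oids = @()
    $pos  = $outer.Start
    while ($pos -lt $outer.Next) {
        $policy = Read-DerTlv -Bytes $raw -Offset $pos
        $oid    = Read-DerTlv -Bytes $raw -Offset $policy.Start
        if ($oid.Tag -eq 0x06) {                  # OBJECT IDENTIFIER
            $oids += ConvertFrom-DerOid -Bytes ($raw[$oid.Start..($oid.Next - 1)])
        }
        $pos = $policy.Next
    }
    return $oids
}

function Test-EvAuthenticodeSignature {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $ExpectedSubject  = 'Coder Technologies Inc.',  # assumed expected CN, from the issue text
        [string] $EvCodeSigningOid = '2.23.140.1.3'              # CA/B Forum EV code-signing policy
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    # Chain validation first: any certificate can *embed* the EV OID, so the
    # policy check is only meaningful once the signature chains to a trusted root.
    if ($sig.Status -ne 'Valid') { Write-Verbose "signature status: $($sig.Status)"; return $false }
    $cert = $sig.SignerCertificate
    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSubject) { Write-Verbose "unexpected subject: $cn"; return $false }
    $policies = Get-CertificatePolicyOids -Certificate $cert
    Write-Verbose ("policies: " + ($policies -join ', '))
    return [bool]($policies -contains $EvCodeSigningOid)
}

# Usage (path taken from the issue; substitute the binary you want to check):
Test-EvAuthenticodeSignature -FilePath 'C:\Program Files\Coder\bin\coder.exe' -Verbose
```

The order of the checks is the point: chain validity, then subject, then policy. Skipping the first step would let a self-signed certificate with the right CN and a copied policy OID pass, since nothing stops a signer from asserting 2.23.140.1.3 in a certificate they minted themselves; the OID only carries weight as a statement by an issuing CA the platform already trusts. Parsing the DER rather than string-matching `$ext.Format($true)` keeps the check independent of the locale-specific text Windows renders for the extension.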