Windows Authenticode Portable Executable Signature Format

[Nytro]

Authenticode® is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher. This paper contains the structure and technical details of the Authenticode signature format.

This paper does not discuss issuing or processing X.509 code signing certificates, use of Windows Software Development Kit tools to sign binaries, deployment of a code signing infrastructure, or related Windows® APIs. Information on these topics is available in ”Resources” at the end of this paper.

This information applies for the following operating systems:

Windows Server® 2008

Windows Vista®

Windows Server 2003

Windows® XP

Windows 2000

References and resources discussed here are listed at the end of this paper.

For the latest information, see:

http://www.microsoft.com/whdc/winlogo/drvsign/Authenticode_PE.mspx

Contents

Introduction 4

Overview 4

Authenticode Profile of PKCS #7 SignedData 7

SignedData 7

SignerInfo 8

Authenticode-Specific Structures 9

Authenticode-Specific Structures in ContentInfo 9

SpcIndirectDataContent 9

SpcPeImageData 10

SpcSerializedObject 11

Authenticode-Specific SignerInfo UnauthenticatedAttributes Structures 12

SpcSpOpusInfo 12

Authenticode-Specific SignerInfo UnsignedAttrs Structures 12

Authenticode Timestamp 12

Authenticode Signature Verification 13

Extracting and Verifying PKCS #7 13

Certificate Processing 13

Timestamp Processing 14

Timestamp Processing with Lifetime Signing Semantics 15

Calculating the PE Image Hash 15

Resources 17

Applicable Standards 17

Authenticode PE Signature Format References 17

General Code Signing References 17

Download:

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx