Closed
Description
We currently check the Subject name on the certificate matches "Coder Technologies Inc.", but we went through a lot to get an extended validation certificate, so we should have Coder Desktop also check that the Authenticode certificate is an extended validation cert. This will make it much harder for a malicious actor to successfully sign binaries and have them executed by Coder Desktop.
```powershell
# Read the Authenticode signature on the installed binary and list the
# X.509 extensions present on the signing (leaf) certificate
$sig = Get-AuthenticodeSignature -FilePath "C:\Program Files\Coder\bin\coder.exe"
foreach ($ext in $sig.SignerCertificate.Extensions) { $ext.Oid }
```
gives:

```text
Value             FriendlyName
-----             ------------
2.5.29.35         Authority Key Identifier
2.5.29.14         Subject Key Identifier
2.5.29.32         Certificate Policies
2.5.29.15         Key Usage
2.5.29.37         Enhanced Key Usage
2.5.29.31         CRL Distribution Points
1.3.6.1.5.5.7.1.1 Authority Information Access
2.5.29.19         Basic Constraints
```
We are interested in the Certificate Policies extension, OID 2.5.29.32. If we decode that extension, we get
```text
SEQUENCE {
  SEQUENCE {
    OBJECTIDENTIFIER 2.23.140.1.3
    SEQUENCE {
      SEQUENCE {
        OBJECTIDENTIFIER 1.3.6.1.5.5.7.2.1
        IA5String 'http://www.digicert.com/CPS'
      }
    }
  }
}
```
OID 2.23.140.1.3 is for Extended Validation
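The check described above, as an added example that is not Coder Desktop's own code: a stand-alone, standard-library Python parser for the certificatePolicies extension value, run against constructed DER samples that mirror the structure decoded above. The function names and the samples are mine; the non-EV sample uses 2.23.140.1.4.1, the CA/Browser Forum policy identifier for non-EV code signing certificates. In a real check the extension bytes come from the signer certificate (the leaf in `$sig.SignerCertificate`, not an intermediate), and the policy test only means something when `$sig.Status` is Valid, i.e. the signature verified and the chain built to a trusted root; on its own the OID is just a claim the issuing CA wrote into the certificate.

```python
"""Minimal DER walker for an X.509 Certificate Policies extension (OID 2.5.29.32).

Added example for this issue; it is not Coder Desktop code. Standard library only;
the sample DER below is constructed here to match the structure decoded in the issue.
"""

EV_CODE_SIGNING_OID = "2.23.140.1.3"     # CA/Browser Forum EV code signing policy
CPS_QUALIFIER_OID = "1.3.6.1.5.5.7.2.1"  # id-qt-cps, the CPS pointer qualifier

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_IA5STRING = 0x16


def _read_length(buf, pos):
    """Return (length, next_pos) for the DER length at buf[pos]."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    nbytes = first & 0x7F                  # long form: number of length bytes
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length, pos = _read_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _iter_children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE's contents."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form (base-128 arcs)."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    Qualifiers (the CPS URL in the issue) are skipped; only the identifier matters here.
    """
    tag, outer, end = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids = []
    for tag, info in _iter_children(outer):
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        id_tag, id_value, _ = _read_tlv(info, 0)
        if id_tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(id_value))
    return oids


def is_ev_code_signing(ext_value):
    """True if the extension asserts the CA/B Forum EV code signing policy."""
    return EV_CODE_SIGNING_OID in policy_oids(ext_value)


# --- constructed sample data (not taken from a real certificate) -------------
def _tlv(tag, value):
    """Encode one DER TLV; lengths up to 65535 are enough for samples."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                         # prepend continuation bytes, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def certificate_policies(*policy_ids, cps="http://www.digicert.com/CPS"):
    """Build a certificatePolicies value: one PolicyInformation per OID, each with a CPS qualifier."""
    qualifier = _tlv(TAG_SEQUENCE, encode_oid(CPS_QUALIFIER_OID) + _tlv(TAG_IA5STRING, cps.encode("ascii")))
    infos = b"".join(_tlv(TAG_SEQUENCE, encode_oid(p) + _tlv(TAG_SEQUENCE, qualifier)) for p in policy_ids)
    return _tlv(TAG_SEQUENCE, infos)


EV_SAMPLE = certificate_policies(EV_CODE_SIGNING_OID)   # the structure decoded in the issue
OV_SAMPLE = certificate_policies("2.23.140.1.4.1")      # constructed non-EV (CA/B Forum OV) sample

if __name__ == "__main__":
    print(EV_SAMPLE.hex())
    print(policy_oids(EV_SAMPLE), is_ev_code_signing(EV_SAMPLE))
    print(policy_oids(OV_SAMPLE), is_ev_code_signing(OV_SAMPLE))
```

The parser rejects trailing bytes after the outer SEQUENCE and elements that run past the buffer, so a truncated or padded extension value fails closed rather than yielding an empty policy list that a caller might misread as "no EV policy asserted".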