A Rust library for checking digital signatures on Windows.
Code signing allows authors to certify the origin of their work, and end users to verify the integrity of executables before running them. Microsoft has extensive documentation on the topic.
Code signing on Windows comes in two basic flavors:
- Embedded Signatures
- Signature Catalogs
When using embedded signatures, the executable has the X.509 data attached to it, and integrity checks can be run directly against that file.
Signature catalogs are where things get a little more complicated. Instead of embedding certificate data in all of the thousands upon thousands of binaries included in Windows, the concept of a catalog was introduced. Catalog files contain hash information of binaries on the system. The catalog is then signed using an embedded signature. Applications whose hash(es) appear in the catalog are treated as though they share the embedded signature of the catalog file.
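The catalog trust rule described above, modelled in plain Rust as an added example; it is not code from this crate and does not use its API. The `Catalog`, `Binary` and `Trust` types, the signer names and the sample bytes are hypothetical, the digest is a non-cryptographic FNV-1a stand-in for the real file hash, and checking the embedded signature before the catalogs is an assumption of the model.

```rust
use std::collections::HashSet;

// Stand-in digest (64-bit FNV-1a) so the example needs no crates; real
// catalogs hold cryptographic hashes of each member file.
fn digest(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

// Hypothetical model types; not the codesigned crate's API.
struct Catalog { signer: &'static str, signature_valid: bool, members: HashSet<u64> }
struct Binary<'a> { contents: &'a [u8], embedded_signer: Option<&'static str> }

#[derive(Debug, PartialEq)]
enum Trust { Embedded(&'static str), Catalog(&'static str), Unsigned }

// Assumed order: embedded signature first, then catalog lookup by hash.
fn resolve(bin: &Binary, catalogs: &[Catalog]) -> Trust {
    if let Some(signer) = bin.embedded_signer {
        return Trust::Embedded(signer);
    }
    let h = digest(bin.contents);
    catalogs.iter()
        // A catalog only vouches for its members if its own signature verifies.
        .filter(|c| c.signature_valid)
        .find(|c| c.members.contains(&h))
        .map_or(Trust::Unsigned, |c| Trust::Catalog(c.signer))
}

fn demo() -> Vec<Trust> {
    let original: &[u8] = b"constructed bytes standing in for a system binary";
    let mut tampered = original.to_vec();
    tampered[0] ^= 1; // a single-bit modification changes the digest
    let publisher = "Example OS Publisher"; // constructed signer name
    let good = [Catalog { signer: publisher, signature_valid: true, members: HashSet::from([digest(original)]) }];
    let bad = [Catalog { signer: publisher, signature_valid: false, members: HashSet::from([digest(original)]) }];
    vec![
        resolve(&Binary { contents: original, embedded_signer: None }, &good),
        resolve(&Binary { contents: &tampered, embedded_signer: None }, &good),
        resolve(&Binary { contents: original, embedded_signer: None }, &bad),
        resolve(&Binary { contents: b"constructed vendor app", embedded_signer: Some("Example Vendor") }, &good),
    ]
}

fn main() {
    for outcome in demo() { println!("{:?}", outcome); }
}
```

The second and third cases are the ones to watch when checking catalog-signed files: a modified binary no longer matches any catalog entry, and a matching entry counts for nothing if the catalog's own signature does not verify.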
Cargo.toml:

```toml
[dependencies]
codesigned = { git = "https://github.com/rustysec/codesigned-rs" }
```

Rust code:

```rust
use codesigned::CodeSigned;
let signature = CodeSigned::new(r"c:\windows\system32\notepad.exe")?;
```

Contributions are always welcome! If you find a bug or a missing feature, please file an issue.