discussion: Sigcheck verifies wrong signatures in some conditions.
I downloaded some samples from the Internet, then verified these samples with Sigcheck (v2.90). However, Sigcheck shows incorrect signature information, different from other verification tools such as Signtool (another official verification tool).
I ran the CMD command:
sigcheck64.exe -a -i -h [filePath]
- The verified sample is signed by Microsoft in a Catalog file (.cat).
- The verified sample is also signed by another signer, with an embedded Authenticode signature, for unknown reasons.
- When Sigcheck verifies signatures, it searches for embedded Authenticode signatures first. If there is no embedded Authenticode signature, it then searches for Catalog signatures.
- The result is that Sigcheck shows the verified sample as signed by the other signer, not Microsoft.
I think it is a logic flaw to verify Authenticode signatures first. When verification tools invoke the Windows API to verify Catalog signatures, it searches certain directories. And Catalog signatures are usually signed by Microsoft. In this sense, they are more credible than embedded Authenticode signatures.
- Sigcheck is integrated in the online malware analysis platform VirusTotal. So VirusTotal users will get incorrect signature information in such a condition.
- Any local computer which deploys Sigcheck as a baseline to verify signatures will get incorrect signature information. Meanwhile, anyone can put an invalid embedded Authenticode signature in a Catalog-signed file to disable the signatures.
- Sigcheck should verify Catalog signatures first, like other verification tools (e.g. Signtool and PowerShell). Or, if Catalog signatures and embedded Authenticode signatures exist at the same time, Sigcheck may show both kinds of signature information.
- Sigcheck may provide a parameter to enable users to choose which kind of signature (embedded Authenticode or Catalog) is verified.
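As an added example (not part of the original post or of Sigcheck), the following PowerShell function reads the embedded Authenticode signer and the catalog-first verification result separately, and flags the exact condition described above: a catalog-verified file that also carries an embedded signature from a different subject. It assumes Windows PowerShell 5.1 or later on Windows 10/Server 2016+, where Get-AuthenticodeSignature consults catalogs and exposes the SignatureType property; the function name is hypothetical.

```powershell
# Added example, not the original post's or Sigcheck's code.
# Assumes Windows PowerShell 5.1+ on Windows 10/Server 2016+, where
# Get-AuthenticodeSignature checks catalogs and exposes SignatureType.
function Compare-SignatureSources {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # 1. Embedded Authenticode signer only: CreateFromSignedFile reads the
    #    certificate from the PE security directory, never consults catalogs,
    #    and does not validate the chain. It throws when no signature is present.
    $embedded = $null
    try {
        $embedded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($file.FullName)
    } catch [System.Security.Cryptography.CryptographicException] {
        # no embedded Authenticode signature in this file
    }

    # 2. Catalog-first verification, the order Signtool /a and PowerShell use.
    $verified = Get-AuthenticodeSignature -LiteralPath $file.FullName

    $result = [pscustomobject]@{
        File           = $file.FullName
        VerifiedStatus = $verified.Status
        VerifiedVia    = $verified.SignatureType   # Catalog, Authenticode or None
        VerifiedSigner = if ($verified.SignerCertificate) { $verified.SignerCertificate.Subject } else { $null }
        IsOSBinary     = $verified.IsOSBinary
        EmbeddedSigner = if ($embedded) { $embedded.Subject } else { $null }
        Mismatch       = $false
    }

    # 3. The condition from the post: catalog signature verified, but an embedded
    #    signature from another subject is also present. An embedded-first checker
    #    would report that other signer (or an invalid signature) instead.
    if ($verified.SignatureType -eq 'Catalog' -and $embedded -and
        $embedded.Subject -ne $result.VerifiedSigner) {
        $result.Mismatch = $true
        Write-Warning "$($file.Name): catalog signer differs from embedded signer; embedded-first tools will disagree with Signtool/PowerShell."
    }
    $result
}

# Usage: scan a directory and keep only files where the two sources disagree.
# Get-ChildItem C:\Windows\System32\*.exe | ForEach-Object { Compare-SignatureSources $_.FullName } | Where-Object Mismatch
```

Running the same files through `sigcheck64.exe -a -i -h` and comparing the reported signer against `VerifiedSigner` shows which tool's result an analyst should trust for that file.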