My Windows MSI installer has a digital signature signed with a valid code signing certificate. To validate an incoming update installer, I use WinVerifyTrust to verify the file trust and also check that the signer exactly matches my organization's name, say ABC, Inc. for example. But it is being reported that the file might be compromised by a certificate chain attack. The hacker can use the same signer's name under a different certificate chain path. So, what can I do to prevent such an attack? Validate each signer's name up to the Root CA, or is there any other efficient method to prevent it? I haven't been able to figure it out for a while and need some experts to help out with some advice.
How to protect MSI installer digital signature from tampering
22 views Asked by user2740605 At
There is 1 answer
If you don't trust the CAs installed in Windows (even though generally you can because that is ~everybody's security boundary), you can always set up your own CA and add a second signature to your MSI that's signed with a certificate issued by that CA. Your updater can check that, while for regular MSI execution, Windows will be content with the regular certificate. You'll have the overhead of running your own CA though, including the security requirements that come from dealing with some customers.
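
One way an updater can bind the signer-name check from the question to a specific certificate chain, shown as an added example that is not part of the original question or answer. The function names, the `$PinnedCaSha256` variable and the fingerprint value are hypothetical placeholders; the pinned fingerprint would be that of the CA certificate (public or your own) that is expected to appear in the signer's chain.

```powershell
# Added example: accept an update only if the signature is valid, the signer
# name matches, AND a pinned CA certificate appears in the signer's chain.
$ExpectedSignerName = 'ABC, Inc.'                    # example name from the question
$PinnedCaSha256     = '<SHA256-OF-EXPECTED-CA-CERT>' # placeholder, hex without separators

function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SHA-256 over the DER-encoded certificate, as an uppercase hex string
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Step 1: Authenticode verification by Windows (file hash and chain trust).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }

    # Step 2: the name check from the question. On its own this is not enough,
    # because another trusted CA could issue a certificate with the same name.
    $signer = $sig.SignerCertificate
    if ($signer.GetNameInfo('SimpleName', $false) -ne $ExpectedSignerName) { return $false }

    # Step 3: rebuild the chain only to enumerate its certificates. Trust was
    # already decided in step 1, so time validity and revocation are not
    # re-evaluated here (a timestamped signature may outlive its certificate).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    if (-not $chain.Build($signer)) { return $false }

    # Step 4: require the pinned CA certificate somewhere in the chain.
    foreach ($element in $chain.ChainElements) {
        if ((Get-CertSha256 $element.Certificate) -eq $PinnedCaSha256) { return $true }
    }
    return $false
}
```

Pinning a CA fingerprint rather than the signing certificate itself lets the signing certificate be renewed without shipping a new updater, as long as the same CA issues the replacement.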