My Windows MSI installer has a digital signature signed with a valid code signing certificate. To validate an incoming update installer, I use WinVerifyTrust to verify the file trust and also check whether the signer exactly matches my organization's name, say ABC, Inc. for example. But it has been reported that the file might be compromised by a certificate chain attack. The hacker can use the same signer's name under a different certificate chain path. So, what can I do to prevent such an attack? Validate each signer's name up to the Root CA, or is there any other efficient method of prevention? I haven't been able to figure it out for a while and need some experts to help out with some advice.
How to protect MSI installer digital signature from tampering
22 Views Asked by user2740605 At
There are 1 best solutions below
If you don't trust the CAs installed in Windows (even though generally you can because that is ~everybody's security boundary), you can always set up your own CA and add a second signature to your MSI that's signed with a certificate issued by that CA. Your updater can check that, while for regular MSI execution, Windows will be content with the regular certificate. You'll have the overhead of running your own CA though, including the security requirements that come from dealing with some customers.
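The check on a specific CA that the answer describes can be sketched as follows; this is an added example, not part of the original question or answer. It pins the root of the signer's chain by thumbprint rather than comparing names, and it inspects only the primary signature that `Get-AuthenticodeSignature` reports. The function name and the thumbprint are placeholders, and the pinned CA is assumed to be trusted on the machine doing the check.

```powershell
# Added example: accept an update only if its signer chains to one pinned CA.
# Test-PinnedInstallerSignature is a hypothetical helper name.
function Test-PinnedInstallerSignature {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # SHA-1 thumbprint of the root CA you expect (placeholder value at call site).
        [Parameter(Mandatory = $true)] [string] $PinnedRootThumbprint
    )

    # Step 1: the normal Authenticode check (file hash intact, chain trusted by Windows).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return $false
    }

    # Step 2: rebuild the chain for the signer certificate so its root can be inspected.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($sig.SignerCertificate)) {
        return $false
    }

    # The last chain element is the root the chain terminates in.
    $elements = $chain.ChainElements
    $root = $elements[$elements.Count - 1].Certificate

    # Step 3: compare by thumbprint. A subject name such as "ABC, Inc." can be
    # issued under another CA; the hash of the pinned root certificate cannot.
    $pinned = $PinnedRootThumbprint.Replace(' ', '').ToUpperInvariant()
    return ($root.Thumbprint -eq $pinned)
}

# Usage (path and thumbprint are placeholders):
# Test-PinnedInstallerSignature -Path 'C:\Updates\setup.msi' `
#     -PinnedRootThumbprint '<THUMBPRINT-OF-YOUR-ROOT-CA>'
```

Keeping the subject-name comparison from the question in addition to the pin is still worthwhile, since the pinned CA may issue certificates to other subjects.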