When checking a file through signtool, I get one hash, and when decoding the certificate, another. What am I missing?
Command:
signtool verify /a /ph /pa /v .\EmptyExe.exe
Hash of file (sha256): 9FCC67FA3FAA88BCDED22E9FCF6AE1D6D62A95A79A1C777743052DF16F63DADC
Decoded octet string:
0001f...f003031300d06096086480165030402010500042066cea53b15089957fc4ca86e419e2058f562e17a802e23e7d5154d2e71412e1a
Parsed string: https://lapo.it/asn1js/#MDEwDQYJYIZIAWUDBAIBBQAEIGbOpTsVCJlX_EyobkGeIFj1YuF6gC4j59UVTS5xQS4a
According to my observation, when signing different files, only 3 fields change: hash, messageDigest, encoded hash. What is stored in the messageDigest field?
messageDigest contains a hash of the PKCS#7 message content, which in turn contains the hash of the signed data (the PE file, in this case).
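The chain of digests described in the answer, as an added worked example that is not part of the original question or answer. It takes the DigestInfo hex the asker posted, rebuilds the PKCS#1 v1.5 padded block around it (the question elides the 0xFF run as "f...f", so a 2048-bit RSA modulus is assumed here), strips the padding, parses the DigestInfo with a minimal DER reader, and confirms the hash algorithm is SHA-256 and the digest is not the PE hash. The hash_chain function then shows the three nesting levels with constructed, simplified stand-ins for SpcIndirectDataContent and the signed attributes (the real structures carry more fields and the signed-attribute hash is computed over a SET OF); the point it makes is that the PE hash, messageDigest and the hash recovered from the signature are three different values.

```python
"""Authenticode digest layers: PE hash -> messageDigest -> hash in the RSA signature.

Layer 1: the PE (Authenticode) hash is stored inside SpcIndirectDataContent.
Layer 2: messageDigest, a signed attribute, is H(SpcIndirectDataContent value).
Layer 3: the RSA signature covers DigestInfo(H(signedAttrs)), so decrypting it
         yields H(signedAttrs), which is neither messageDigest nor the PE hash.
"""
import hashlib

SHA256_OID = "2.16.840.1.101.3.4.2.1"

# Values copied from the question: the PE hash signtool printed, and the
# DigestInfo found inside the decrypted signature block.
FILE_HASH_HEX = "9FCC67FA3FAA88BCDED22E9FCF6AE1D6D62A95A79A1C777743052DF16F63DADC".lower()
DIGEST_INFO_HEX = ("3031300d060960864801650304020105000420"
                   "66cea53b15089957fc4ca86e419e2058f562e17a802e23e7d5154d2e71412e1a")


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def build_padded_block(digest_info, modulus_len=256):
    """Constructed: EMSA-PKCS1-v1_5 type-1 block for an assumed 2048-bit key."""
    pad_len = modulus_len - len(digest_info) - 3
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + digest_info


def strip_pkcs1_v15(block):
    """Remove 00 01 FF..FF 00 padding and return the DigestInfo that follows it."""
    if block[:2] != b"\x00\x01":
        raise ValueError("bad PKCS#1 v1.5 block header")
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(block) or block[i] != 0x00:   # spec requires >= 8 bytes of FF
        raise ValueError("bad PKCS#1 v1.5 padding")
    return block[i + 1:]


def parse_digest_info(der):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest } -> (oid, digest_hex)."""
    tag, seq, end = der_read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DigestInfo is not a single SEQUENCE")
    tag, algid, pos = der_read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = der_read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    tag, digest, _ = der_read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("missing digest OCTET STRING")
    return decode_oid(oid), digest.hex()


def decode_question_block():
    """Rebuild the padded block from the question's DigestInfo and parse it back."""
    block = build_padded_block(bytes.fromhex(DIGEST_INFO_HEX))
    return parse_digest_info(strip_pkcs1_v15(block))


def hash_chain(pe_hash_hex):
    """Constructed illustration of the three layers (stand-ins, not real DER structures)."""
    pe_hash = bytes.fromhex(pe_hash_hex)
    spc_indirect_data = b"\x04\x20" + pe_hash               # layer 1: content wraps the PE hash
    message_digest = hashlib.sha256(spc_indirect_data).digest()   # layer 2: messageDigest
    signed_attrs = b"\x04\x20" + message_digest             # signedAttrs wraps messageDigest
    signed_attrs_hash = hashlib.sha256(signed_attrs).digest()     # layer 3: what RSA signs
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + signed_attrs_hash
    return {
        "pe_hash": pe_hash.hex(),
        "messageDigest": message_digest.hex(),
        "signature_digest": parse_digest_info(digest_info)[1],
    }


if __name__ == "__main__":
    oid, digest = decode_question_block()
    print("algorithm:", oid, "(sha256)" if oid == SHA256_OID else "")
    print("digest in signature:", digest)
    print("matches PE hash?    ", digest == FILE_HASH_HEX)
    for k, v in hash_chain(FILE_HASH_HEX).items():
        print(f"{k:>17}: {v}")
```

Running it shows the OID 2.16.840.1.101.3.4.2.1 (SHA-256) and the digest 66cea53b... from the question, which is H(signedAttrs) and therefore cannot equal the 9fcc67fa... PE hash; the constructed chain prints three distinct values for the same reason.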