2

I am distributing an authenticode signed self-extracting executable whose content I control.

It contains a mushroom of MSI-based installers that controls a hot swap of a distributed system, so it cannot easily be an MSI itself.

It would be nice to have if the executable just checked its own authenticode and refused to self-extract if not signed. I do realize that this provides no real integrity guarantee, but it would reinforce the message that the content is in no way customizable and perhaps make some formal certifications easier to handle.

One possible strategy might be based on with this still unanswered question. Any other ideas?

Community
  • 1
  • 1
Jirka Hanika
  • 13,301
  • 3
  • 46
  • 75
  • How do you create the self-extracting exe? If you can modify its code then you could just use WinVerifyTrust to check the certificate integrity before extracting – Isso May 10 '12 at 20:54
  • @Isso - Right now it is pkzip25 -sfx. It is then signed separately. The only way of modifying the emitted code that I am aware of is to scrap pkzip and write my own compression tool. – Jirka Hanika May 10 '12 at 21:04
  • So you basically need a packer like pkzip, that has a signature checker built in? I'm not aware of any such solution, sorry. – Isso May 10 '12 at 21:23

1 Answers1

0

This is not possible in the general case. If someone has tampered with your binary, perhaps they'll also remove your self-check.

If it was possible to build a completely tamper-proof executable, then it would be impossible for anyone to pirate software.

What you are asking for can most closely be achieved by creating an self-extracting executable and then applying a commercial copy-protection package to it.

To do so, use your favourite search engine to search for "executable copy protection".

SecurityMatt
  • 6,593
  • 1
  • 22
  • 28
  • That is true. If there is a packer that is willing to call `WinVerifyTrust` before extracting, I think I have a use case for it. (I guess you didn't care to read the last two sentences of the question that described the use case.) If there is none, I think I will understand why. – Jirka Hanika May 11 '12 at 07:51
  • What you are asking for can most closely be achieved by creating an self-extracting executable and then applying a commercial copy-protection package to it. – SecurityMatt May 11 '12 at 20:41
  • Accepting because the conversation finally helped me to recognize the simple truth that such a feature does not exist and I don't need it. – Jirka Hanika Jun 03 '12 at 21:50