4

When using Set-AuthenticodeSignature, there is an option called IncludeChain. While there is documentation about what each of the options are, I haven't been able to uncover much guidance surrounding the advantages/disadvantages of each setting (when you would pick one setting over another).

Everywhere I see IncludeChain in examples, it is always set to All. I think All is likely the best answer, but I'd like to understand the benefits and disadvantages of each of the settings.

  • Signer
  • NotRoot (default)
  • All

Other than All making the file quite a bit bigger, what are the specific advantages and disadvantages of each of the settings?

References

Example

$certPfx = "super secret location"
$certPassword = "super secret password"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfx, $certPassword)

Set-AuthenticodeSignature -Filepath "ps1 file location" `
  -Cert $cert `
  -TimeStampServer "url to timestamp server" `
  -IncludeChain All `
  -HashAlgorithm SHA256
Community
  • 1
  • 1
ferventcoder
  • 11,952
  • 3
  • 57
  • 90

1 Answers1

4

Default NotRoot is the best option.

  • Signer

pros: when you put only signer certificate, signature size is relatively small.

cons: if recipient do not have all information to construct the chain, valid signature may become invalid. In addition, certificate retrieval from the internet causes noticeable delays during signature validation.

  • NotRoot

pros: reduces signature validation time by speeding up chain building with attached intermediate CA certificates. In the case when no extra information about chain certificates available (say, through local store or AIA extension), these certificates fill the gap and greatly help in chain building.

cons: signature size is increased by about 2kb per each intermediate CA certificate.

  • All

pros: reduces signature validation time by speeding up chain building with attached intermediate CA certificates.

cons: signature size is increased by about 2kb per each CA certificate. This option includes root CA, which is redundant information. If client already have root certificate trusted (as the result it is already installed), included root CA certificate do not provide any helpful information. If client do not have root certificate, its inclusion in the signature doesn't make sense either.

Crypt32
  • 12,850
  • 2
  • 41
  • 70
  • Agreed. I want to echo that I don't see any value in "All" -- the client's either going to trust your root (and already have it) or not, and under no circumstances should anyone add you root to their trusted store, even if they decide they have to trust *your cert* despite not knowing the root. – Jaykul Mar 26 '16 at 20:01