Microsoft Authenticode sign check failure

  • Question

  • Certificate chain verification of the host process image file through CertGetCertificateChain() or WinVerifyTrust() from a DLL loaded into the same process fails. There are two scenarios.

    1: When the process image is signed and not expired, it can't execute CertGetCertificateChain() or WinVerifyTrust() and the host process gets stuck.

    2: When the process image is signed and expired, CertGetCertificateChain() executes but the DLL is unloaded.

    Can someone answer why this is happening?


    Friday, September 13, 2019 10:02 AM

All replies

  • Hi,

    What's the error code of CertGetCertificateChain/WinVerifyTrust when the call fails?

    For CertGetCertificateChain(), call GetLastError()

    For WinVerifyTrust(), check the return code in the document to get the error information.

    And could you provide a minimal, reproducible code sample for us?

    Thanks,

    Drake


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, September 16, 2019 8:16 AM
    Moderator
  • The code does not provide any error code. Rather, it pauses further code execution and hangs the process. The call to CertGetCertificateChain/WinVerifyTrust is made from a DLL program.

    There are two conditions:

    1: In the first case, if the target file (host process image file) is perfectly root signed and time valid, code execution in the DLL stops without any GetLastError().

    2: In the second case, if the target file (host process image file) is not perfectly root signed and has expired, code execution in the DLL continues without error but the DLL gets automatically unloaded from the host process.

    But the code runs fine when executed as a console app....


    Monday, September 16, 2019 12:43 PM
  • According to the MSDN documentation,

    https://docs.microsoft.com/en-us/windows/win32/api/wintrust/ns-wintrust-wintrust_data?redirectedfrom=MSDN

    https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_engine_config?redirectedfrom=MSDN

    It seems you will need to prevent retrieval of revocation lists as well. Set WTD_CACHE_ONLY_URL_RETRIEVAL or CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL.

    Best Regards,

    Drake



    Tuesday, September 17, 2019 6:50 AM
    Moderator
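The following is an added example, not code posted in this thread, showing what the last reply recommends: verifying the host process image with WinVerifyTrust while forbidding any network retrieval (WTD_CACHE_ONLY_URL_RETRIEVAL plus no revocation checking), and returning the status code the first reply asked for instead of letting the caller hang. It assumes the Windows SDK headers (wintrust.h, softpub.h) and links against wintrust.lib; the function and variable names are my own. The non-Windows branch exists only so the file compiles elsewhere; the real work is in the Windows branch.

```c
/* Added example: Authenticode check of the host image with cache-only URL
 * retrieval. Build on Windows with:  cl /W4 verify.c wintrust.lib
 * (or MinGW: gcc verify.c -lwintrust). */
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

/* Returns the WinVerifyTrust status: 0 (ERROR_SUCCESS) when the Authenticode
 * signature chains to a trusted root, otherwise a TRUST_E_* / CERT_E_* code
 * (e.g. TRUST_E_NOSIGNATURE, CERT_E_EXPIRED, CRYPT_E_FILE_ERROR). */
long VerifyFileCacheOnly(const wchar_t *path)
{
    GUID policy = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_FILE_INFO fileInfo;
    WINTRUST_DATA wtd;
    LONG status;

    memset(&fileInfo, 0, sizeof(fileInfo));
    fileInfo.cbStruct = sizeof(fileInfo);
    fileInfo.pcwszFilePath = path;

    memset(&wtd, 0, sizeof(wtd));
    wtd.cbStruct = sizeof(wtd);
    wtd.dwUIChoice = WTD_UI_NONE;              /* never show a dialog from a DLL */
    wtd.fdwRevocationChecks = WTD_REVOKE_NONE; /* no CRL/OCSP fetch */
    wtd.dwUnionChoice = WTD_CHOICE_FILE;
    wtd.pFile = &fileInfo;
    wtd.dwStateAction = WTD_STATEACTION_VERIFY;
    /* Chain building may only consult the local cache: no AIA download of
     * intermediates, no revocation retrieval. This is the flag the thread
     * recommends; CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL is the counterpart for
     * a direct CertGetCertificateChain() call. */
    wtd.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL | WTD_REVOCATION_CHECK_NONE;

    status = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &policy, &wtd);

    /* Release the provider state kept open by WTD_STATEACTION_VERIFY. */
    wtd.dwStateAction = WTD_STATEACTION_CLOSE;
    WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &policy, &wtd);
    return (long)status;
}

/* Verifies the image of the process this code is loaded into (the "host
 * process image file" of the question). Do not call this from DllMain:
 * WinVerifyTrust loads provider DLLs and may wait on other threads, which
 * is exactly what deadlocks under the loader lock. Call it from an exported
 * initialisation function or a worker thread started after DllMain returns. */
long VerifyHostProcessImage(void)
{
    wchar_t path[MAX_PATH];
    DWORD n = GetModuleFileNameW(NULL, path, MAX_PATH);
    if (n == 0 || n >= MAX_PATH)
        return (long)HRESULT_FROM_WIN32(GetLastError());
    return VerifyFileCacheOnly(path);
}
#else
/* Non-Windows build: the API is unavailable, report a nonzero status. */
long VerifyFileCacheOnly(const wchar_t *path) { (void)path; return -1; }
long VerifyHostProcessImage(void) { return -1; }
#endif

int main(void)
{
    long status = VerifyHostProcessImage();
    printf("WinVerifyTrust status for host image: 0x%08lx\n", (unsigned long)status);
    return status == 0 ? 0 : 1;
}
```

Two points worth keeping in mind when applying this to the thread's scenarios. First, an expired signing certificate is only an error when the signature carries no valid timestamp; with WTD_REVOKE_NONE and WTD_REVOCATION_CHECK_NONE the call still reports CERT_E_EXPIRED for an untimestamped expired signature, so the "expired" case returns a code rather than silently passing. Second, a nonzero status is the answer to the first reply's question and should be logged by the DLL before it decides whether to stay loaded.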