Rule 10000

Kevin Jones edited this page Apr 11, 2016 · 2 revisions

Rule 10000 - Primary SHA1

This rule checks that the primary Authenticode file digest algorithm is SHA1.

Authenticode appends signatures using nesting. For example, if the file is signed with a SHA1 digest algorithm and a SHA256 signature is then appended, the SHA256 signature is embedded inside the SHA1 signature as an unsigned attribute. Subsequent signatures are appended the same way.

If signtool were used with the following commands (certificate selection options omitted):

signtool sign /fd SHA1 input.exe
signtool sign /as /fd SHA256 input.exe
signtool sign /as /fd SHA384 input.exe

The signature graph would look something like this:

SHA1
|----SHA256
|----SHA384

SHA1 is the desirable root digest algorithm because it gives better compatibility with older clients. Because the SHA256 and SHA384 signatures are embedded in the SHA1 signature, old clients will safely ignore these signatures.

Clients that understand how to validate nested signatures will validate them.
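One way to inspect this graph on a signed file and apply the rule, as an added example that is not part of AuthenticodeLint: it reads the PE security directory, decodes the PKCS#7 SignedData with .NET's SignedCms, and follows the nested-signature unsigned attribute (OID 1.3.6.1.4.1.311.2.4.1) recursively. It assumes Windows PowerShell with the System.Security.Cryptography.Pkcs types available; the file path at the end is a placeholder.

```powershell
# Added example (not AuthenticodeLint's own code). Assumes Windows PowerShell
# with the .NET System.Security.Cryptography.Pkcs types available.
Add-Type -AssemblyName System.Security

# Returns the PKCS#7 SignedData blob stored in a PE file's Security data directory.
function Get-PeSignatureBlob([string]$Path) {
    $b = [IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                         # e_lfanew
    $opt = $pe + 24                                                  # "PE\0\0" + 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($b, $opt)
    $dirs = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }  # PE32+ vs PE32 data directories
    $certOff = [BitConverter]::ToInt32($b, $dirs + 4 * 8)            # entry 4 = Security (file offset)
    if ($certOff -eq 0) { throw "$Path carries no Authenticode signature" }
    $dwLength = [BitConverter]::ToInt32($b, $certOff)                # WIN_CERTIFICATE.dwLength (incl. 8-byte header)
    $blob = New-Object byte[] ($dwLength - 8)
    [Array]::Copy($b, $certOff + 8, $blob, 0, $blob.Length)
    return ,$blob
}

# Emits one node per signature: the given SignedData, then every nested signature
# hanging off its primary SignerInfo as unsigned attribute 1.3.6.1.4.1.311.2.4.1.
function Get-DigestGraph([byte[]]$Pkcs7, [int]$Depth = 0) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Pkcs7)
    $signer = $cms.SignerInfos[0]
    # FriendlyName is Windows' name for the OID, e.g. "sha1", "sha256", "sha384".
    [pscustomobject]@{ Depth = $Depth; Digest = $signer.DigestAlgorithm.FriendlyName }
    foreach ($attr in $signer.UnsignedAttributes) {
        if ($attr.Oid.Value -ne '1.3.6.1.4.1.311.2.4.1') { continue }
        foreach ($v in $attr.Values) { Get-DigestGraph $v.RawData ($Depth + 1) }
    }
}

# Rule 10000: the root (outermost) digest must be SHA1. Nested digests are only reported.
function Test-Rule10000([string]$Path) {
    $graph = @(Get-DigestGraph (Get-PeSignatureBlob $Path))
    foreach ($n in $graph) { '{0}{1}' -f ('|----' * $n.Depth), $n.Digest.ToUpper() }
    if ($graph[0].Digest -ne 'sha1') {
        Write-Warning "Rule 10000 failed: primary digest is $($graph[0].Digest), not SHA1"
        return $false
    }
    return $true
}

Test-Rule10000 'C:\path\to\input.exe'   # placeholder path: point at the file to check
```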