by g45y45
2660 days ago
Kinda. You can use mimikatz to override the checks that the private key is isolated, you can even override the 'no export' flag. Timestamping relies on external trusted timestamp providers implementing RFC 3161. There are many out there, maybe you could get a false timestamp out of them. I agree it could be stronger than PGP, however it suffers a design flaw in that it considers the geometry of the PE file. PGP signs the whole blob. CVE-2017-0215 is an example of a bypass by copying a previously signed header. It is more fragile and has been bypassed historically.
|
"No export" flag is not the same. What I'm talking about is keys stored in hardware modules (TPM, Yubikey) so that the private key is never disclosed, you can only ask the hardware to perform actions using that key.
See for example Yubikey docs: https://developers.yubico.com/PIV/Introduction/PIV_attestati...
> There are many out there, maybe you could get a false timestamp out of them.
Maybe? That's how the CA model works, they are trusted third parties. Code signing CAs are required to operate timestamping services, so if getting a cert from them is not a security issue, timestamping should also be fine.
PGP, on the other hand, if used in a Web of Trust model, makes every valid key a CA. Not to mention that PGP doesn't have extended key usage flags, so signing software is the same as signing e-mail (you cannot specify that you want to have this key be used for code signing exclusively).