vfxGer

Reputation: 311

How does Windows link a pe file to its signature in a catalog file?

Running signtool.exe verify /a /v C:\Windows\notepad.exe I can see the signature for notepad.exe is in C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat. How does signtool know that is where the signature exists for this pe file?

I am trying to replicate this signtool behaviour in Python. Once I have the catalog file I can get the certificate information with the code below, but I cannot see how Windows links the file to the catalog.

import win32com.client

# Path to the catalog file (GUID elided as in the original post).
catpath = "C:\\Windows\\system32\\CatRoot\\{F----E}\\nt5.cat"

# CAPICOM SignedCode object: Verify() checks the catalog's own signature
# and populates the Certificates collection.
signedCode = win32com.client.Dispatch('capicom.signedcode')
signedCode.FileName = catpath
signedCode.Verify()

# Dump the signing-chain certificates found in the catalog.
certs = signedCode.Certificates
for cert in certs:
    print(cert.Archived)
    print(cert.IssuerName)
    print(cert.SerialNumber)
    print(cert.SubjectName)
    print(cert.Thumbprint)
    print(cert.ValidFromDate)
    print(cert.ValidToDate)
    print(cert.Version)

But how do I get which security catalog file the executable is in?

Upvotes: 4

Views: 2199

Answers (1)

guest

Reputation: 224

Disclaimer: the following is a rough guess based on testing, as the exact process is undocumented.

Windows scans through every cat file in System32\CatRoot\{F7--EE}, adds them to the system catalog database and roughly sorts them by each entry's file hash/tag value.
(revealed by CatRoot2\dberr.txt, which contains the log for the database process)
The database is the file System32\CatRoot2\{F7--EE}\catdb.
Inside catdb, a file hash is followed by its cat file name in CatRoot\{F7--EE}.
Note the hash excludes the PE checksum & Certificate Table entry.
The hash can be obtained from SignTool verify /v or this.

Upvotes: 4
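The link the question asks about is the file hash the answer describes: a catalog entry is keyed on the Authenticode image hash of the PE, not on its path or name. The example below is added here and is not code from the question, the answer or Microsoft; it computes that hash in pure Python so the skipped bytes (the CheckSum field, the Certificate Table directory entry and any trailing certificate table) are explicit, and stands in for the catdb lookup with a constructed dict. The PE image it hashes is constructed in memory by `build_sample_pe` (a hypothetical helper, not a real binary), and the catalog name `ntexe.cat` in the index is taken from the question.

```python
"""Authenticode PE image hash and a hash -> catalog lookup, in pure Python.

Added example, not code from the question or the answer. Shows which bytes
of a PE the catalog hash covers and simulates catdb with a constructed dict.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Certificate Table data directory


def authenticode_regions(data):
    """Return the (start, end) byte ranges the Authenticode hash covers, in order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        datadir = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                                    # CheckSum field (4 bytes)
    secdir_off = datadir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY  # Certificate Table entry (8 bytes)
    cert_size = struct.unpack_from("<I", data, secdir_off + 4)[0]

    # Headers: up to CheckSum, CheckSum..cert entry, cert entry..SizeOfHeaders.
    regions = [(0, checksum_off), (checksum_off + 4, secdir_off), (secdir_off + 8, size_of_headers)]
    hashed = size_of_headers

    # Section raw data, in PointerToRawData order rather than header order.
    sections = []
    sh = opt + size_of_opt
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        regions.append((raw_ptr, raw_ptr + raw_size))
        hashed += raw_size

    # Anything after the sections except the certificate table itself, which sits at the end.
    end = len(data) - cert_size
    if end > hashed:
        regions.append((hashed, end))
    return regions


def authenticode_hash(data, algorithm="sha256"):
    """Hash the regions above; this is the value a catalog entry is keyed on."""
    h = hashlib.new(algorithm)
    for start, end in authenticode_regions(data):
        h.update(data[start:end])
    return h.hexdigest()


def find_catalog(data, catalog_index, algorithm="sha256"):
    """Map a PE to the .cat listing it; catalog_index (hash -> cat name) plays the role of catdb."""
    return catalog_index.get(authenticode_hash(data, algorithm))


def build_sample_pe(checksum=0, section_body=b"\x90" * 64, cert_blob=b""):
    """Build a minimal PE32+ image in memory (constructed input, not a real binary).

    Layout: 64-byte DOS header, PE signature, COFF header, 240-byte optional header
    with 16 data directories, one section header, headers padded to 512, one
    section, then an optional trailing certificate table blob.
    """
    size_of_headers = 512
    cert_off = size_of_headers + len(section_body) if cert_blob else 0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)             # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                    # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert_blob))
    sect = bytearray(40)
    sect[:8] = b".text\0\0\0"
    struct.pack_into("<IIII", sect, 8, len(section_body), 0x1000, len(section_body), size_of_headers)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + section_body + cert_blob


if __name__ == "__main__":
    sample = build_sample_pe()
    digest = authenticode_hash(sample)
    catdb = {digest: "ntexe.cat"}   # constructed stand-in for the catdb mapping
    print("regions hashed:", authenticode_regions(sample))
    print("catalog:", find_catalog(sample, catdb))
    # Same hash although CheckSum and an appended certificate table differ:
    print(authenticode_hash(build_sample_pe(checksum=0xDEADBEEF, cert_blob=b"\0" * 100)) == digest)
```

Two things the code makes visible that the answer only states: the hash is unchanged when the CheckSum field is rewritten or a certificate table is appended, so an embedded signature and a catalog entry can coexist for the same bytes, and a single byte change in a section yields a different hash and therefore no catalog match. On Windows the supported way to obtain the same value and the catalog is the wintrust API pair CryptCATAdminCalcHashFromFileHandle (CryptCATAdminCalcHashFromFileHandle2 to choose SHA-256 rather than SHA-1) and CryptCATAdminEnumCatalogFromHash, which is what signtool relies on; the `algorithm` parameter matters because catalogs carry SHA-1 and/or SHA-256 member hashes, and a lookup with the wrong algorithm simply misses. Calling those from Python via ctypes is left out here so the example runs on any platform.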
