Pinabile

Reputation: 1

How to verify files signed by Azure Trusted Signing on Windows

I have a Windows application (written in Rust, but the language isn't the key point here) that periodically checks online for new versions of itself, downloads an .msi installer if an update is available, and executes it to update the app.

These .msi installers are signed using Azure Trusted Signing, which differs from traditional code signing because it does not expose public certificates (since they rotate frequently). This makes it unclear how to properly validate the signature of the downloaded MSI before executing it.

So far, I can check the signature status. If I used PowerShell, it would be something like:

Get-AuthenticodeSignature -FilePath "C:\path\to\binary.msi"

Then, with the result, I can check that the signature is valid and verify the issuer and subject of the signing certificate.

However, I’m unsure what additional checks I should implement to ensure the MSI was truly signed by my trusted Azure Trusted Signing setup.

Is there a way to validate the thumbprint?
Should I be checking EKU (Enhanced Key Usage)?
Is there a reliable way to enforce certificate chain validation programmatically?
I haven’t found a clear answer in the documentation or elsewhere. What is the recommended approach for verifying Azure Trusted Signing signatures in an auto-update system?

Upvotes: 0

Views: 23
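
The checks the question asks about, worked through as an added PowerShell example that is not part of the question and not Microsoft's or Azure's own code. It assumes a verification function named Test-UpdateSignature (hypothetical) and three placeholder values, $ExpectedSubject, $ExpectedCustomerEku and $ExpectedRootThumbprint, which would have to be taken from the asker's own certificate profile and from the chain of a known-good signed build. The design point it illustrates is to pin what stays stable across certificate rotation (subject, the profile-specific EKU, and the root of the chain) rather than the leaf thumbprint, and to let the Authenticode status, which honours the timestamp countersignature, decide time validity for a short-lived signing certificate.

```powershell
# Added example (not from the question): gate execution of a downloaded MSI on
# Authenticode status, pinned subject, required EKUs and a pinned chain root.
# All Expected* values are placeholders that must be replaced with your own.
$ExpectedSubject        = 'CN=Example Publisher, O=Example Publisher, C=US'   # placeholder
$ExpectedCustomerEku    = '1.3.6.1.4.1.311.97.0.0.0.0'                       # placeholder for the profile-specific EKU
$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'          # placeholder; pin the root, not the leaf
$CodeSigningEku         = '1.3.6.1.5.5.7.3.3'                                 # id-kp-codeSigning

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string] $Path)

    # 1. Authenticode status. 'Valid' means WinVerifyTrust built and checked the chain
    #    and accepted the RFC 3161 countersignature, which is what keeps a signature
    #    verifiable after a short-lived signing certificate has expired.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Authenticode status $($sig.Status): $($sig.StatusMessage)" }
    }
    $cert = $sig.SignerCertificate

    # 2. Pin the subject: it is stable across rotation, while the leaf thumbprint is not.
    if ($cert.Subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected subject: $($cert.Subject)" }
    }

    # 3. EKU: require the generic code-signing EKU and the EKU specific to your profile,
    #    so a valid certificate issued to someone else by the same CA is rejected.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($required in @($CodeSigningEku, $ExpectedCustomerEku)) {
        if ($ekus -notcontains $required) {
            return [pscustomobject]@{ Ok = $false; Reason = "Missing EKU $required" }
        }
    }

    # 4. Rebuild the chain ourselves, with online revocation checking, and pin the root.
    #    IgnoreNotTimeValid is set because the leaf may already be expired by the time the
    #    update is checked; step 1 has settled time validity against the timestamp, and this
    #    step only establishes who issued the certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'Online'
    $chain.ChainPolicy.RevocationFlag   = 'ExcludeRoot'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $CodeSigningEku)) | Out-Null
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{ Ok = $false; Reason = "Chain build failed: $status" }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "Unexpected root: $($root.Subject) ($($root.Thumbprint))" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = 'Signature, subject, EKUs and chain root all match' }
}

# Usage: launch the installer only when every check passes.
$msi    = 'C:\path\to\binary.msi'
$result = Test-UpdateSignature -Path $msi
if ($result.Ok) {
    Start-Process -FilePath msiexec.exe -ArgumentList '/i', "`"$msi`"" -Wait
} else {
    Write-Error "Refusing to run update: $($result.Reason)"
}
```

Each check answers one of the question's points: the thumbprint worth validating is the chain root's (the leaf rotates too often to pin), the EKU check should include both the standard code-signing EKU and the profile-specific one, and chain validation is enforced twice, once implicitly by Get-AuthenticodeSignature and once explicitly through X509Chain so the issuer can be pinned. The same sequence maps directly onto the Windows APIs the asker would call from Rust (WinVerifyTrust, CertGetCertificateChain), since the PowerShell cmdlet and the .NET chain class are wrappers around them.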

Answers (0)
