3

I am looking for a method, using PowerShell only, to list the certificate chain for signed files. Specifically to get the Root certificate.

As I need to get a list of which Non-Microsoft root certificates certain executables (on installed software), are dependent on. This is due to a OS-baseline guidelines, that uses the PKI procedure in Microsoft KB293781. Where only specific Root certificates shall be put on specific computers. E.g the much used "VeriSign Class 3 Primary CA - G5", shall only be used when necessary.

Get-AuthenticodeSignature only lists the Issuer. E.g: Get-AuthenticodeSignature C:\windows\system32\MRT.exe

Tools like "SysInternals SigCheck" is able to do this sigcheck.exe -i C:\windows\System32\mrt.exe, and this infomation can be parsed further on. Also other tools like SignTool.exe from the Windows SDK, and AnalyzePESig by Didier Stevens can get this info.

But can this be done using only PowerShell? Perhaps using the WinVerifyTrust API in Windows. https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx http://support2.microsoft.com/kb/323809/en-us

Cheers, Tekk

4

1 回答 1

8

这应该可以通过直接在 PowerShell 中访问 .NET 来实现。这是我使用您在问题中引用的示例文件制作的片段:

# Get a X590Certificate2 certificate object for a file
$cert = (Get-AuthenticodeSignature -FilePath C:\windows\system32\MRT.exe).SignerCertificate
# Create a new chain to store the certificate chain
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
# Build the certificate chain from the file certificate
$chain.Build($cert)
# Return the list of certificates in the chain (the root will be the last one)
$chain.ChainElements | ForEach-Object {$_.Certificate}

这会给你你想要的东西吗?

于 2015-01-23T03:42:19.467 回答