Currently, if a binary is enrolled by hash in MokList or MokListX (or db/dbx/etc), but it is not signed, and the Data Directory is not padded out to the correct alignment, a different Authenticode hash is produced than would be produced for a signed binary.
This seems like an easy fix, but it isn't, because padding it out ourselves would break existing entries - and thus in some cases un-ban an executable.
So we need to extend the Authenticode implementation to compute two hashes for comparison in this case, and also compute both hashes on binaries that are correctly padded.
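The two-hash comparison proposed in this issue, as an added sketch that is not shim's code and not written by the issue's author: both candidate digests are checked against the deny list before the allow list, so an entry enrolled under either form keeps matching. The names `ALIGN`, `candidate_digests` and `verdict` are hypothetical, the 8-byte boundary is an assumption, and the input stands in for the bytes fed to the digest rather than a parsed PE image; only the unaligned case is modelled.

```python
import hashlib

# Assumption: signing pads the image to an 8-byte boundary before the
# signature is appended, so a signed copy hashes with the padding included.
ALIGN = 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def candidate_digests(hashed_bytes: bytes) -> set:
    """Digests of the image as it is and zero-padded up to ALIGN."""
    pad = -len(hashed_bytes) % ALIGN
    return {
        sha256_hex(hashed_bytes),                # what an unpadded, unsigned file yields
        sha256_hex(hashed_bytes + b"\0" * pad),  # what the same file yields once padded
    }


def verdict(hashed_bytes: bytes, allow: set, deny: set) -> str:
    """Deny entries win; either candidate digest is enough to match a list."""
    candidates = candidate_digests(hashed_bytes)
    if candidates & deny:
        return "denied"
    if candidates & allow:
        return "allowed"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: 13 bytes, so 3 bytes short of the next boundary.
    image = b"A" * 13
    legacy_entry = sha256_hex(image)               # enrolled from the unpadded file
    padded_entry = sha256_hex(image + b"\0" * 3)   # enrolled from a padded copy
    print(verdict(image, allow=set(), deny={legacy_entry}))
    print(verdict(image, allow=set(), deny={padded_entry}))
    print(verdict(image, allow={padded_entry}, deny=set()))
```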