Valtteri Vuorikoski <[email protected]> writes:

>On Sun, Jan 04, 2026 at 11:56:06AM +0000, Peter Gutmann wrote:
>> As an aside, is anyone aware of a single-source design document for what
>> Authenticode does?

>Are you looking for something more detailed than the Microsoft document titled
>"Windows Authenticode Portable Executable Signature Format" from 2008?
Not more detailed, but something that talks about the "keys and signatures fall from the sky and the timestamping fairy blesses them" issue. The referenced doc just covers Microsoft's additions to PKCS #7 and what gets hashed for the signature; it's just another bit-bagging format doc along the lines of RFC 9580 for the OpenPGP equivalent.

I'll try pinging an ex-MSFT security person. It may be that such a doc doesn't actually exist, or is internal-only.

Peter.
