
Quoting a jsign bug report related to "How to validate authenticode for Javascript in C#".

I've played a bit with VBScript and JScript files, it looks like the hashing method is different from the PowerShell scripts. For PowerShell the content is converted to UTF-16LE before being hashed. For VB and JS it doesn't work, the hash generated differs from the one computed by signtool. I tried various encodings (UTF-8, UTF-16BE, UTF-32BE/LE, with or without byte order marks) but it still doesn't match.

How does one create the .vbs signature block without signtool.exe (and without any proprietary and/or Microsoft tools)?


Edit:

So far, I've observed the following:

  • By default, signtool.exe uses SHA-1 signatures. It can be forced to use SHA-256 signatures using /fd sha256
  • By default, JSign adds some additional properties to the signature which throw off an exact signature match.

For reference, this is what the end-product signature normally looks like when using signtool.exe.

'' SIG '' Begin signature block
'' SIG '' MIIM4AYJKoZIhvcNAQcCoIIM0TCCDM0CAQExCzAJBgUr
' ... (a bunch of base64 data) ...
'' SIG '' cSu0HJyT7v9OctFKlKj7aCB6JHPrR0il9GFdoZrQFNuU
'' SIG '' End signature block

The purpose of this signature is to allow Windows to verify the publisher of the file. It's not a well-documented standard, but can be found in solutions like this.

Modern purposes may include running a .vbs file as a standalone script or as part of an application. Leveraging Windows' built-in validation mechanism adds a layer of trust to the script for environments that need it.

Quoting Chapter 28 of Don Jones' "Managing Windows with VBScript and WMI."

Running Only Signed Scripts

If you don't want to mess around with software restriction policies, you can also rely on WSH's own built-in form of security policy. This policy allows you to specify that only signed scripts will be run; unsigned scripts won't be. This is probably the easiest and most effective way to prevent most unauthorized scripts.

Digital signatures are common enough so that we shouldn't be limited by closed source utilities like signtool.exe.

tresf
  • Why the vba tag? – Vincent G Dec 16 '19 at 16:30
  • Why not? VBA supports signatures too, no? https://support.office.com/en-us/article/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01 – tresf Dec 16 '19 at 16:31
  • http://download.microsoft.com/download/winscript56/Install/5.6/W982KMeXP/EN-US/scrdoc56en.exe and read the page that says how to sign scripts. –  Dec 16 '19 at 18:14
  • Of course any programmer can still run scripts. –  Dec 16 '19 at 18:15
  • https://social.msdn.microsoft.com/Forums/en-US/adcae113-4758-481a-a367-60d5d14d97d6/this-is-how-to-turn-vbs-and-js-files-into-exe-files-from-the-command-line-without-third-party-tools?forum=scripting pop this code into a text file, compile with inbuilt VB.NET compiler. –  Dec 16 '19 at 18:21
  • Thanks, but those still use closed-source tools. Placing a closed source-tool (or library) into a script doesn't change the fact that the signature generation is closed source. :) The VB.NET compiler solution is worse, it actually wraps the script into an `.exe` file, which doesn't answer the question at all. – tresf Dec 16 '19 at 19:04
  • They are called system tools. My point is that all you'll achieve is to make the computer harder to use. There will be NO SECURITY. –  Dec 16 '19 at 19:11
  • And your question said without using signtool - the docs show how to do it in code. –  Dec 16 '19 at 19:17
  • No, the linked components aren't system tools, they're developer tools. Regardless, the question is about creating the signature. The quote is about the hashing method. If you have something to add, please do. This is a technical question, not a place to argue security. – tresf Dec 16 '19 at 20:07
  • Question amended to make it explicit that proprietary tools are not acceptable solutions. – tresf Dec 16 '19 at 20:10
  • Don't ask in Windows groups about non-Windows things. So I want to sign something for Windows but don't want to do it in the way provided to do it? –  Dec 16 '19 at 21:00
  • This is not a Windows group, it's StackOverflow. I've tagged Windows-specific technologies because the question pertains to Windows-specific technologies. Originating platform does not hold jurisdiction over solution. OPs can ask as they want. Please keep this on-topic. – tresf Dec 16 '19 at 21:20

1 Answer


Quoting Emmanuel Bourg, the author of JSign from the bug that inspired this question:

I got it, the script is indeed hashed in UTF-16LE, but the size of the unsigned file encoded as a 4-byte little-endian integer is added to the hash.

So, common hashing algorithms will work against hashable content (SHA-1, SHA-256), but in order to pass WinVerifyTrust, the additional 4 bytes need to be added to the hashed data.

tresf
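Worked example, added here and not taken from the question, the jsign project or signtool, of the hashing the answer describes: strip any existing '' SIG '' block, hash the UTF-16LE content without a BOM, then feed in the size of the unsigned file as a 4-byte little-endian integer. It assumes an ASCII/UTF-8 script with no BOM and takes "size of the unsigned file" as the byte length of the file without the block; the sample script and the truncated signature block are constructed.

```python
import hashlib
import struct

# Markers of the signature block that signtool.exe appends to a .vbs file.
SIG_BEGIN = "'' SIG '' Begin signature block"
SIG_END = "'' SIG '' End signature block"

def strip_signature_block(text: str) -> str:
    """Drop an existing '' SIG '' block so only the unsigned script remains."""
    kept, inside = [], False
    for line in text.splitlines(keepends=True):
        marker = line.strip()
        if marker == SIG_BEGIN:
            inside = True
        elif marker == SIG_END:
            inside = False
        elif not inside:
            kept.append(line)
    return "".join(kept)

def digest_input(script: bytes, encoding: str = "utf-8") -> bytes:
    """Bytes that are actually hashed: UTF-16LE content (no BOM) followed by
    the size of the unsigned file as a 4-byte little-endian integer."""
    unsigned_text = strip_signature_block(script.decode(encoding))
    unsigned_size = len(unsigned_text.encode(encoding))  # assumed: file size without the block
    return unsigned_text.encode("utf-16-le") + struct.pack("<I", unsigned_size)

def script_digest(script: bytes, algorithm: str = "sha256") -> bytes:
    """Digest WinVerifyTrust expects; use 'sha1' for signtool's default."""
    return hashlib.new(algorithm, digest_input(script)).digest()

def content_only_digest(script: bytes, algorithm: str = "sha256") -> bytes:
    """The naive digest (UTF-16LE content alone) that does not match signtool."""
    text = strip_signature_block(script.decode("utf-8"))
    return hashlib.new(algorithm, text.encode("utf-16-le")).digest()

# Constructed sample script and a truncated placeholder signature block.
UNSIGNED_VBS = b'WScript.Echo "hello"\r\n'
SIGNED_VBS = UNSIGNED_VBS + (
    b"'' SIG '' Begin signature block\r\n"
    b"'' SIG '' MIIM4AYJKoZIhvcNAQcCoIIM0TCCDM0CAQExCzAJBgUr\r\n"
    b"'' SIG '' End signature block\r\n"
)

if __name__ == "__main__":
    print("sha256:", script_digest(UNSIGNED_VBS).hex())
    print("signed copy hashes the same:", script_digest(SIGNED_VBS) == script_digest(UNSIGNED_VBS))
```

Comparing the sha1 result against the message digest carried in a signtool-signed file's PKCS#7 block is the way to confirm the size interpretation for non-ASCII scripts.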