4

I am checking the integrity of the gpg4win installer on Windows and I would like to check the sha256 sum of my file's certificate. My Windows (Windows 11) only shows the sha1 sum of my file's certificate. How can I check sha256? Can I do this using SignTool or another tool provided by Microsoft? (I consider files from Microsoft servers to be more trusted.)

I tried to check via User Account Control->Show more details->Show information about the publisher's certificate->Details-> Thumbprint There's only sha1 there.

I'm looking for sha256 because the gpg4win website (https://wiki.gnupg.org/Gpg4win/CheckIntegrity) claims it's better than sha1.

0

2 Answers

6
# Show signature details
Get-AuthenticodeSignature "Winobj.exe" | fl

# Get the signer certificate object and hash its DER encoding (RawData);
# the "thumbprint" Windows shows is exactly this hash, computed with SHA-1
$cert = (Get-AuthenticodeSignature "Winobj.exe").SignerCertificate
$algo = [System.Security.Cryptography.HashAlgorithm]::Create("sha256")
$digest = $algo.ComputeHash($cert.RawData)
# BitConverter separates bytes with dashes; strip them so the output has the
# same form as $cert.Thumbprint (uppercase hex, no separators)
$hexdigest = [System.BitConverter]::ToString($digest).Replace("-", "")
echo $hexdigest

First try a "sha1" hash and compare it against $cert.Thumbprint to verify that the manual procedure works (i.e. both calculate the hash the same way), then switch to "sha256".

SHA-1 is already vulnerable to collisions (where the attacker chooses both inputs), but AFAIK is still believed to not be vulnerable to "preimage" attacks (where the attacker tries to fit their input into an existing hash made from someone else's input), so it's not the end of the world to use it to verify a fingerprint that itself comes from a trusted source.
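The procedure above, wrapped into reusable functions as an added example (this is not code from the original answer). It computes the signer certificate's SHA-1 and SHA-256 fingerprints from the DER bytes, self-checks the SHA-1 against Windows' own Thumbprint as the answer suggests, refuses to report a match unless the Authenticode signature itself is Valid, and compares the SHA-256 against a vendor-published value in a separator- and case-insensitive way. The installer path and the expected fingerprint in the usage comment are placeholders to be filled in from the vendor's integrity page.

```powershell
# Added example, not part of the original answer.
# Assumptions: the installer path and expected fingerprint are placeholders.

function Get-CertFingerprint {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [ValidateSet('SHA1', 'SHA256')]
        [string] $Algorithm = 'SHA256'
    )
    # The fingerprint is the hash of the DER-encoded certificate, i.e. of RawData.
    $hasher = switch ($Algorithm) {
        'SHA1'   { [System.Security.Cryptography.SHA1]::Create() }
        'SHA256' { [System.Security.Cryptography.SHA256]::Create() }
    }
    try {
        $bytes = $hasher.ComputeHash($Certificate.RawData)
    } finally {
        $hasher.Dispose()
    }
    # Same presentation as $Certificate.Thumbprint: uppercase hex, no separators.
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Format-Fingerprint {
    param([Parameter(Mandatory)] [string] $Value)
    # Vendors publish fingerprints as "AB:CD:..", "ab cd .." or "abcd..";
    # strip separators and case so the comparison is by value only.
    return ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-SignerFingerprint {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # A matching fingerprint on an invalid signature proves nothing:
        # the file may have been modified after it was signed.
        throw "Signature status for '$Path' is $($sig.Status), not Valid: $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate

    # Self-check: our SHA-1 must equal the thumbprint Windows reports,
    # otherwise we are hashing the wrong bytes.
    $sha1 = Get-CertFingerprint -Certificate $cert -Algorithm SHA1
    if ($sha1 -ne $cert.Thumbprint) {
        throw "SHA-1 self-check failed: computed $sha1, Windows reports $($cert.Thumbprint)"
    }

    $sha256 = Get-CertFingerprint -Certificate $cert -Algorithm SHA256
    $matches = ($sha256 -eq (Format-Fingerprint -Value $ExpectedSha256))

    [pscustomobject]@{
        File     = $Path
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        SHA1     = $sha1
        SHA256   = $sha256
        Matches  = $matches
    }
}

# Usage (placeholder values; substitute the real installer and the fingerprint
# published at https://wiki.gnupg.org/Gpg4win/CheckIntegrity):
# Test-SignerFingerprint -Path 'C:\Downloads\gpg4win-installer.exe' `
#     -ExpectedSha256 '<SHA-256 fingerprint from the vendor page>'
```

Only the fingerprint comparison (Matches) is the answer to the question; the Status check is there because a correct signer certificate on a file whose signature no longer verifies tells you nothing about the file's integrity.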

3

If you have the certificate file (in DER format – not PEM), in a CMD prompt, try certutil -hashfile <full path to certificate file> SHA256. You can also use a third-party tool such as Nirsoft's HashMyFiles.

However, if the certificate has already been added to the Windows Certificate Store, you'd need to export that as a file. "The certificate store is located within the Windows operating system [in the Registry]:"

  • Press Win+R, type mmc, and press Enter.
  • In the MMC console, go to File > Add/Remove Snap-in, select Certificates and click Add.
  • Right-click on the certificate, select All Tasks and then Export. Choose DER as the format.
  • Now get the checksum for the exported file as above.
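The same export-and-hash procedure done from PowerShell instead of the mmc snap-in, as an added example that is not part of the original answer. It locates a certificate in the store by the SHA-1 thumbprint Windows shows, exports it as DER (the encoding the fingerprint is computed over; a PEM/Base64 export would hash differently), hashes the file with certutil as the answer suggests and cross-checks against Get-FileHash. The thumbprint and output path in the usage comment are placeholders.

```powershell
# Added example, not part of the original answer.
# Assumptions: the thumbprint and output path are placeholders; only the
# CurrentUser and LocalMachine stores are searched.

function Export-CertificateDer {
    param(
        # The SHA-1 thumbprint shown in the Windows certificate dialog
        [Parameter(Mandatory)] [string] $Sha1Thumbprint,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $thumb = ($Sha1Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    # The Cert: drive exposes the same stores the mmc snap-in shows.
    $cert = Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $thumb } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in the CurrentUser or LocalMachine stores"
    }
    # -Type CERT writes the bare DER encoding, i.e. the bytes of $cert.RawData.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT -Force | Out-Null
    return $cert
}

function Get-DerFileSha256 {
    param([Parameter(Mandatory)] [string] $Path)
    # Built-in cmdlet: uppercase hex, no separators.
    $psHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # certutil prints a header line ("SHA256 hash of <file>:"), then the hash,
    # then a completion line. Older builds put spaces between the bytes, so
    # keep only hex characters.
    $lines = & certutil.exe -hashfile $Path SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    $certutilHash = (($lines | Select-Object -Skip 1 -First 1) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    if ($psHash -ne $certutilHash) {
        throw "Get-FileHash ($psHash) and certutil ($certutilHash) disagree; check the file path"
    }
    return $psHash
}

# Usage with placeholder values:
# $cert   = Export-CertificateDer -Sha1Thumbprint '<thumbprint from the dialog>' -OutFile "$env:TEMP\signer.cer"
# $sha256 = Get-DerFileSha256 -Path "$env:TEMP\signer.cer"
# The file hash must equal the hash of the in-memory DER bytes:
# $mem = [System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)).Replace('-', '')
# $mem -eq $sha256
```

Export-Certificate comes with the PKI module that ships on supported Windows client and server releases; if the certificate is not in any store (the usual case for a downloaded installer's signer), take the SignerCertificate from Get-AuthenticodeSignature instead of searching Cert: and pass it to Export-Certificate the same way.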
