Check file with revoked cert and countersign raise COUNTERSIGNER_ERROR

[Gixal9]

I try to check file which cert was revoked. If I check it without allow_fetching, then signify says that sign is OK
But if i use that flag, I'm getting error AuthenticodeVerificationResult.COUNTERSIGNER_ERROR An error occurred while validating the countersignature: allow_fetching must be False when moment is specified, when I except smth like "Certificate was revoked by signer"

My code

from polysignify.authenticode import AuthenticodeFile

with open("/home/skyman/projects/crypto/signify/e1dcbfcbf8f2fb7bb938fdcc9e2fef1d316bc794", "rb") as f:
    file = AuthenticodeFile.detect(f)
    res, err = file.explain_verify(
        verification_context_kwargs={"allow_fetching": True, "revocation_mode": "hard-fail"}
        )
    print(res, err)

How do I suppose to check file likes this? I'm sure that ceri is revoked, it can be checked by ocsp

Becouse file is malicious, I attach link to virustotal, u can download it by their API. I'm not sure then Gitgub provide an opportunity to attach malicious files
https://www.virustotal.com/gui/file/833bee7594823e69abe05034c1efa58a15f0bb9f54cf9e42b25954108bce97a4

[Gixal9]

I found why this is happening

in file signify/x509/context.py

 def verify(self, certificate: Certificate) -> list[Certificate]:
        """Verifies the certificate, and its chain.

        :param Certificate certificate: The certificate to verify
        :return: A valid certificate chain for this certificate.
        :rtype: Iterable[Certificate]
        :raises AuthenticodeVerificationError: When the certificate could not be
            verified.
        """

        # we keep track of our asn1 objects to make sure we return Certificate objects
        # when we're done
        to_check_asn1cert = certificate.asn1
        all_certs = {to_check_asn1cert: certificate}

        # we need to get lists of our intermediates and trusted certificates
        intermediates: list[asn1crypto.x509.Certificate] = []
        trust_roots: list[asn1crypto.x509.Certificate] = []
        for store in self.stores:
            for cert in store:
                asn1cert = cert.asn1
                # we short-circuit the check here to ensure we do not check too much
                # possibilities
                (trust_roots if store.trusted else intermediates).append(asn1cert)
                all_certs[asn1cert] = cert

        # construct the context and validator for certvalidator
        timestamp = self.timestamp
        context = ValidationContext(
            trust_roots=list(trust_roots),
            moment=timestamp, # IT SHOULD BE  `None if self.allow_fetching else timestamp`,
            weak_hash_algos=set() if self.allow_legacy else None,
            revocation_mode=self.revocation_mode,
            allow_fetching=self.allow_fetching,
            crl_fetch_params={"timeout": self.fetch_timeout},
            ocsp_fetch_params={"timeout": self.fetch_timeout},
            crls=self.crls,
            ocsps=self.ocsps,
        )
        validator = CertificateValidator(
            end_entity_cert=to_check_asn1cert,
            intermediate_certs=list(intermediates),
            validation_context=context,
        )

        # verify the chain
        try:
            chain = validator.validate_usage(
                key_usage=set(self.key_usages) if self.key_usages else set(),
                extended_key_usage=(
                    set(self.extended_key_usages) if self.extended_key_usages else set()
                ),
                extended_optional=self.optional_eku,
            )
        except Exception as e:
            raise CertificateVerificationError(
                f"Chain verification from {certificate} failed: {e}"
            )

        signify_chain = [all_certs[x] for x in chain]
        self.verify_trust(signify_chain)
        return signify_chain

Now I don't have an opportunity to open PR, so add resolution here

[ralphje]

@Skyman2413 Sure that would resolve this specific issue, but is incorrect. The issue is that we need to validate countersigned files as if they were signed at that specific date. If the certificate has since expired, this suggested change would result in an invalid chain, regardless of whether the certificate is in the CRL.

The only viable solution, until certvalidator builds support for it, would be to not allow fetching when a timestamp is set.

See #13 for a similar suggestion and a provided workaround.