Skip to content

Add automatic AuthRoot cache for portable trust #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Marc-André Moreau (mamoreau-devolutions) merged 1 commit into from
Jun 25, 2026
Merged

Add automatic AuthRoot cache for portable trust #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion PowerShell/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ New-PSDrive -Name certs -PSProvider PortableCertStore -Root ./project-certs

## Trust Model

By default, `Get-PsignSignature` automatically downloads and caches the Microsoft AuthRoot CAB (~350KB) for trust evaluation. The cache lives at `~/.psign/authroot/`.
By default, `Get-PsignSignature`, `Test-PsignFileCatalog`, and `Test-PsignModule` automatically download and cache the Microsoft AuthRoot CAB for trust evaluation when no explicit trust anchors are supplied. The cache lives at `~/.psign/authroot/` and is refreshed when it is older than 7 days. Set `PSIGN_AUTHROOT_MAX_AGE_DAYS`, `PSIGN_AUTHROOT_CACHE_DIR`, or `PSIGN_AUTHROOT_URL` to override the stale window, cache directory, or source URL.

```powershell
# Disable auto-trust
Expand Down
4 changes: 3 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,9 @@ cargo build -p psign --bin psign-tool --locked
# Portable PE signing with a local RSA key:
# psign-tool portable sign-pe --cert cert.der --key key.pk8 --output signed.exe unsigned.exe
# Existing PE signatures are replaced by default; add --append-signature to match signtool /as.
# Portable trust verification with explicit anchors:
# Portable trust verification downloads/caches Microsoft AuthRoot automatically when no anchors are supplied:
# psign-tool portable trust-verify-pe signed.exe
# Explicit anchors still override auto trust:
# psign-tool portable trust-verify-pe signed.exe --anchor-dir anchors
# Portable custom ZIP Authenticode verification:
# psign-tool portable trust-verify-zip archive.zip --anchor-dir anchors
Expand Down
3 changes: 2 additions & 1 deletion crates/psign-authenticode-trust/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ repository.workspace = true
anyhow = "1"
base64 = "0.22"
serde = { version = "1", features = ["derive"] }
serde_json = "1"
cms = "0.2.3"
der = { version = "0.7", features = ["derive"] }
digest = "0.10"
Expand All @@ -20,7 +21,7 @@ authenticode = { version = "0.5.0", features = ["std", "object"] }
psign-sip-digest = { path = "../psign-sip-digest" }
picky = { version = "7.0.0-rc.23", features = ["pkcs7", "time_conversion"] }
picky-asn1-x509 = "0.15.4"
time = "0.3"
time = { version = "0.3", features = ["formatting", "parsing"] }
x509-cert = "0.2.5"
cab = "0.6"

Expand Down
Loading