# AD2052: RequireAuthenticode

## Summary
| Property | Value |
|---|---|
| ID | AD2052 |
| Name | RequireAuthenticode |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) |
## Description
Binaries should have Authenticode signatures to verify publisher identity and protect against tampering.
## How It Works
The rule checks if the PE binary has a certificate table in its data directories. The certificate table contains Authenticode signatures that cryptographically verify:
- Publisher identity: Who signed the binary
- Integrity: The binary hasn't been modified since signing
- Timestamp: When the signature was created
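The structural check described above, as an added example that is not the analyzer's own code: it walks the DOS header, PE signature, COFF header and optional header, reads data directory entry 4 (the security directory, whose address field is a raw file offset rather than an RVA), and then parses the `WIN_CERTIFICATE` entries it points to. The sample PE images are constructed inline, header-only, with a placeholder byte string standing in for a real PKCS#7 blob. This reproduces only the presence check the rule performs; cryptographic validation of the signature is the job of `WinVerifyTrust` or `signtool verify /pa`, which this code does not replace.

```python
"""Structural Authenticode presence check for PE files (added example, not the project's code)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_CONTENT = 0x0002


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # A directory list shorter than five entries cannot carry a security entry.
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
        return 0, 0
    return struct.unpack_from("<II", data, opt + entry)   # (offset, size)


def parse_certificate_table(data):
    """Parse WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, blob); 8-byte aligned."""
    offset, size = security_directory(data)
    entries = []
    if size == 0:
        return entries
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    pos, end = offset, offset + size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        entries.append({"revision": revision, "type": cert_type, "blob": data[pos + 8:pos + length]})
        pos += (length + 7) & ~7                        # next entry is rounded up to 8 bytes
    return entries


def has_authenticode_signature(data):
    """AD2052-style check: at least one PKCS#7 signed-content entry exists in the table."""
    return any(e["revision"] == WIN_CERT_REVISION_2_0 and e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_CONTENT
               for e in parse_certificate_table(data))


def build_sample_pe(pe32plus=True, pkcs7=None):
    """Constructed test data: a minimal header-only PE, optionally with a certificate table at offset 512."""
    opt_size = 240 if pe32plus else 224               # standard optional header sizes with 16 directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += b"\0" * (512 - len(image))
    if pkcs7 is not None:
        entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_CONTENT) + pkcs7
        entry += b"\0" * (-len(entry) % 8)
        dir_off = (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, 64 + 4 + 20 + dir_off, 512, len(entry))
        image += entry
    return bytes(image)


if __name__ == "__main__":
    # Placeholder blob (constructed); a real table holds a DER-encoded PKCS#7 SignedData.
    signed = build_sample_pe(pkcs7=b"\x30\x06\x02\x04\xde\xad\xbe\xef")
    for name, image in (("signed", signed), ("unsigned", build_sample_pe())):
        print(name, "->", "ok" if has_authenticode_signature(image) else "AD2052: no Authenticode signature")
```

Running it against a real binary is a matter of `has_authenticode_signature(open(path, "rb").read())`; a true result only means a signature table is present, which is exactly what this rule reports, not that the signature chains to a trusted publisher.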
## Why This Matters

### Code Signing Benefits
- Trust establishment: Users and systems can verify the publisher
- Tamper detection: Any modification invalidates the signature
- Malware protection: Unsigned binaries are flagged by security software
- Enterprise deployment: Many organizations require signed software
- SmartScreen reputation: Windows builds reputation for signed publishers
### Windows Security Features

Unsigned binaries may be:
- Blocked or flagged by SmartScreen
- Rejected by enterprise security policies
- Unable to use certain Windows features
- Flagged by antivirus software
### Attack Prevention

Code signing prevents:
- Supply chain attacks: Modified binaries are detected
- Man-in-the-middle attacks: Downloaded software integrity is verified
- Trojan distribution: Attackers can't forge legitimate publisher identity
## Performance Considerations
Authenticode signature verification has minimal runtime impact:
| Operation | Impact |
|---|---|
| Signature verification | 5-20ms at load time |
| Subsequent loads | Cached by OS |
| Binary size increase | 2-5KB for signature |
| Build time | Seconds for signing |
Runtime behavior:
- Windows caches signature verification results
- Subsequent executions are faster
- Network-based timestamp verification is optional after first check
Comparison:
| Scenario | Overhead |
|---|---|
| First execution | 10-20ms |
| Repeated execution | <5ms (cached) |
| Application startup impact | Negligible |
The security benefits far outweigh the minimal performance cost.
## Resolution

### Sign Your Binaries

- Obtain a code signing certificate from a trusted Certificate Authority (CA)
- Sign the binary using `signtool`:

```
signtool sign /fd SHA256 /f certificate.pfx /p password /tr http://timestamp.digicert.com /td SHA256 myapp.exe
```

The `/f`/`/p` form passes the certificate password on the command line, where shell history and CI logs can capture it; for release builds keep the key in a certificate store or HSM and select it with `/n` (subject name) or `/sha1` (thumbprint) instead.
### Using Visual Studio

- Project Properties → Signing
- Check Sign the assembly
- Select your code signing certificate

Note that the Signing tab's Sign the assembly option produces a strong-name signature, a .NET assembly identity mechanism, not an Authenticode signature on the PE file; the output still needs to be signed with `signtool` (for example in a post-build step) for this rule to pass.
### Verify Signature

### Certificate Options
| Certificate Type | Use Case | Cost |
|---|---|---|
| EV Code Signing | Production software, highest trust | $$$$ |
| Standard Code Signing | General software distribution | $$ |
| Self-signed | Internal testing only | Free |
### For Open Source Projects

Free code signing options:
- SignPath Foundation: Free for open source projects
- Azure Trusted Signing: Available through Azure
- Self-signed for CI/testing: Not for distribution