SQ20123
Detected digital signatures missing extensions required for code integrity validation while trying to enforce it.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 2 | tampering: fail Reason: integrity enforcement errors |
About the issueโ
Enforced image integrity checking ensures that Windows executable files are only allowed to run after their digital signatures are verified. This security mechanism ensures that the tampered and corrupted applications are prohibited from running. Additionally, access to certain operating system functions may require applications to enable enforced integrity checks. Integrity enforcement reduces harm that the malicious code may cause once executed. One or more software components that require integrity enforcement were found to be digitally signed without the mandatory page hash validation data. Operating system will refuse to load files linked with the /INTEGRITYCHECK option unless they are digitally signed with signatures that include the page hash validation data.
How to resolve the issueโ
- Review the certificate information passed to the code signing application.
- With Microsoft SignTool, you can enforce the page hash integrity verification using the /ph parameter.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M
Recommended readingโ
- Digital certificates (External resource - Microsoft)
- /INTEGRITYCHECK (Require signature check) (External resource - Microsoft)