SQ20123
Detected digital signatures missing extensions required for code integrity validation while trying to enforce it.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 2 | tampering: fail Reason: integrity enforcement errors |
About the issueโ
Enforced image integrity checking ensures that Windows executable files are only allowed to run after their digital signatures are verified. This security mechanism ensures that the tampered and corrupted applications are prohibited from running. Additionally, access to certain operating system functions may require applications to enable enforced integrity checks. Integrity enforcement reduces harm that the malicious code may cause once executed. One or more software components that require integrity enforcement were found to be digitally signed without the mandatory page hash validation data. Operating system will refuse to load files linked with the /INTEGRITYCHECK option unless they are digitally signed with signatures that include the page hash validation data.
How to resolve the issueโ
- Review the certificate information passed to the code signing application.
- With Microsoft SignTool, you can enforce the page hash integrity verification using the /ph parameter.
Recommended readingโ
- Digital certificates (External resource - Microsoft)
- /INTEGRITYCHECK (Require signature check) (External resource - Microsoft)