Description
I am working on WDAC using Publisher Certs wherever possible to limit administrative overhead and confusion in the policies.
I created a Supplemental Policy using the Wizard, pointed it at the EXE, and it generated the following:
I spent days trying to figure out why this Supplemental Policy was still blocking my app.
Copilot suggested confirming that the TBS Value was correct. Why would I think of this? I assumed that the Wizard would pick up the signing cert.
I ran the following PowerShell against the same EXE that I pointed the Wizard at and got the following TBS Value: 6A52B17A011621C79722D320E25C99B5510F4F47202EA5E0C88217D2FD298EB2
```powershell
# Path to your signed file
$filePath = ""

# Extract the signing certificate from the file's Authenticode signature
$signature = Get-AuthenticodeSignature -FilePath $filePath
$cert = $signature.SignerCertificate

# Compute the TBS hash (SHA256 of raw cert data)
# RawData is the full DER-encoded certificate as returned by .NET
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$tbsHash = $sha256.ComputeHash($cert.RawData)

# Convert to uppercase hex string
$tbsHashHex = -join ($tbsHash | ForEach-Object { $_.ToString("X2") })
Write-Output "TBS Hash: $tbsHashHex"
```
When I replaced with my policy started working as expected.
It looks like the Wizard is pulling a cert higher up the chain, when it should be pulling the last one.
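As an added example (not code from the issue or from the Wizard project): the script below lists every certificate in the signer's chain, from leaf to root, and prints for each the SHA-256 of its full DER encoding (what the snippet in the issue computes) next to the hash of its tbsCertificate element, which is the portion a WDAC publisher rule's `CertRoot Type="TBS"` value is derived from, digested with the algorithm named in the certificate's signature algorithm (sha1RSA to SHA-1, sha256RSA to SHA-256, and so on). Comparing the Wizard's value against each row shows which certificate in the chain it selected and which hashing convention it used. It assumes Windows PowerShell 5.1 or later, an Authenticode-signed file, and that the caller supplies `$FilePath`; `Read-DerHeader`, `Get-TbsBytes`, `Get-TbsHashAlgorithm` and `ConvertTo-Hex` are helper names chosen here.

```powershell
# Added example, not from the issue: dump per-certificate hashes for the whole
# signing chain of an Authenticode-signed file so each can be compared with
# the CertRoot Value the WDAC Wizard emitted.
param(
    [Parameter(Mandatory)] [string]$FilePath
)

# Read one DER tag/length header at $Offset; return where the content starts
# and how long it is (handles short and long-form lengths).
function Read-DerHeader {
    param([byte[]]$Bytes, [int]$Offset)
    $lenByte = $Bytes[$Offset + 1]
    if ($lenByte -lt 0x80) {
        return @{ ContentOffset = $Offset + 2; Length = [int]$lenByte }
    }
    $numLenBytes = $lenByte -band 0x7F
    $length = 0
    for ($i = 0; $i -lt $numLenBytes; $i++) {
        $length = ($length -shl 8) -bor $Bytes[$Offset + 2 + $i]
    }
    return @{ ContentOffset = $Offset + 2 + $numLenBytes; Length = $length }
}

# Return the bytes of the tbsCertificate element (first child of the outer
# Certificate SEQUENCE), including its own tag and length header.
function Get-TbsBytes {
    param([byte[]]$Der)
    if ($Der[0] -ne 0x30) { throw "Certificate is not a DER SEQUENCE" }
    $outer = Read-DerHeader -Bytes $Der -Offset 0
    $tbsStart = $outer.ContentOffset
    if ($Der[$tbsStart] -ne 0x30) { throw "tbsCertificate is not a SEQUENCE" }
    $tbs = Read-DerHeader -Bytes $Der -Offset $tbsStart
    $tbsEnd = $tbs.ContentOffset + $tbs.Length
    return $Der[$tbsStart..($tbsEnd - 1)]
}

# Choose the digest from the certificate's signature algorithm friendly name
# (e.g. "sha256RSA" -> SHA-256); the TBS value uses the same digest family.
function Get-TbsHashAlgorithm {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    switch -Regex ($Cert.SignatureAlgorithm.FriendlyName) {
        'sha1'   { return [System.Security.Cryptography.SHA1]::Create() }
        'sha256' { return [System.Security.Cryptography.SHA256]::Create() }
        'sha384' { return [System.Security.Cryptography.SHA384]::Create() }
        'sha512' { return [System.Security.Cryptography.SHA512]::Create() }
        default  { throw "Unsupported signature algorithm: $_" }
    }
}

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    return -join ($Bytes | ForEach-Object { $_.ToString('X2') })
}

$signature = Get-AuthenticodeSignature -FilePath $FilePath
if ($signature.Status -ne 'Valid') {
    Write-Warning "Signature status for ${FilePath}: $($signature.Status)"
}
$leaf = $signature.SignerCertificate
if (-not $leaf) { throw "No signer certificate found on $FilePath" }

# Build the chain so every candidate certificate (leaf first, root last) is listed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($leaf)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $hasher = Get-TbsHashAlgorithm -Cert $cert
    $tbsBytes = [byte[]](Get-TbsBytes -Der $cert.RawData)
    [pscustomobject]@{
        Subject       = $cert.Subject
        SigAlg        = $cert.SignatureAlgorithm.FriendlyName
        RawDataSha256 = ConvertTo-Hex -Bytes ($sha256.ComputeHash($cert.RawData))
        TbsHash       = ConvertTo-Hex -Bytes ($hasher.ComputeHash($tbsBytes))
    }
}
```

Save it as a `.ps1` and run it as `.\Get-ChainHashes.ps1 -FilePath C:\path\to\app.exe`; the row whose `TbsHash` (or `RawDataSha256`) matches the Wizard's `CertRoot` value identifies the certificate it actually used, which is the quickest way to confirm whether it took the leaf or an issuer further up the chain.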