Hi, I am trying to validate the authenticode of PE files by computing a hash from the PE file using goblin and then comparing against the authenticode signature in the PKCS7 SignedData.
It's working well for most exe files and the value matches. However, when I am testing it for firefox.exe, the computed value does not match the signature and I am wondering what is the issue.
This is the code I used to compute the authenticode, is there anything I am missing?
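```rust
use openssl::hash::{Hasher, MessageDigest};

// `pe` is an already parsed goblin::pe::PE.
let mut xhasher = Hasher::new(MessageDigest::sha256()).unwrap();
// Slices of the file that goblin includes in the Authenticode digest.
let authenticode_data = pe.authenticode_ranges();
for a in authenticode_data.into_iter() {
    xhasher.update(a).unwrap();
}
let final_hash = xhasher.finish().unwrap();
println!("hash {:?}", hex::encode(final_hash));
```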
The authenticode I computed : ee2d315da52ae04011dca0f89bba6801f81454f437463675b4285742d720076d
The actual authenticode : d60710b5d82808bd887e1d8f8cda866ce22eee173adb407b48e2c001456aeff3 (definitely correct, verified using other sources)
there was some work going on here about authenticode, not sure what happened with it: #355
i don't know much about the topic myself, but if something needs to be fixed on our end, we should do that :)
firefox.exe : https://www.mozilla.org/en-US/firefox/windows/
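Added example, not code from the issue or from goblin: the byte ranges the Authenticode PE specification feeds to the digest (headers minus CheckSum and the Certificate Table directory entry, then section data sorted by PointerToRawData, then trailing data minus the attribute certificate table). Diffing these against the slices returned by `pe.authenticode_ranges()` shows which bytes two implementations disagree on when a hash does not match. The names `rd` and `spec_ranges` are made up here, and a 64-bit `usize` is assumed.

```rust
use std::ops::Range;

// Bounds-checked little-endian read of n (2 or 4) bytes at off.
fn rd(b: &[u8], off: usize, n: usize) -> Option<usize> {
    let s = b.get(off..off.checked_add(n)?)?;
    Some(s.iter().rev().fold(0usize, |v, &x| (v << 8) | x as usize))
}

/// Byte ranges fed to the digest, in the order the Authenticode PE
/// specification lists them. None means malformed or unsupported input.
pub fn spec_ranges(pe: &[u8]) -> Option<Vec<Range<usize>>> {
    let nt = rd(pe, 0x3c, 4)?; // e_lfanew
    if !pe.starts_with(b"MZ") || !pe.get(nt..)?.starts_with(b"PE\0\0") { return None; }
    let opt = nt + 24; // PE signature (4) + COFF header (20)
    let dirs = match rd(pe, opt, 2)? {
        0x10b => opt + 96,  // PE32
        0x20b => opt + 112, // PE32+
        _ => return None,
    };
    if rd(pe, dirs - 4, 4)? < 5 { return None; } // no Certificate Table entry
    let (checksum, cert) = (opt + 64, dirs + 32); // CheckSum; data directory 4
    let cert_len = rd(pe, cert + 4, 4)?;
    let hdr_end = rd(pe, opt + 60, 4)?; // SizeOfHeaders
    if hdr_end < cert + 8 || hdr_end > pe.len() { return None; }
    let mut out = vec![0..checksum, checksum + 4..cert, cert + 8..hdr_end];
    // Section raw data sorted by PointerToRawData; empty sections are skipped.
    let table = opt + rd(pe, nt + 20, 2)?; // opt + SizeOfOptionalHeader
    let mut secs = Vec::new();
    for i in 0..rd(pe, nt + 6, 2)? {
        let (len, ptr) = (rd(pe, table + i * 40 + 16, 4)?, rd(pe, table + i * 40 + 20, 4)?);
        if len == 0 { continue; }
        if ptr + len > pe.len() { return None; }
        secs.push(ptr..ptr + len);
    }
    secs.sort_by_key(|r| r.start);
    // SUM_OF_BYTES_HASHED in the specification; the tail starts at this offset.
    let hashed = hdr_end + secs.iter().map(|r| r.len()).sum::<usize>();
    out.extend(secs);
    // Data past the sections, excluding the attribute certificate table.
    let tail_end = pe.len().checked_sub(cert_len)?;
    if tail_end > hashed { out.push(hashed..tail_end); }
    Some(out)
}

fn main() {
    // Print the ranges of the file named on the command line, if any.
    let file = std::env::args().nth(1).and_then(|p| std::fs::read(p).ok());
    println!("{:?}", file.as_deref().and_then(|b| spec_ranges(b)));
}
```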