From 638ad556dcdc3092250b0457e07d6344d0f7bb58 Mon Sep 17 00:00:00 2001 From: roblabla Date: Mon, 15 Dec 2025 16:00:16 +0100 Subject: [PATCH] Relax checks on signed_attrs This crate has some checks on signed attributes that are much stricter than what is required by windows. For instance: 1. Windows accepts having no signed attributes. In this case, it assumes the signature is done over the embedded message data instead of the signed attributes. 2. Windows accepts a signed-attributes with no content-type attr. In fact, it even accepts one with an invalid/mismatched content-type - it looks like windows completely ignores that attribute. The only check really necessary is that, if signed attributes _are_ present, it must contain a message-digest attribute. --- authenticode/src/signature.rs | 29 ++++++++--------------------- 1 file changed, 8 insertions(+), 21 deletions(-)
diff --git a/authenticode/src/signature.rs b/authenticode/src/signature.rs
index 88e2243..34e3077 100644
--- a/authenticode/src/signature.rs
+++ b/authenticode/src/signature.rs
@@ -199,27 +199,14 @@ impl AuthenticodeSignature {
 return Err(AuthenticodeSignatureParseError::AlgorithmMismatch);
 }
 
- let signed_attrs = if let Some(signed_attrs) = &signer_info.signed_attrs
- {
- signed_attrs
- } else {
- return Err(
- AuthenticodeSignatureParseError::EmptyAuthenticatedAttributes,
- );
- };
-
- if !signed_attrs
- .iter()
- .any(|a| a.oid == const_oid::db::rfc6268::ID_CONTENT_TYPE)
- {
- return Err(AuthenticodeSignatureParseError::MissingContentTypeAuthenticatedAttribute);
- }
-
- if !signed_attrs
- .iter()
- .any(|a| a.oid == const_oid::db::rfc6268::ID_MESSAGE_DIGEST)
- {
- return Err(AuthenticodeSignatureParseError::MissingMessageDigestAuthenticatedAttribute);
+ if let Some(signed_attrs) = &signer_info.signed_attrs {
+ // If we have signed_attrs, we _must_ have message-digest.
+ if !signed_attrs
+ .iter()
+ .any(|a| a.oid == const_oid::db::rfc6268::ID_MESSAGE_DIGEST)
+ {
+ return Err(AuthenticodeSignatureParseError::MissingMessageDigestAuthenticatedAttribute);
+ }
 }
 
 Ok(Self {
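Review bot: The `None` case of `signer_info.signed_attrs` is now accepted by the parser, but nothing in this hunk shows the verification path computing the signature over the encapsulated content instead of the DER-encoded signed attributes, which the commit message says is what Windows does for such signatures; if the verifier still hashes signed attributes unconditionally, a signature without them would fail or, worse, be checked against the wrong bytes. Confirm the verify side handles `None` and record the relaxation above the `if let`, e.g. `// No signed attributes: the signature then covers the encapsulated content directly (Windows behaviour). The content-type attribute is deliberately not required, even though RFC 5652 §11.1 mandates it, because Windows ignores it.` The `EmptyAuthenticatedAttributes` and `MissingContentTypeAuthenticatedAttribute` variants appear to have no remaining producer after this change; if they are part of the public error enum, `#[deprecated]` is safer than removing them. The enclosing function starts before the hunk and continues after it.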