v1.6.4
⚠️ IMPORTANT
No major security fixes.
TLDR;
- Make2023BootableMedia.ps1 Improved and Signed!
- High Confidence Buckets added
- KEK update map fixes
- authenticode_transplant.py Updates
What's Changed
- kek update map fixes @kraxel (#364)
Change Details
## Description
Update `scripts/get_auth_var_signing_certificate.py` to sort the entries. Fix `PostSignedObjects/KEK/kek_update_map.json` data file.
Changes:
- All entries are now sorted by filename.
- Fix some paths from windows ('\') to posix ('/') directory separator.
- Remove duplicate RedHat entry.
How This Was Tested
- Inspect the file changes.
- Verify with the `jq` utility that `kek_update_map.json` is valid JSON.
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement @ballsop (#361)
Change Details
## Description
- Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses #333.
- Fix path handling errors found in testing: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath.
- Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. Recent OS servicing introduced a new dependency on boot.stl.
- Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Tested on ISO, USB, and LOCAL media creation flows on both X64 and ARM64 systems.
Integration Instructions
N/A
- High Confidence Buckets - 02/25/2026 @jgeurten (#353)
Change Details
## Description
Open-sourcing the list of buckets where Microsoft has high confidence devices successfully apply the Secure Boot DB and KEK 2023 updates.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- [X] Includes documentation?
How This Was Tested
N/A Testing only
Integration Instructions
N/A
- Add cryptographic verification to authenticode_transplant.py @Flickdm (#326)
Change Details
This commit adds comprehensive cryptographic validation to the Authenticode signature combining tool, bringing the same verification capabilities from auth_var_tool.py to PE file signature operations.
Key changes:
- Added cryptographic signature verification using the 'cryptography' library
- Implemented SpcIndirectDataContent parsing to extract embedded PE hashes
- Added certificate extraction and display from PKCS#7 signatures
- Compute Authenticode hashes using the algorithm specified in the signature
- Verify signatures mathematically using signer's public key (RSA/ECDSA)
- Validate that computed PE hash matches the hash in SpcIndirectDataContent
New functions:
- _get_hash_algorithm_from_oid(): Maps OID strings to hash algorithms
- _extract_pe_hash_from_spc_indirect_data(): Parses SPC structure for hash
- _extract_certificates_from_pkcs7(): Extracts X.509 certificates
- _verify_pkcs7_signature(): Performs full cryptographic verification
- compute_authenticode_hash(): Flexible hash computation with configurable algorithm
Enhanced functions:
- validate_pkcs7_signatures(): Now performs cryptographic verification
- main_verify(): Displays certificate details and verification status
- main_combine(): Validates signatures cryptographically before combining
Bug fixes:
- Removed incorrect 8-byte padding from Authenticode hash calculation (padding only applies to WIN_CERTIFICATE structure alignment, not hash data)
- Consolidated duplicate hash functions into single implementation
Code improvements:
- Named constants for all magic numbers in SPC parsing
- Better documentation and inline comments
- Proper type annotations with Optional types
Testing:
- Verified against Microsoft-signed bootmgfw.efi files
- Hash computation now matches Windows AppLocker and UEFI firmware
- Both multi-signature and nested signature modes validated
- All test cases pass with cryptographic verification
Follows Microsoft Authenticode PE specification v1.1
## Description
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Ran it against copies of bootmgfw.efi and hellouefi.efi that were both singly signed and
Integration Instructions
N/A
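The Authenticode hash computation that the #326 summary describes (skip the CheckSum field, skip the Certificate Table directory entry, hash headers then sections in file order, exclude the certificate table itself, and add no 8-byte padding to the hashed data) follows the Microsoft Authenticode PE specification v1.1. The block below is an added example written for this page; it is not code from this project or from authenticode_transplant.py. The minimal PE32+ image, the WIN_CERTIFICATE blob and the OID lookup table are all constructed here for illustration, and function names are this example's own, not the tool's.

```python
"""Authenticode PE hash per the Authenticode PE spec v1.1 (added example)."""
import hashlib
import struct

# OID -> hashlib name for the digestAlgorithm in SpcIndirectDataContent.
# The OIDs are the standard ones; the table itself is this example's own.
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Certificate Table data directory index
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def hash_algorithm_from_oid(oid: str) -> str:
    try:
        return HASH_OIDS[oid]
    except KeyError:
        raise ValueError(f"unsupported digest algorithm OID {oid}") from None


def compute_authenticode_hash(pe: bytes, algo: str = "sha256") -> bytes:
    h = hashlib.new(algo)
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        datadir = opt + 96
    elif magic == PE32PLUS_MAGIC:
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (size_of_headers,) = struct.unpack_from("<I", pe, opt + 60)
    checksum = opt + 64                                   # 4-byte CheckSum
    cert_entry = datadir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY  # 8-byte entry
    _cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)

    h.update(pe[:checksum])                      # start .. CheckSum
    h.update(pe[checksum + 4:cert_entry])        # CheckSum .. cert dir entry
    h.update(pe[cert_entry + 8:size_of_headers]) # rest of headers + section table
    bytes_hashed = size_of_headers

    # Sections are hashed in ascending PointerToRawData order.
    section_table = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, section_table + 40 * i + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    for ptr_raw, size_raw in sorted(sections):
        h.update(pe[ptr_raw:ptr_raw + size_raw])
        bytes_hashed += size_raw

    # Trailing data is hashed, minus the certificate table. No 8-byte padding is
    # added: alignment padding belongs to WIN_CERTIFICATE entries, which sit
    # inside the excluded table.
    if len(pe) > bytes_hashed:
        extra = len(pe) - (cert_size + bytes_hashed)
        if extra < 0:
            raise ValueError("certificate table larger than trailing data")
        h.update(pe[bytes_hashed:bytes_hashed + extra])
    return h.digest()


def fake_certificate_table(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE (revision 2.0, PKCS#7 type) padded to 8 bytes."""
    body = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    return body.ljust((len(body) + 7) // 8 * 8, b"\0")


def build_pe(cert_table: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image with one 512-byte section (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, 512)          # Section/FileAlignment
    struct.pack_into("<II", opt, 60, 512, checksum)        # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    if cert_table:   # certificate table starts right after the section data
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         1024, len(cert_table))
    section = bytearray(40)
    section[:5] = b".text"
    struct.pack_into("<IIII", section, 8, 16, 0x1000, 512, 512)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(512, b"\0")
    return headers + bytes(range(256)) * 2 + cert_table


def tamper(pe: bytes, offset: int) -> bytes:
    """Flip one bit of the image, e.g. inside section data."""
    buf = bytearray(pe)
    buf[offset] ^= 1
    return bytes(buf)


UNSIGNED_PE = build_pe()
SIGNED_PE = build_pe(fake_certificate_table(b"constructed PKCS#7 stand-in"), checksum=0xDEADBEEF)

if __name__ == "__main__":
    print("unsigned:", compute_authenticode_hash(UNSIGNED_PE).hex())
    print("signed:  ", compute_authenticode_hash(SIGNED_PE).hex())
```

Because both the CheckSum and the certificate table are excluded, the unsigned and "signed" images produce the same digest, which is the property that lets a verifier compare the hash it computes against the one carried in SpcIndirectDataContent; a single flipped bit in section data changes the result.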
Full Changelog: v1.6.3...v1.6.4
What's Changed
- pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
- pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
- Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
- pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
- Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
- pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
- High Confidence Buckets - 02/25/2026 by @jgeurten in #353
- pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
- pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
- GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
- pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
- kek update map fixes by @kraxel in #364
New Contributors