We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software.
Our PCI compliance auditor has asked us to protect against the following situation:
- After downloading our executable file, a malicious person alters the file. An observant person would be able to check the properties for the file and determine that the signature is no longer valid.
- The malicious person places the altered executable somewhere that an unsuspecting user could run it.
- An unsuspecting user runs the altered file, releasing unspecified havoc.
The auditor contends there is a way (or ought to be a way) to prevent the file from running at all if the signature is not valid.
Do you know how this can be accomplished?