Added comment explaining verification flags.

vcsjones · vcsjones · commit 8b4197610d63 · 2016-04-13T18:27:18.000-04:00
diff --git a/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs b/AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs
@@ -23,6 +23,10 @@ public RuleResult Validate(Graph<Signature> graph, SignatureLoggerBase verboseWr
                 {
                     chain.ChainPolicy.ExtraStore.AddRange(certificates);
                     chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                    //The purpose of this check is not to validate the chain, completely.
+                    //The chain is needed so we know which certificate is the root and intermediates so we know which to validate and which not to validate.
+                    //It is possible to have a valid authenticode signature if the certificate is expired but was
+                    //timestamped while it was valid. In this case we still want to successfully build a chain to perform validation.
                     chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
                     bool success = chain.Build(signature.SignerInfo.Certificate);
                     if (!success)
