
Check the Authenticode certificate for extended validation for any downloaded coder binaries. #45

Closed
spikecurtis opened this issue Mar 6, 2025 · 0 comments · Fixed by #36

@spikecurtis (Collaborator)

We currently check the Subject name on the certificate matches "Coder Technologies Inc.", but we went through a lot to get an extended validation certificate, so we should have Coder Desktop also check that the Authenticode certificate is an extended validation cert. This will make it much harder for a malicious actor to successfully sign binaries and have them executed by Coder Desktop.

$sig =  Get-AuthenticodeSignature -FilePath "C:\Program Files\Coder\bin\coder.exe"
foreach ($ext in $sig.SignerCertificate.Extensions) {$ext.Oid}

gives:

Value             FriendlyName
-----             ------------
2.5.29.35         Authority Key Identifier
2.5.29.14         Subject Key Identifier
2.5.29.32         Certificate Policies
2.5.29.15         Key Usage
2.5.29.37         Enhanced Key Usage
2.5.29.31         CRL Distribution Points
1.3.6.1.5.5.7.1.1 Authority Information Access
2.5.29.19         Basic Constraints

We are interested in the Certificate Policies extension, OID 2.5.29.32. If we decode that extension, we get:

            SEQUENCE {
               SEQUENCE {
                  OBJECTIDENTIFIER 2.23.140.1.3
                  SEQUENCE {
                     SEQUENCE {
                        OBJECTIDENTIFIER 1.3.6.1.5.5.7.2.1
                        IA5String 'http://www.digicert.com/CPS'
                     }
                  }
               }
            }

OID 2.23.140.1.3 is for Extended Validation.
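An added PowerShell example of the check this issue asks for; it is not Coder Desktop's own code. It verifies the signature status and subject, then decodes the Certificate Policies extension by hand (the same structure dumped above) and requires the EV policy OID to be present. The expected subject string 'Coder Technologies Inc.' and the SimpleName (CN) comparison are assumptions.

```powershell
function Read-DerTlv {
    # Parse one DER tag/length header; return where the content starts and ends.
    param([byte[]] $Bytes, [int] $Offset)
    $len = [int]$Bytes[$Offset + 1]; $hdr = 2
    if ($len -ge 0x80) {                              # long-form length
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$Offset + 2 + $i] }
        $hdr += $n
    }
    [pscustomobject]@{ Tag = $Bytes[$Offset]; Start = $Offset + $hdr; Next = $Offset + $hdr + $len }
}
function ConvertFrom-DerOid {
    # Decode the content bytes of an OBJECT IDENTIFIER into dotted form.
    param([byte[]] $Bytes, [int] $Start, [int] $End)
    $arcs = @([int][math]::Floor($Bytes[$Start] / 40), [int]($Bytes[$Start] % 40))
    $v = [long]0
    for ($i = $Start + 1; $i -lt $End; $i++) {
        $v = ($v -shl 7) -bor ($Bytes[$i] -band 0x7F)  # base-128 arcs, high bit = more bytes follow
        if (($Bytes[$i] -band 0x80) -eq 0) { $arcs += $v; $v = 0 }
    }
    $arcs -join '.'
}
function Get-CertificatePolicyOids {
    # Return every policyIdentifier listed in the Certificate Policies extension (2.5.29.32).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' } | Select-Object -First 1
    if (-not $ext) { return @() }
    $b = $ext.RawData
    $outer = Read-DerTlv $b 0            # certificatePolicies ::= SEQUENCE OF PolicyInformation
    $pos = $outer.Start; $oids = @()
    while ($pos -lt $outer.Next) {
        $info = Read-DerTlv $b $pos      # PolicyInformation ::= SEQUENCE { policyIdentifier, qualifiers OPTIONAL }
        $oid = Read-DerTlv $b $info.Start   # first element is the policyIdentifier OID
        $oids += ConvertFrom-DerOid $b $oid.Start $oid.Next
        $pos = $info.Next                # skip the qualifiers (CPS URI etc.) without decoding them
    }
    return $oids
}
function Test-EvAuthenticodeSignature {
    # Subject string and SimpleName (CN) comparison are assumptions, not Coder Desktop's exact check.
    param([string] $Path, [string] $ExpectedSubject = 'Coder Technologies Inc.')
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "FAIL: signature status is $($sig.Status)" }
    $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedSubject) { return "FAIL: unexpected signer subject '$cn'" }
    $oids = Get-CertificatePolicyOids $sig.SignerCertificate
    if ($oids -notcontains '2.23.140.1.3') { return "FAIL: no EV policy OID; found: $($oids -join ', ')" }
    return "OK: valid EV-signed binary from $cn"
}
Test-EvAuthenticodeSignature -Path 'C:\Program Files\Coder\bin\coder.exe'
```

Decoding the DER directly avoids relying on the localized text that `$ext.Format()` produces on Windows, and the signature status check comes first because an EV policy OID on a certificate that does not chain to a trusted root proves nothing.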
