Why does Microsoft use a digital signature catalog instead of a signature in the executable?

Catalog files have actually been around since Windows 2000/XP. They are an alternative to signing single binaries as you attach one signature to the catalog file rather than a signature to every single binary. You can use either one to the same effect, but catalog files are more efficient for a large collection of files.

Microsoft typically does not include hashes from third party binaries in their catalog files, unless they are including them as part of the OS or a Microsoft application and are willing to sign those files. The exception to this is kernel mode drivers for Windows 10 as explained in this post. It is unlikely that a third party would modify a Microsoft-signed file without having it signed again.


There are some other interesting benefits around the "WHY":

  1. You can catalog sign non-executables. inf, ini etc...That's not possible with an embedded Authenticode signature. Sometimes you want to make sure non-PE files have not been tampered with.

  2. If you take a binary on system A and copy it to system B, you will break the signature if the required catalog is missing. That can help prevent certain classes of exploits that involve user input.