When using recent versions of signify, thrember fails during PE feature extraction with the following error:
TypeError: 'CertificateStore' object is not subscriptable
Where it happens
In thrember/features.py, during Authenticode feature extraction:
for cert in certs[:-1]:
...With recent signify versions, certs is a CertificateStore object, which is iterable but does not support slicing.
This causes a runtime exception when processing signed PE files.
Root cause
signify changed the Authenticode API:
- certificate collections are now returned as
CertificateStore
CertificateStore is iterable but not indexable
thrember still assumes a list-like object and uses slicing.
Suggested fix
Convert the certificate store to a list before slicing:
certs = list(certs)
for cert in certs[:-1]:
...This keeps the existing logic intact and restores compatibility with recent signify versions.
Environment
- Python: 3.10 / 3.11
- signify: >= 0.8.x
- thrember / EMBER2024: current release
When using recent versions of
signify,thremberfails during PE feature extraction with the following error:Where it happens
In
thrember/features.py, during Authenticode feature extraction:With recent
signifyversions,certsis aCertificateStoreobject, which is iterable but does not support slicing.This causes a runtime exception when processing signed PE files.
Root cause
signifychanged the Authenticode API:CertificateStoreCertificateStoreis iterable but not indexablethremberstill assumes a list-like object and uses slicing.Suggested fix
Convert the certificate store to a list before slicing:
This keeps the existing logic intact and restores compatibility with recent
signifyversions.Environment