Getting WinVerifyTrust to work with catalog signed files such as cmd.exe
I tested the following code with NULL (as recommended in the docs) in place of BCRYPT_SHA256_ALGORITHM, and it worked without problems.
Although the documentation says the default hashing algorithm may change in future Windows versions, Microsoft still has to maintain consistent behavior.
// Acquires a catalog-administrator context used to verify a catalog-signed file.
// Only the context-acquisition branches are shown in this excerpt; the hash
// computation, the catalog lookup and the Cleanup label are elided ("...").
//   FileHandle         - handle to the file being verified (consumed by the elided part)
//   UseStrongSigPolicy - true: acquire the context under the CERT_STRONG_KEY_OS_1
//                        strong-signature policy; false: acquire a plain context
//                        with the hash algorithm pinned to SHA-256
// Returns a DWORD; the shown branches record GetLastError() in Error on failure
// (the return statement itself is elided).
DWORD VerifyCatalogSignature(_In_ HANDLE FileHandle, _In_ bool UseStrongSigPolicy){ ...
    if (UseStrongSigPolicy != false) {
        SigningPolicy.cbSize = sizeof(CERT_STRONG_SIGN_PARA);
        SigningPolicy.dwInfoChoice = CERT_STRONG_SIGN_OID_INFO_CHOICE;
        // The commented-out OID tracks whatever the running OS currently treats as
        // "strong" and can therefore change with OS updates; the OS_1 OID below pins
        // the policy to a fixed key-size/hash floor so verification results stay
        // stable. Confirm the exact floor against the CERT_STRONG_SIGN_PARA docs.
        //SigningPolicy.pszOID = const_cast<char*>(szOID_CERT_STRONG_SIGN_OS_CURRENT);
        SigningPolicy.pszOID = const_cast<char*>(szOID_CERT_STRONG_KEY_OS_1);
        // Third argument (hash algorithm name) is NULL in this branch: the strong-sign
        // policy passed as the fourth argument decides which signature hashes are acceptable.
        if (!CryptCATAdminAcquireContext2( &CatAdminHandle, NULL, NULL, &SigningPolicy, 0)) {
            Error = GetLastError();
            goto Cleanup; // Cleanup is outside the excerpt; presumably releases CatAdminHandle — verify
        }
    } else {
        // No strong-signature policy is supplied, so signatures made with weak keys or
        // hashes are presumably not filtered out at this step. The hash algorithm is
        // pinned to SHA-256 rather than the OS default; the post's author reports that
        // passing NULL here (OS default) also worked in testing.
        if (!CryptCATAdminAcquireContext2( &CatAdminHandle, NULL, BCRYPT_SHA256_ALGORITHM, NULL, 0)) {
            Error = GetLastError();
            goto Cleanup; // same Cleanup path as above
        }
    } ...}