Breaking it down,
- use 7z to extract the WIN_CERTIFICATE
- skip metadata fields and extract cert bytes
- parse certificate details with openssl
- additionally grab Validity period end
- remove leading and trailing whitespace
- reverse line order to place “Not After” after “Subject”
- convert output to jsonl
- test that output is queryable with jq

```sh
# skip=8 drops the 8-byte WIN_CERTIFICATE header (dwLength, wRevision,
# wCertificateType); what follows is the DER-encoded PKCS#7 blob.
7z e -so foo.exe CERTIFICATE | \
  dd bs=1 skip=8 status=none | \
  openssl pkcs7 -inform der -print_certs -noout -text | \
  grep -E '(Subject:|Not After)' | \
  awk '{gsub(/^[ \t]+|[ \t]+$/, "", $0); print $0}' | \
  awk '{if (NR%2==1) {line1=$0} else {print $0; print line1}}' | \
  awk -F': ' '/Subject/ {subj=$2} /Not After/ {print "{\"Subject\": \"" subj "\", \"Not After\": \"" $2 "\"}"}' | \
  jq
```

Output then looks like the following:

```json
{
  "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4",
  "Not After": "Nov 9 23:59:59 2031 GMT"
}
{
  "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
  "Not After": "Mar 22 23:59:59 2037 GMT"
}
{
  "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
  "Not After": "Apr 28 23:59:59 2036 GMT"
}
{
  "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2023",
  "Not After": "Oct 13 23:59:59 2034 GMT"
}
```
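
The awk stages above build JSON by string concatenation, and the Subject comes from the file being inspected, so a value containing a double quote or backslash yields invalid JSON. A variant that escapes both fields and pairs them by label instead of line parity, as an added example that is not part of the original post (`certs_to_jsonl` is a hypothetical name; the sample line is constructed):

```sh
# Added example, not from the original post. certs_to_jsonl is a hypothetical name.
# Reads `openssl pkcs7 -print_certs -noout -text` output on stdin and writes one
# JSON object per certificate, escaping values taken from the file under analysis.
certs_to_jsonl() {
  awk '
    BEGIN {
      # JSON requires control characters to be written as \u00XX escapes.
      for (i = 1; i < 32; i++) ctl[sprintf("%c", i)] = sprintf("\\u%04x", i)
    }
    # Escape one string for use inside a JSON string literal.
    function json_escape(s,    out, i, c) {
      out = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c == "\"" || c == "\\") out = out "\\" c
        else if (c in ctl)          out = out ctl[c]
        else                        out = out c
      }
      return out
    }
    # openssl prints "Not After" before "Subject:" for each certificate,
    # so remember the date and emit the object when the subject arrives.
    /^[ \t]*Not After *:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
      not_after = $0
      next
    }
    /^[ \t]*Subject:/ {
      # Strip only up to the first colon, so ": " inside the subject survives.
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
      printf "{\"Subject\": \"%s\", \"Not After\": \"%s\"}\n", json_escape($0), json_escape(not_after)
      not_after = ""
    }
  '
}

# Constructed sample input (not taken from a real certificate):
printf '%s\n' \
  '            Not After : Jan  1 00:00:00 2030 GMT' \
  '        Subject: C=US, O=Example "Quoted" Corp, CN=test' | certs_to_jsonl
```

In the pipeline it takes the place of the `grep` and three `awk` stages: `... | openssl pkcs7 -inform der -print_certs -noout -text | certs_to_jsonl | jq`.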