Not only include Code Signing certificates

get_code_signing_ca.py

@@ -1,6 +1,7 @@
 #!/usr/bin/python3
 # © 2024 Michal Trojnara
 # This script downloads Microsoft code signing certificates
+# Tor is required for this script to work
 # Redirect the script output to a PEM file
 
 from sys import stderr
@@ -15,21 +16,24 @@ def download_cert(hash):
         if attempt > 0:
             sleep(10)
         try:
-            resp = get('https://crt.sh/?d=' + hash)
+            creds = f'{attempt}{hash}:{attempt}{hash}'
+            resp = get(f'https://crt.sh/?d={hash}',
+                proxies=dict(https=f'socks5://{creds}@127.0.0.1:9050'))
             resp.raise_for_status()
             print('.', file=stderr, end='')
             stderr.flush()
             return resp.content.decode('utf-8')
         except RequestException as e:
-            print(f'\n{e}', file=stderr)
+            print(f'\nAttempt {attempt}: {e}', file=stderr)
     print('\nGiving up on', hash, file=stderr)
 
 resp = get('https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFTCSV')
 resp.raise_for_status()
-lines = resp.content.decode('utf-8').splitlines()
+lines = resp.content.decode('utf-8').splitlines()[1:]
 hashes = [row[4] for row in reader(lines)
-    if row[0] != 'Disabled' and 'Code Signing' in row[5].split(';')]
+    if row[0] != 'Disabled'
-with ThreadPoolExecutor(max_workers=5) as executor:
+        or row[4] == 'F38406E540D7A9D90CB4A9479299640FFB6DF9E224ECC7A01C0D9558D8DAD77D']
+with ThreadPoolExecutor(max_workers=20) as executor:
     certs = executor.map(download_cert, hashes)
 for cert in certs:
     if cert is not None: