
I find it frustrating that the Mach guys have this great write up, but don't just say what the "signing" is.

Anyone paying attention in the article to that point knew it had to be some basic hash or similar, where even in your worst case someone has to reverse engineer some assembly.

After all that effort, just out Microsoft, particularly when we're talking about open-source code that anyone that cares to can just dig through and find (thanks for that, msk!).



> I find it frustrating that the Mach guys have this great write up, but don't just say what the "signing" is.

I think it's for plausible deniability in case M$ ever comes after them for RE reasons. They probably want to be able to say that they didn't use the proprietary blob in order to implement their own code signing.


If that is indeed the reason, I won't blame them. I wouldn't want to upset Microsoft either. If they decide to come after you with an army of lawyers, it doesn't necessarily matter if what you did was legal. And I think it probably was legal in most jurisdictions. Reverse engineering for purposes of interoperability is generally allowed. Of course they could still try to get you on copyright if you didn't do a clean room re-implementation.


Yeah. It's easy to say you got it from some other open-source project that did their own clean-room reimplementation, unless there's clear evidence on your very own website that you looked at their proprietary code anyway, which would allow them to make the case that your knowledge was tainted and your implementation couldn't have possibly been clean-room.


But copyright doesn't care about "tainted", it cares about whether there's substantial similarity between the two works. Copying only the system/mechanism but not the exact code is legal, even if you admit you used the actual decompiled code as a direct guide.


Just for my own understanding, why was it obvious that it has to be a basic hash? At least it wasn't obvious to me, but I have very little experience in this area.



