Validate Authenticode Signature on Exe - C++ Without Capicom

Validate Authenticode signature on EXE - C++ without CAPICOM

You should use CryptQueryObject.

This KB-article demonstrates the use: How To Get Information from Authenticode Signed Executables.

To the commenter that asked about how to do it without the Windows-APIs, I am not aware of any library that can do it, but the format is documented here: Windows Authenticode Portable Executable Signature Format

Verify Authenticode signature as being from our company for automatic updater

The person at question #2008519 has a
very similar requirement. His need for
a "TrustedByUs" function is identical
to mine. However, he goes about doing
the check by comparing public keys.
While this would work in the
short-term, it seems like it won't
work for an automatic update feature.
This is because code signing
certificates are only valid for 2 - 3
years max. Therefore, in the future,
when we buy a new certificate in 2
years, the old clients wouldn't be
able to update any more due to the
change in public key.

Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else's similar-looking certificate for your own.

Check whether a given executable is digitally signed and valid?

You can do this using only managed code. The mono project has it's own signcode and chktrust tools that allows you to sign and verify Authenticode(tm) signatures.

Both use the Mono.Security.dll assembly, which works fine under Windows, and all the code is licensed under the MIT.X11 license (so you can pretty much do what you want with it).

However you'll need a bit of extra logic to check the root certificate, since Mono uses it's own stores - not the one on Windows. That should not be a big issue since .NET (since v2) provides classes that query/access the user/machine certificate stores.

Disclaimer: I wrote most of the code above ;-)

What to use to check for a specific EXE file signature?

Combination of IssuerRDN (set of fields that identify the issuer) and SerialNumber fields uniquely identifies the certificate as per RFC 5280.

The RFC doesn't define, what happens if the certificate is re-issued, but I would assume that the serial number is changed. The reason is that the new certificate would differ from the previous one and as such it must be identified uniquely.

Consequently for your task the better approach would be to

1. validate the certificate chain completely to ensure integrity and authenticity of the certificate
2. check issuer name
3. check subject name
4. check key usage field.

This will ensure that the certificate is valid and authorized for this company, and at the same time this algorithm saves you from the mistake of checking for exactly one certificate (this mistake can lead to trouble if the certificate is revoked for whatever reason and replaced with a new one).

Windows Server 2016/2019 incorrectly return Authenticode signature on Owin.dll

Whilst the signature isn't part of the Owin.dll itself, Windows Server has a "Security Catalog" (under %SystemRoot%\System32\CatRoot) which identifies Owin.dll by name/hash. The security catalog is signed by Microsoft, and it's the signing certificate of the security catalog that's being returned by Get-AuthenticodeSignature. In effect it's simply a "detached" Authenticode signature, rather than being embedded in the .dll.

---

Related Topics