

Programmatically checking the Authenticode signature on a file

While I was at MEDC 2006, someone asked me if there was a way to find out programmatically what certificate a file is signed with. The answer is yes, and it is easy using the cryptography classes in the .NET Framework. (This is desktop .NET Framework code; the call used below is not available on Windows Mobile.)

Don't forget to add a reference to the cryptography libraries, and then add the following using statements to your file:

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

The following function returns an X509Certificate object that you can then use to get additional information, such as the certificate issuer. Be clear about what it does not do: CreateFromSignedFile only extracts the signer's certificate from the file's Authenticode signature. It does not check that the signature is valid, that the file is unmodified since signing, or that the certificate chains to a trusted root; for that you need the WinVerifyTrust API. For more information on the X509Certificate class, take a look at https://msdn2.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate_members.aspx .

/// <summary>
/// Gets the certificate the file is signed with. This only reads the signer's
/// certificate out of the file's Authenticode signature; it does not verify
/// that the signature is valid or trusted.
/// </summary>
/// <param name="filename">The path of the signed file from which to
/// create the X.509 certificate.</param>
/// <returns>The certificate the file is signed with, or null if the file is
/// not signed or the certificate could not be read.</returns>
public X509Certificate GetAppCertificate(string filename)
{
    X509Certificate cert = null;
    try
    {
        // Pulls the signer certificate from the embedded PKCS #7 signature.
        // Throws CryptographicException for an unsigned file.
        cert = X509Certificate.CreateFromSignedFile(filename);
    }
    catch (CryptographicException e)
    {
        Console.WriteLine("Error {0} : {1}", e.GetType(), e.Message);
        Console.WriteLine("Couldn't parse the certificate. " +
            "Be sure the file is signed with an X.509 certificate.");
    }
    return cert;
}
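Because CreateFromSignedFile reads the certificate without checking anything, a practitioner usually wants the verification step next to it. The following is an added example, not code from the original post: it calls WinVerifyTrust from wintrust.dll via P/Invoke to check that the embedded signature matches the file and chains to a root the machine trusts, and then uses the same CreateFromSignedFile call to pin the signer's certificate thumbprint, since a valid chain alone only proves that some code-signing certificate from some trusted CA was used. The class and method names (AuthenticodeCheck, VerifyEmbeddedSignature, IsSignedBy) are my own; the GUID, WTD_* values and HRESULT codes are transcribed from wintrust.h and winerror.h. Windows only.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post: verify an Authenticode
// signature with WinVerifyTrust (wintrust.dll), then pin the signer. Windows only.
public static class AuthenticodeCheck
{
    // WINTRUST_ACTION_GENERIC_VERIFY_V2 and the WTD_* values as defined in wintrust.h
    static readonly Guid GenericVerifyV2 = new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");
    const uint WTD_UI_NONE = 2, WTD_REVOKE_NONE = 0, WTD_CHOICE_FILE = 1,
               WTD_STATEACTION_IGNORE = 0, WTD_SAFER_FLAG = 0x100, WTD_UICONTEXT_EXECUTE = 0;
    // HRESULTs from winerror.h worth telling apart when reporting a failure
    const int TRUST_E_NOSIGNATURE = unchecked((int)0x800B0100);
    const int TRUST_E_BAD_DIGEST = unchecked((int)0x80096010);
    const int CERT_E_UNTRUSTEDROOT = unchecked((int)0x800B0109);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszFilePath;
        public IntPtr hFile;           // NULL: let wintrust open the path itself
        public IntPtr pgKnownSubject;  // NULL: let it pick the SIP (PE, CAB, MSI, ...)
    }

    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice;
        public IntPtr pFile;           // WINTRUST_FILE_INFO*
        public uint dwStateAction;
        public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext;
        public IntPtr pSignatureSettings;  // Windows 8+ field; left NULL
    }

    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);

    // Returns 0 (S_OK) when the embedded signature matches the file's hash and the
    // signer's chain ends in a root this machine trusts; otherwise the HRESULT.
    public static int VerifyEmbeddedSignature(string path)
    {
        int cbFile = Marshal.SizeOf(typeof(WINTRUST_FILE_INFO));
        var fileInfo = new WINTRUST_FILE_INFO { cbStruct = (uint)cbFile, pcwszFilePath = path };
        IntPtr pFileInfo = Marshal.AllocHGlobal(cbFile);
        try
        {
            Marshal.StructureToPtr(fileInfo, pFileInfo, false);
            var data = new WINTRUST_DATA
            {
                cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA)),
                dwUIChoice = WTD_UI_NONE,                // never raise a dialog from a check
                fdwRevocationChecks = WTD_REVOKE_NONE,   // no CRL/OCSP traffic; chain only
                dwUnionChoice = WTD_CHOICE_FILE,
                pFile = pFileInfo,
                dwStateAction = WTD_STATEACTION_IGNORE,  // one-shot; no state handle to close
                dwProvFlags = WTD_SAFER_FLAG,
                dwUIContext = WTD_UICONTEXT_EXECUTE
            };
            Guid action = GenericVerifyV2;               // a readonly field cannot be passed by ref
            return WinVerifyTrust(IntPtr.Zero, ref action, ref data);
        }
        finally
        {
            Marshal.DestroyStructure(pFileInfo, typeof(WINTRUST_FILE_INFO)); // frees the LPWSTR copy
            Marshal.FreeHGlobal(pFileInfo);
        }
    }

    // A trusted chain is not enough: any code-signing certificate from any trusted CA
    // passes WinVerifyTrust, so also pin the signer you expect (SHA-1 thumbprint).
    public static bool IsSignedBy(string path, string expectedThumbprint, out string reason)
    {
        int hr = VerifyEmbeddedSignature(path);
        if (hr == TRUST_E_NOSIGNATURE) { reason = "file is not signed"; return false; }
        if (hr == TRUST_E_BAD_DIGEST) { reason = "file was modified after signing"; return false; }
        if (hr == CERT_E_UNTRUSTEDROOT) { reason = "signer chains to an untrusted root"; return false; }
        if (hr != 0) { reason = "WinVerifyTrust failed: 0x" + hr.ToString("X8"); return false; }
        X509Certificate2 signer;
        try
        {
            // The same call the post uses: it reads the certificate but verifies nothing,
            // which is why it comes after WinVerifyTrust rather than instead of it.
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException e) { reason = "signer certificate unreadable: " + e.Message; return false; }
        string expected = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
        if (!string.Equals(signer.Thumbprint, expected, StringComparison.Ordinal))
        {
            reason = "valid signature, but signer " + signer.Subject + " (" + signer.Thumbprint + ") is not the pinned one";
            return false;
        }
        reason = "valid signature by pinned signer " + signer.Subject;
        return true;
    }
}
```

Call it as `AuthenticodeCheck.IsSignedBy(@"C:\path\to\plugin.dll", "<expected thumbprint>", out reason)` and treat anything but true as a refusal to load. Two limits of this check are worth knowing: it verifies only the signature embedded in the file, so catalog-signed files (most Windows system binaries) need WTD_CHOICE_CATALOG instead; and revocation checking is switched off (WTD_REVOKE_NONE), so if network access is acceptable use WTD_REVOKE_WHOLECHAIN together with the WTD_REVOCATION_CHECK_CHAIN provider flag.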

Enjoy!

Luis E. Cabrera
Windows Mobile Team.
====
This posting is "AS IS" and confers no rights or privileges.

Comments

  • Anonymous
    May 18, 2006
    The comment has been removed

  • Anonymous
    May 19, 2006
    Any way to do this with native C++ to ensure a file is signed with the correct signature? i.e., check that the DLLs an application depends on are signed by the original provider (possibly myself)

  • Anonymous
    May 19, 2006
    For PE files (NOT CAB files!) you can use ImageEnumerateCertificates, ImageGetCertificateData, etc.
    for an example see:
    http://groups.google.com/group/microsoft.public.platformsdk.security/browse_frm/thread/faef4e6504a8144d/61a97cad2dc431c4?lnk=st&q=ImageEnumerateCertificates+ImageGetCertificateData&rnum=1#61a97cad2dc431c4

  • Anonymous
    June 07, 2006
    The comment has been removed

  • Anonymous
    June 27, 2006
    Ian,

    You are right. The code is not meant to verify that the signature is correct.

    The code is meant to help you just check what certificate the file was signed with. That was what the person at MEDC asked for.

    Thanks,
    -Luis.

  • Anonymous
    November 08, 2006
    CryptVerifyMessageSignature is not supported in windows mobile. Then how to get PCCERT_CONTEXT from WIN_CERTIFICATE?

  • Anonymous
    March 29, 2007
    Once I get the certificate, how can I programmatically verify the Authenticode signature?

  • Anonymous
    July 26, 2007
    I am really concerned about this issue. I have code that does exactly what is being requested in the earlier replies:  I verify that the Authenticode signature is not only present, but valid as well. My current implementation uses the CAPICOM library - which appears to be the only way to test an Authenticode signature. Unfortunately, Microsoft lists CAPICOM as "not supported" on Windows Vista.  They recommend using .Net instead... but I can't find any way to do this from .Net.  Everywhere I look, people recommend using CAPICOM!

  • Anonymous
    September 04, 2007
    Check out WinVerifyTrust in the Platform SDK.

  • Anonymous
    April 15, 2008
    I want to know programmatically how to tell if a DLL has a Digital Signatures tab (right click --> Properties --> Digital Signatures).

  • Anonymous
    April 15, 2008
    I tried FileVersionInfo but there is no info about the digital signature.

  • Anonymous
    April 17, 2008
    The comment has been removed

  • Anonymous
    April 17, 2008
    Please help as soon as possible. Thanks

  • Anonymous
    October 23, 2008
    this function is not supported on Windows Mobile OS, any method instead?

  • Anonymous
    October 29, 2008
    Hi, as far as I understood, on the X509Certificate class you can retrieve the name of the certificate authority who delivered the certificate using the Issuer property. The name of the person who provided the signed assembly (or MSI in your example) can be retrieved with the Subject property. Concerning the validity period, it starts on GetEffectiveDateString() and ends on GetExpirationDateString(). But this doesn't help on how to check the validity of a file signature... Regards

  • Anonymous
    October 30, 2008
    Thanks for the reply. So if I want to find out programmatically what certificate a file is signed with, the only way is using the X509Certificate class, right? It seems that there is no other method if I want to implement this function using the Win32 API.