views:

363

answers:

2

I would like to verify a signed executable. The requirement is to validate that the executable itself is valid and where it came from (probably from the subject of the cert). The cert type is PKCS.

I found a similar posting here, http://stackoverflow.com/questions/301024/validate-authenticode-signature-on-exe-c-without-capicom

The Microsoft documentation, among others, appears to point to CertGetCertificateChain, but the examples tend to work with certificates that are in a store. Does anyone know how to validate a signed executable using CertGetCertificateChain and related API's?

A: 

can you elaborate? the question you linked to seems to provide all of the answers you should need.

you state that "the examples tend to work with certificates that are in a store", which i take to mean that the executable needs to be signed with a certificate that chains to a root certificate in the machine's trusted store.

this is true; there's no way around that, otherwise there is no way to trust that the signer is who he says he is, and no way for the provider to revoke the certificate if it's being fraudulently used.

so, WinVerifyTrust is the right way to validate a signed executable. it's a terrible API so be careful. CryptQueryObject and related apis will give you more information such as the name of the person or company that the certificate was issued to.

~jewels

Jewel S
Two pieces of info are desired: Is the app signed? Who is the signer? To verify the executable, WinVerifyTrust will work. However, I got stuck on how to know who the signer is. Someone (MSalters) responded to the original post saying CertGetCertificateChain would be helpful. However, I couldn't figure out how to go from an executable file on disk to all the odd parm types of CertGetCertificateChain.
cobaia
it sounds like Josh K has pointed you in the right direction. if not i can dig up some old code i've written and produce a sample. WinVerifyTrust is the critical step; beyond that it's just a few hoops to jump through that aren't very well explained in msdn and similar.
Jewel S
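The two checks discussed in this answer and its comments (is the file validly signed, and who signed it) can be scripted without touching WinVerifyTrust's parameter structures directly. The following is an added example, not code posted by anyone in this thread: it uses the built-in Get-AuthenticodeSignature cmdlet for the signature verdict and the .NET X509Chain class for an explicit chain build on the signer certificate, which is the managed counterpart of the chain building the question asks about. The function name, the `-ExpectedSubject` parameter and the `Contoso` value in the usage line are assumptions for illustration.

```powershell
# Added example (not from the thread). Answers two questions about a PE file:
#   1. Is it signed, and does the signature verify?  -> Status / StatusMessage
#   2. Who signed it?                                -> signer certificate Subject
function Test-SignedExecutable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed input: a substring you expect in the signer's subject (e.g. the vendor name).
        [string] $ExpectedSubject
    )

    # Performs the hash check and the trust decision for the Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    $chainOk = $false
    $chainErrors = @()
    if ($signer) {
        # Build the chain explicitly so chain problems are listed individually
        # instead of being folded into a single status code.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        # Require the code-signing EKU (id-kp-codeSigning) on the chain.
        $chain.ChainPolicy.ApplicationPolicy.Add(
            (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
        $chainOk = $chain.Build($signer)
        $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    # Only 'Valid' means the file hash matched the signed hash AND the chain ended at a
    # root the machine trusts. NotSigned, HashMismatch and UnknownError are all failures.
    $signatureValid = ($sig.Status -eq 'Valid')

    # Identity check: a valid signature from the wrong publisher is still the wrong file.
    $subjectOk = $true
    if ($ExpectedSubject -and $signer) {
        $subjectOk = ($signer.Subject -like "*$ExpectedSubject*")
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = if ($signer) { $signer.Subject } else { $null }
        Issuer        = if ($signer) { $signer.Issuer } else { $null }
        Thumbprint    = if ($signer) { $signer.Thumbprint } else { $null }
        NotAfter      = if ($signer) { $signer.NotAfter } else { $null }
        Timestamper   = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        ChainBuilt    = $chainOk
        ChainErrors   = ($chainErrors -join '; ')
        Trusted       = ($signatureValid -and $subjectOk)
    }
}

# Usage (path and expected subject are placeholders):
Test-SignedExecutable -Path 'C:\path\to\app.exe' -ExpectedSubject 'Contoso' | Format-List
```

Treat `Status` as the authoritative verdict and `ChainBuilt`/`ChainErrors` as diagnostics: Get-AuthenticodeSignature evaluates the chain as of the countersignature timestamp when one is present, whereas the explicit X509Chain build above validates at the current time, so a correctly timestamped signature whose signing certificate has since expired can report `Status = Valid` while `ChainBuilt` is false with a "not within its validity period" entry. On recent Windows versions the cmdlet also resolves catalog-signed system binaries, so a file with no embedded signature can still come back `Valid`.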
A: 

I asked this question some time ago. I had your exact requirements. There's sample code in there that will help you. Have fun!!

Josh K
Great. One of the links in a comment (http://support.microsoft.com/kb/323809) is very good. Thx!
cobaia