tags:

views:

363

answers:

2
Q: 

Validate signature on EXE with CertGetCertificateChain

I would like to verify a signed executable. The requirement is to validate that the executable itself is valid and where it came from (probably from the subject of the cert). The cert type is PKCS.

I found a similar posting here, http://stackoverflow.com/questions/301024/validate-authenticode-signature-on-exe-c-without-capicom

The Microsoft documentation, among others, appears to point to CertGetCertificateChain, but the examples tend to work with certificates that are in a store. Does anyone know how to validate a signed executable using CertGetCertificateChain and related API's?

A: 

can you elaborate? the question you linked to seems to provide all of the answers you should need.

you state that "the examples tend to work with certificates that are in a store", which i take to mean that the executable needs to be signed with a certificate that chains to a root certificate in the machine's trusted store.

this is true; there's no way around that, otherwise there is no way way to trust that the signer is who he says he is, and no way for the provider to revoke the certificate if it's being fraudulently used.

so, WinVerifyTrust is the right way to validate a signed executable. it's a terrible API so be careful. CryptQueryObject and related apis will give you more information such as the name of the person or company that the certificate was issued to.

~jewels

Jewel S  2009-07-15 02:27:18
Two pieces of info are desired.- Is the app signed? - Who is the signer?To verify the executable WinVerifyTrust will work. However, got stuck on how to know who is the signer. Someone (MSalters) responded to the original post saying CertGetCertificateChain would be helpful. However, couldn't figure out how to go from an executable file on disk to all the odd parm types of CertGetCertificateChain.
cobaia  2009-07-16 22:40:28
it sounds like Josh K has pointed you in the right direction. if not i can dig up some old code i've written and produce a sample.WinVerifyTrust is the critical step; beyond that it's just a few hoops to jump through that aren't very well explained in msdn and similar.
Jewel S  2009-07-17 05:27:12
A: 

I asked this question some time ago. I had your exact requirements. There's sample code in there that will help you. Have fun!!

Josh K  2009-07-15 02:29:46
Great. One of the links in a comment (http://support.microsoft.com/kb/323809) is very good. Thx!
cobaia  2009-07-16 22:44:01

related questions

How to read a value from the Windows registry
CreateProcessAsUser vs ShellExecute
How do you configure an OpenFileDIalog to select folders?
Is there anything similar to the OS X InputManager on Windows?
So what am I missing with this here WPF?
How to convert std::string to LPCWSTR in C++ (Unicode)
Notification of drop in drag-drop in Windows
Find out which process has an exclusive lock on a USB device handle
What's an alternative to GWL_USERDATA for storing an object pointer?
FlashWindowEx FLASHW_STOP still keeps taskbar colored
Getting UI text from external app in C#
Sending a mouse click to a button in the taskbar using C#
Suitable alternative to CryptEncrypt
Is FindFirstChangeNotification the best API to use for file system change notification on windows?
What is the easiest way to parse an INI File in C++?
_wfopen equivalent under Mac OS X
Validating a Win32 Window Handle
Get list of domains on the network
Does it still make sense to learn low level WinAPI programming?
How do you create your own moniker (URL Protocol) on Windows systems?
Where is a good place to start programming GUIs for windows?
Bringing Window to the Front in C# using Win32 API
How can you tell when a user last pressed a key (or moved the mouse)?
Can a windows dll retrieve its own filename?
Wiggling the mouse using C#