views: 692

answers: 2

I have the exe for the project I'm working on signed with a digital signature, which means when it asks for admin rights it shows the company name. This works very well, but if you modify the exe it will still work and show "unknown" there instead.

Is there a way to check the digital signature to see if it is valid when you run the exe to avoid modified versions running?

Visual Studio 2008, Windows 7

+2 A:

Here is a sample program (it uses the WinVerifyTrust function) that verifies a signature, but I'm not sure that it will work under Windows 7. You should try it.

Kirill V. Lyadvinsky
WinVerifyTrust is the call to make. It will tell you that the binary was code-signed. If you need to make sure it was signed with a specific certificate (e.g. your company's), then you need to call CertVerifyCertificateChainPolicy to validate (possibly in a loop).
selbie
A: 

Considering you already have a UAC need, wouldn't it be sufficient to set the GPO option "Only elevate executables that are signed and validated" in "Computer Configuration\Windows Settings\Local Policies\Security Options"? There's also a "Use Certificate Rules on Windows Executables for Software Restriction Policies" setting that might be useful.

These settings are better than trying to check from your own application, because the whole point is that you can no longer trust yourself when your binary is modified.

MSalters
This will be installed on end users' computers, so I can't set that option. I'm more worried about corruption than "hackers".
Lodle
OK, it wasn't clear from your question whether you were afraid of Murphy or Machiavelli.
MSalters