Check whether a given executable is digitally signed and valid?

In my C#/.NET application I have to check if a given executable is digitally signed (preferably without exception testing).

Then I need to check if its certificate is valid (based on installed root certificates) and if the file's content is valid for the signature.

There are so many classes in the BCL that I don't know where to start or what to use, and anything I've found so far hasn't eliminated my confusion...

I'd like to do something like this, without P/Invoke if possible:

bool IsSignedFile(string path);
Cert GetCertificateFromSignedFile(string path);
bool IsValidCertificate(Cert cert);
Sig GetSignatureFromSignedFile(string path);
bool IsValidSignature(string path, Sig sig, Cert cert);

Added clarification:

The big problem I currently have is that I can't find an easy way to obtain the signature of such a file. I still hope there is a provided, managed BCL solution, as I would be surprised if exactly that part were missing. (For the certificate this can be done with just X509Certificate.CreateFromSignedFile; validating that is possible, too.)
I'd prefer not to mix that 50% of the work already done with P/Invoke code or a big, different library.

I've found an AuthenticodeSignatureInformation class, but no information about using it for a given executable.

ordag asked Oct 15 '11 20:10



1 Answer

You can do this using only managed code. The Mono project has its own signcode and chktrust tools, which allow you to sign and verify Authenticode(tm) signatures.

Both use the Mono.Security.dll assembly, which works fine under Windows, and all the code is licensed under the MIT.X11 license (so you can pretty much do what you want with it).

However, you'll need a bit of extra logic to check the root certificate, since Mono uses its own stores, not the ones on Windows. That should not be a big issue, since .NET (since v2) provides classes that query/access the user/machine certificate stores.

Disclaimer: I wrote most of the code above ;-)

poupou answered Sep 27 '22 18:09
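The three checks the question's wish list asks for (is the file signed, does its content match the signature, does the certificate chain to an installed root), structured the way the answer outlines (a managed verifier for the signature and file hash, the Windows stores for the root) but using BCL classes rather than Mono.Security, as an added example that is not part of the original question or answer. It relies on SignedCms (System.Security.dll on .NET Framework; the System.Security.Cryptography.Pkcs package on modern .NET) for the PKCS#7 signature and on X509Chain for trust; the PE parsing, the Authenticode hash computation and the small DER walk are this example's own code, as are the class and helper names. It assumes the file is laid out the way signtool produces it (sections in file order, certificate table last), examines only the first certificate-table entry (nested signatures are not walked), and does not parse the countersignature, so the timestamp needed to accept a signature made with a now-expired certificate must be supplied by the caller. The note in the code about .NET Framework stripping the outer SEQUENCE of the content is an assumption about a framework difference, not something the page states.

```csharp
// Added example, not code from the question, the answer or Mono: a BCL-only Authenticode check built
// on SignedCms and X509Chain. No P/Invoke. Class and helper names here are this example's own.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class AuthenticodeCheck
{
    public sealed class Result
    {
        public bool HasSignature, SignatureValid, HashMatches, ChainTrusted;
        public X509Certificate2 Signer; public string Detail = "";
    }

    // verificationTime: the countersignature (timestamp) time, if you have parsed it (not done here);
    // without it a signature made with a since-expired certificate fails the chain check.
    public static Result Verify(string path, DateTime? verificationTime = null)
    {
        var r = new Result();
        byte[] f = File.ReadAllBytes(path);
        // Locate the attribute certificate table through the PE headers (PE32 and PE32+).
        int pe = BitConverter.ToInt32(f, 0x3C);                                   // e_lfanew
        if (BitConverter.ToUInt32(f, pe) != 0x00004550) { r.Detail = "not a PE image"; return r; }
        int opt = pe + 24;                                                        // optional header
        int dirOff = opt + (BitConverter.ToUInt16(f, opt) == 0x20b ? 112 : 96);   // DataDirectory[]
        int checksumOff = opt + 64, certEntryOff = dirOff + 4 * 8;                // CheckSum; SECURITY entry
        int certOff = BitConverter.ToInt32(f, certEntryOff);                      // a file offset, not an RVA
        int certLen = BitConverter.ToInt32(f, certEntryOff + 4);
        if (certOff <= 0 || certLen <= 0) { r.Detail = "unsigned"; return r; }
        if ((long)certOff + certLen > f.Length) { r.Detail = "truncated certificate table"; return r; }
        r.HasSignature = true;
        // WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then the PKCS#7 blob. Only the first
        // entry is checked; nested signatures are not walked.
        byte[] pkcs7 = new byte[Math.Min(BitConverter.ToInt32(f, certOff), certLen) - 8];
        Buffer.BlockCopy(f, certOff + 8, pkcs7, 0, pkcs7.Length);
        // 1. The signer's signature over SpcIndirectDataContent must verify.
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        try { cms.CheckSignature(verifySignatureOnly: true); r.SignatureValid = true; }
        catch (CryptographicException e) { r.Detail = "signature: " + e.Message; return r; }
        r.Signer = cms.SignerInfos[0].Certificate;
        // 2. The file must hash to the digest carried in SpcIndirectDataContent. Authenticode hashes
        //    everything except CheckSum, the SECURITY directory entry and the certificate table. This
        //    assumes sections sit in file order with the table last (signtool's layout).
        byte[] signedDigest = SignedDigest(cms.ContentInfo.Content);
        using (HashAlgorithm h = HashFor(signedDigest.Length))
        {
            h.TransformBlock(f, 0, checksumOff, null, 0);
            h.TransformBlock(f, checksumOff + 4, certEntryOff - checksumOff - 4, null, 0);
            h.TransformBlock(f, certEntryOff + 8, certOff - certEntryOff - 8, null, 0);
            h.TransformFinalBlock(f, certOff + certLen, f.Length - certOff - certLen);
            r.HashMatches = h.Hash.SequenceEqual(signedDigest);
        }
        if (!r.HashMatches) { r.Detail = "file content does not match the signed digest"; return r; }
        // 3. The signer must chain to a root the Windows stores trust and be valid for code signing.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3"));   // id-kp-codeSigning
        if (verificationTime.HasValue) chain.ChainPolicy.VerificationTime = verificationTime.Value;
        r.ChainTrusted = chain.Build(r.Signer);
        if (!r.ChainTrusted)
            r.Detail = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
        return r;
    }

    // The digest algorithm is taken from the digest length (the same shortcut Mono's deformatter
    // uses); a 16-byte MD5 digest is deliberately rejected rather than verified.
    static HashAlgorithm HashFor(int n)
    {
        if (n == 20) return SHA1.Create();
        if (n == 32) return SHA256.Create();
        if (n == 48) return SHA384.Create();
        if (n == 64) return SHA512.Create();
        throw new CryptographicException("unsupported digest length " + n);
    }

    // Minimal DER walk: SpcIndirectDataContent ::= SEQUENCE { data, messageDigest DigestInfo },
    // DigestInfo ::= SEQUENCE { AlgorithmIdentifier, digest OCTET STRING }. Assumption: .NET Framework
    // returns the content with its outer SEQUENCE stripped while .NET Core/5+ keeps it; both are accepted.
    static byte[] SignedDigest(byte[] c)
    {
        int pos = 0;
        if (c[0] == 0x30) { int p = 0, len = ReadHeader(c, ref p); if (p + len == c.Length) pos = p; }
        int dataLen = ReadHeader(c, ref pos); pos += dataLen;        // data: SpcAttributeTypeAndOptionalValue
        ReadHeader(c, ref pos);                                       // messageDigest: DigestInfo
        int algLen = ReadHeader(c, ref pos); pos += algLen;           // AlgorithmIdentifier (length-inferred above)
        byte[] digest = new byte[ReadHeader(c, ref pos)];             // digest OCTET STRING
        Buffer.BlockCopy(c, pos, digest, 0, digest.Length);
        return digest;
    }

    // Reads a tag and DER length at pos, advances pos past them and returns the content length.
    static int ReadHeader(byte[] b, ref int pos)
    {
        int len = b[++pos]; pos++;                                    // single-byte tags only
        if (len >= 0x80) { int n = len & 0x7F; len = 0; while (n-- > 0) len = (len << 8) | b[pos++]; }
        return len;
    }
}
```

Call `AuthenticodeCheck.Verify(@"C:\path\to\file.exe")` and treat the file as trustworthy only when all four flags in the Result are true; Detail carries the first reason a check failed. Note that X509Certificate.CreateFromSignedFile, mentioned in the question, only extracts the signer certificate; it verifies neither the signature nor the file hash, which is why steps 1 and 2 above do that work explicitly. X509Chain.Build on Windows consults the user and machine stores, which is the "extra logic" the answer refers to; on Mono it consults Mono's own stores instead, so the trust result differs by platform even though the signature and hash checks do not.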