Verifying Authenticode with a self-signed certificate
If I have a self-signed certificate that is not in the machine's trusted root certificate store, how can I verify that a PE file is Authenticode-signed using that certificate without adding that certificate to the trusted root store?

C# would be preferred, but an answer in C++ is fine, too.

There are many similar questions already on StackOverflow, but none so far has an answer that is acceptable. It must be Authenticode, and I cannot add it to the certificate store. It also cannot be a purchased certificate, because it needs a longer validity time (irrespective of timestamping).

Other than to copy a huge chunk of the Mono signature check code, I don't know of a solution in Win32 or .NET.

Mcculley answered 20/8, 2016 at 2:1 Comment(4)
Certificate and signature validation are tricky subjects; a lot needs to be checked. I'm not sure if there is a shortcut. – Jarl
@MaartenBodewes But is there a way to accomplish this with the Microsoft APIs? – Mcculley
Undoubtedly. C++ and .NET are Turing complete. If I knew an easy way or tool to do it then I would certainly have answered (just like the other 7 people that voted up, undoubtedly). – Jarl
Without the certificate store or any other trusted certificate you can never validate a certificate. If you ignore the chain root, then any self-signed certificate would be valid, thus allowing anyone to create a valid signature. – Emma

You can start by calling the Get-AuthenticodeSignature PowerShell cmdlet, checking that .Status is Valid or NotTrusted, and verifying that .SignerCertificate is actually your certificate. If you want a more customized solution, consider inspecting the corresponding DLL sources, Authenticode.cs. See also a similar question.

Mcshane answered 14/10, 2023 at 17:26 Comment(0)
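The following is an added example, not code from the answer above or from PowerShell itself, showing how the pinning approach the answer describes can be done end to end. It calls Get-AuthenticodeSignature, rejects any status that means the signature is absent or the file hash does not match, and then makes the trust decision by comparing the full bytes of the signer certificate against a certificate file you control, which is what addresses Emma's point that ignoring the chain root alone would accept any self-signed certificate. The parameter names, the output object shape and the file paths in the usage line are assumptions of this example; on PowerShell 7.1 or later it additionally builds an X509Chain that trusts only the pinned certificate as root.

```powershell
# Added example (not from the original answer). Verifies that a PE file carries
# an Authenticode signature made with one specific self-signed certificate,
# without importing that certificate into the trusted root store.
# Assumptions: -FilePath is the signed PE; -ExpectedCertPath is the .cer file
# (DER or Base64) of the signing certificate you control.
function Test-PinnedAuthenticodeSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedCertPath
    )

    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExpectedCertPath
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # These statuses mean the signature is missing, the file hash does not match,
    # or the format is unsupported. No trust configuration should rescue them.
    $hardFailures = 'NotSigned', 'HashMismatch', 'NotSupportedFileFormat', 'Incompatible'
    if ($sig.Status -in $hardFailures) {
        return [pscustomobject]@{ Ok = $false; Reason = "Signature check failed: $($sig.Status) - $($sig.StatusMessage)" }
    }
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No signer certificate present' }
    }

    # The root is not in the machine store, so the cmdlet's own verdict will
    # usually not be Valid. The trust decision is made here instead, by pinning
    # the whole certificate (RawData): a Subject name can be cloned by anyone,
    # and comparing the raw bytes does not depend on the SHA-1 thumbprint.
    $actualB64   = [Convert]::ToBase64String($sig.SignerCertificate.RawData)
    $expectedB64 = [Convert]::ToBase64String($expected.RawData)
    if ($actualB64 -cne $expectedB64) {
        return [pscustomobject]@{ Ok = $false; Reason = "Signer is $($sig.SignerCertificate.Thumbprint), expected $($expected.Thumbprint)" }
    }

    # Since we are overriding the cmdlet's trust verdict, check the validity
    # window explicitly rather than assuming it was enforced. A countersignature
    # is exposed as TimeStamperCertificate; this example does not evaluate it and
    # simply requires the signer to be within its validity period right now.
    $now = Get-Date
    if ($now -lt $sig.SignerCertificate.NotBefore -or $now -gt $sig.SignerCertificate.NotAfter) {
        return [pscustomobject]@{ Ok = $false; Reason = "Signer certificate outside its validity period (NotAfter $($sig.SignerCertificate.NotAfter))" }
    }

    # On PowerShell 7.1+ (.NET 5+) also build a chain that trusts only our
    # certificate as root. Windows PowerShell 5.1 lacks X509ChainPolicy.TrustMode,
    # so the check is skipped there and the byte-for-byte pin above is the verdict.
    $policyType = [System.Security.Cryptography.X509Certificates.X509ChainPolicy]
    if ($policyType.GetProperty('TrustMode')) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.TrustMode = [System.Security.Cryptography.X509Certificates.X509ChainTrustMode]::CustomRootTrust
        $null = $chain.ChainPolicy.CustomTrustStore.Add($expected)
        # A self-signed certificate publishes no CRL, so revocation checking is disabled.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        # Require the Code Signing extended key usage (id-kp-codeSigning).
        $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
        if (-not $chain.Build($sig.SignerCertificate)) {
            $info = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            return [pscustomobject]@{ Ok = $false; Reason = "Chain to pinned root failed: $info" }
        }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "Signed by pinned certificate $($expected.Thumbprint); cmdlet status was $($sig.Status)" }
}

# Usage (paths are placeholders for your own signed file and exported .cer):
# Test-PinnedAuthenticodeSignature -FilePath 'C:\build\app.exe' -ExpectedCertPath 'C:\keys\signing.cer'
```

The returned object's Reason field carries the cmdlet's original Status and StatusMessage on failure, which is useful when deciding whether a rejection came from a broken signature (hash mismatch) or merely from the expected untrusted-root condition. Pinning the whole certificate rather than a Subject or Thumbprint is deliberate: whoever controls the private key of the pinned certificate is the only party that can produce an accepted signature, which is the property the question is asking for.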
