Verify Authenticode of an executable with C# .NET 4.0
We deliver an executable to a client-service which starts this executable in a new process after downloading it from our servers.

The executable is signed (Authenticode) with the code-signing certificate of our company, and now I'd like to verify that the downloaded executable is validly signed with this code-signing certificate to prevent malicious man-in-the-middle attacks.

But currently I can't find any hints on how to verify this without using "signtool.exe" (which isn't available on the client).

The download service on the client is a .NET 4.0 application written in C#. So I'm searching for a way to verify the Authenticode signature of the downloaded file and only proceed if the verification succeeded.

Radiothorium answered 7/8, 2015 at 14:15 Comment(1)
You need to p/invoke WinVerifyTrust: #6596827 - Thermion

Since this question is from 2015 and I assume you can use .NET Standard 2.0, there is another option available:

You can use the NuGet Package Microsoft.Security.Extensions:

using System;
using System.IO;
using Microsoft.Security.Extensions;

...

using (FileStream fs = File.OpenRead(@"c:\test.exe"))
{
    // Reads the Authenticode signature from the file and lets Windows
    // validate it (hash match, certificate chain, trust).
    FileSignatureInfo sigInfo = FileSignatureInfo.GetFromFileStream(fs);

    Console.WriteLine(sigInfo.State); // SignatureState.SignedAndTrusted
}

Important:

Make sure that you add getfilesiginforedistwrapper.dll and the corresponding native DLL of your platform (getfilesiginforedist.dll)!

Source:

I've had a look at how Microsoft does this for the PowerShell cmdlet Get-AuthenticodeSignature and found it there 😉

Alternatives:

Bacchant answered 30/1, 2023 at 23:26 Comment(2)
Thanks for your answer to this long-standing question. I was unable to verify your solution, since the project is long gone. But since it is used inside PowerShell, I mark this as the answer. :) - Radiothorium
@Bacchant Good find! It helped. Just adding my two cents. - The API works only on Windows 10 and higher. It is not working on Windows 7 with .NET Core; it throws a "DLL not found" exception. - The library is not disposing the signatures, and the FileSignatureInfo class does not expose Dispose. So we have to manually dispose the certificates: fileSignatureInfo?.SigningCertificate?.Dispose(); fileSignatureInfo?.TimestampCertificate?.Dispose(); - Treenatreenail
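As an added example (not code from the answer or from the Microsoft.Security.Extensions project), here is a check that ties together what the question actually needs: the signature must be SignedAndTrusted, and the signer must be the company's own certificate, since "trusted" on its own only means that some publisher Windows trusts signed the file. It assumes SigningCertificate and TimestampCertificate are X509Certificate2 objects (they expose Dispose, as the comment above relies on), and the thumbprint value is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Security.Extensions;

public static class PublisherCheck
{
    // Returns true only if the file carries a valid, trusted Authenticode
    // signature AND the signing certificate is the one we expect.
    // expectedThumbprint: thumbprint of the company's code-signing certificate
    // (placeholder here; take the real value from your own certificate).
    public static bool IsSignedByExpectedPublisher(string path, string expectedThumbprint)
    {
        using (FileStream fs = File.OpenRead(path))
        {
            FileSignatureInfo sigInfo = FileSignatureInfo.GetFromFileStream(fs);

            // Assumption: these are X509Certificate2 instances.
            X509Certificate2 signer = sigInfo.SigningCertificate;
            X509Certificate2 timestamp = sigInfo.TimestampCertificate;
            try
            {
                // 1. Windows must consider the signature valid and chained to a
                //    trusted root. Any other state (unsigned, tampered, untrusted) fails.
                if (sigInfo.State != SignatureState.SignedAndTrusted)
                    return false;

                // 2. Pin the signer. A valid signature from a different publisher
                //    would still be SignedAndTrusted, so check the thumbprint too.
                if (signer == null)
                    return false;

                return string.Equals(signer.Thumbprint, expectedThumbprint,
                                     StringComparison.OrdinalIgnoreCase);
            }
            finally
            {
                // The library does not dispose these for us (see the comment above).
                signer?.Dispose();
                timestamp?.Dispose();
            }
        }
    }
}

// Usage: only launch the downloaded file when the check passes.
// if (!PublisherCheck.IsSignedByExpectedPublisher(downloadedPath, "<YOUR-CERT-THUMBPRINT>"))
//     throw new InvalidOperationException("Downloaded executable failed the signature check.");
```

Pinning the thumbprint means the client must be updated whenever the code-signing certificate is renewed; pinning the certificate's subject together with its issuer chain is the usual alternative when that is not acceptable.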
