
I'm using CAPICOM in a .NET 3.0 C# app to check an Authenticode signature on an exe file. I need to make sure that the certificate is listed as a Trusted Publisher. Using signedCode.Verify(true) will show a dialog if the certificate is not already trusted, so the user can choose whether or not to do so. However, signedCode.Verify(false) is verifying the signature even if it is not from a trusted publisher - presumably this is only checking that the certificate is valid.

How can I check that the signature on a file is from a valid and trusted certificate without the UI?

Chris John

3 Answers


First, StrongNameSignatureVerificationEx is for assembly signature verification and not Authenticode signature verification. So, this is not relevant to the context of the original poster's question.

Concerning the initial question, you can manually check that the signer certificate is correctly chained to a trusted root without any GUI by using the following code:

// Ask CAPICOM to build and validate the chain of the signer's certificate (no UI).
ICertificateStatus certStatus = signedCode.Signer.Certificate.IsValid();
// Result is true when the certificate chains to a trusted root under the policy
// selected by certStatus.CheckFlag.
bool chainsToTrustedRoot = certStatus.Result;

The idea is to retrieve the signer's certificate and to tell CAPICom to check if it has a correct trust chain.

I hope this will help. Cheers,

Mounir IDRASSI, IDRIX, http://www.idrix.fr

Mounir IDRASSI

What you would probably need to do is to use the StrongNameSignatureVerificationEx function exposed through mscoree.dll with P/Invoke:

// Native signature: BOOLEAN StrongNameSignatureVerificationEx(LPCWSTR, BOOLEAN, BOOLEAN*).
// BOOLEAN is a single byte, so each bool must be marshalled as U1 rather than the
// default 4-byte BOOL.
[DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.U1)]
static extern bool StrongNameSignatureVerificationEx(
    string wszFilePath,
    [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
    [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);
Karim Agha

You can use WinVerifyTrust as shown here. It works beautifully on Windows XP/Vista/2008/7. If you also want to check the revocation list set

RevocationChecks = WinTrustDataRevocationChecks.WholeChain;
SlavaGu
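Neither CAPICOM's IsValid() (Mounir's answer) nor WinVerifyTrust with no UI (SlavaGu's answer) consults the Trusted Publishers store: both report success for any signer that chains to a trusted root and is not explicitly distrusted, which is exactly the behaviour the question observed with Verify(false). The Trusted Publishers check therefore has to be done by the caller. The following is an added example, not code from the question or any of the answers: it calls WinVerifyTrust through P/Invoke with WTD_UI_NONE and whole-chain revocation checking, then looks the leaf signer certificate up by thumbprint in the machine and user Trusted Publishers stores. The class name TrustedPublisherCheck and the method names are my own; the Win32 constants, structures and GUID are the documented wintrust.h values, and the code targets .NET 3.0 on Windows.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the original Q&A). Verifies an Authenticode
// signature without any UI and additionally requires the signer to be listed
// as a Trusted Publisher. Class and method names are illustrative.
static class TrustedPublisherCheck
{
    // WINTRUST_ACTION_GENERIC_VERIFY_V2: the standard Authenticode policy.
    static readonly Guid ActionGenericVerifyV2 =
        new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");

    const uint WTD_UI_NONE = 2;                  // never display a dialog
    const uint WTD_REVOKE_WHOLECHAIN = 1;        // check revocation for the whole chain
    const uint WTD_CHOICE_FILE = 1;              // pFile points at WINTRUST_FILE_INFO
    const uint WTD_STATEACTION_IGNORE = 0;       // no state handle to close afterwards
    const uint WTD_REVOCATION_CHECK_CHAIN = 0x40; // dwProvFlags companion to WHOLECHAIN

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        public string pcwszFilePath;
        public IntPtr hFile;
        public IntPtr pgKnownSubject;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData;
        public IntPtr pSIPClientData;
        public uint dwUIChoice;
        public uint fdwRevocationChecks;
        public uint dwUnionChoice;
        public IntPtr pFile;
        public uint dwStateAction;
        public IntPtr hWVTStateData;
        public IntPtr pwszURLReference;
        public uint dwProvFlags;
        public uint dwUIContext;
    }

    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);

    // Returns the HRESULT from WinVerifyTrust. 0 (S_OK) means the file hash matches
    // the signature and the signer chains to a trusted root; anything else (e.g.
    // TRUST_E_NOSIGNATURE 0x800B0100, CERT_E_UNTRUSTEDROOT 0x800B0109) is a failure.
    // This does NOT check the Trusted Publishers store.
    public static int VerifySignature(string path)
    {
        WINTRUST_FILE_INFO fileInfo = new WINTRUST_FILE_INFO();
        fileInfo.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO));
        fileInfo.pcwszFilePath = path;

        IntPtr pFileInfo = Marshal.AllocHGlobal((int)fileInfo.cbStruct);
        try
        {
            Marshal.StructureToPtr(fileInfo, pFileInfo, false);

            WINTRUST_DATA data = new WINTRUST_DATA();
            data.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA));
            data.dwUIChoice = WTD_UI_NONE;
            data.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN;
            data.dwUnionChoice = WTD_CHOICE_FILE;
            data.pFile = pFileInfo;
            data.dwStateAction = WTD_STATEACTION_IGNORE;
            data.dwProvFlags = WTD_REVOCATION_CHECK_CHAIN;

            Guid action = ActionGenericVerifyV2;
            // INVALID_HANDLE_VALUE as hwnd tells WinVerifyTrust there is no owner window.
            return WinVerifyTrust(new IntPtr(-1), ref action, ref data);
        }
        finally
        {
            Marshal.DestroyStructure(pFileInfo, typeof(WINTRUST_FILE_INFO)); // frees the marshalled string
            Marshal.FreeHGlobal(pFileInfo);
        }
    }

    // True if the leaf signer certificate of the file is present, by thumbprint, in the
    // Trusted Publishers store of either the local machine or the current user.
    // CreateFromSignedFile only extracts the certificate; it verifies nothing, so this
    // must only be trusted after VerifySignature has succeeded on the same file.
    public static bool IsTrustedPublisher(string path)
    {
        X509Certificate2 signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        StoreLocation[] locations = { StoreLocation.LocalMachine, StoreLocation.CurrentUser };
        foreach (StoreLocation location in locations)
        {
            X509Store store = new X509Store(StoreName.TrustedPublisher, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                if (store.Certificates.Find(X509FindType.FindByThumbprint, signer.Thumbprint, false).Count > 0)
                    return true;
            }
            finally { store.Close(); } // X509Store is not IDisposable on .NET 3.0
        }
        return false;
    }

    // The answer to the question: valid signature AND a Trusted Publisher, with no UI.
    public static bool IsValidAndTrusted(string path)
    {
        return VerifySignature(path) == 0 && IsTrustedPublisher(path);
    }
}
```

Two caveats a practitioner should keep in mind: the two steps open the file separately, so a file that can be rewritten by another principal between the calls is a time-of-check/time-of-use risk (pass the same open handle via hFile in WINTRUST_FILE_INFO and CreateFromSignedFile's overloads if that matters in your environment); and matching on the leaf thumbprint means a publisher's renewed certificate is untrusted until the new one is added to the store, which is usually the intended behaviour for a Trusted Publishers policy.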