Verifying Digital Signatures in Code


Mitchell Vincent

I've recently started signing all EXEs that come out of here. I would
like to verify the signature at startup to detect any changes to the EXE
itself. Is something like that possible?

I'm using VB.NET 2003.
 
Hi Mitchell,

Thanks for your post!

Can you tell me which type of Exe you want to sign? If you want to sign a
.Net assembly, I recommend you use Strong Name technology to get this done.
Strong Name is a built-in security feature for protecting .Net assemblies,
and after signing with Strong Name, the CLR will help you verify the
assembly at loading time. Please refer to the articles below for more
information:
"Cracking .NET Assemblies"
http://www.grimes.demon.co.uk/workshops/fusionWSCrackOne.htm
"Security Briefs: Strong Names and Security in the .NET Framework"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/strongNames.asp

If you want to sign a normal PE file, you can leverage signcode.exe to get
this done; it ships with the Platform SDK.

Below are two articles that describe how to use it to sign a file:
"Digital Signing for ActiveX Components"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon98/html/vbconunderstandingdigitalsigning.asp

"Signing Files and Checking Signatures"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/cryptotools_6cdv.asp

In .Net, you can use the System.Diagnostics.Process class to invoke
signcode.exe from the command line programmatically.

Hope this helps!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Jeffrey said:
Hi Mitchell,

Thanks for your post!

Can you tell me which type of Exe you want to sign? If you want to sign a
.Net assembly, I recommend you use Strong Name technology to get this done.
Strong Name is a built-in security feature for protecting .Net assemblies,
and after signing with Strong Name, the CLR will help you verify the
assembly at loading time. Please refer to the articles below for more
information:

"Signing Files and Checking Signatures"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/cryptotools_6cdv.asp

In .Net, you can use the System.Diagnostics.Process class to invoke
signcode.exe from the command line programmatically.

"We apologize for the inconvenience, but the page you are seeking cannot
be found in this location." - on that last link.

I just want to verify the signature, and was hoping to not have to rely
on signcode.exe (which, by the way, can I ship with my application?).

Thanks!
 
Hi Mitchell,

Thanks for your feedback!

To sign a PE file programmatically, you may leverage the Authenticode
signature capability of CAPICOM 2.0.0.1:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/signedcode.asp

CAPICOM is available to be downloaded here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6

Below are the general steps for signing:
1. Signer.Load --> Loads a signing certificate from a specified PFX file.
2. SignedCode.Sign --> The Sign method creates an Authenticode digital
signature and signs the executable file specified in the
SignedCode.FileName property.
3. Signer.Certificate.PrivateKey.Delete().

Michel Gallant, MVP, has written a sample tool; please refer to the link
below:
"JAuth/Authnet: Authenticode Signature Verification Utilities"
http://www.jensign.com/JavaScience/jauth/

Finally, if you are interested in CAPICOM's capabilities, below is a very
good article:
"Extending .NET Cryptography with CAPICOM and P/Invoke"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/netcryptoapi.asp

Hope this helps!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
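The in-process check Mitchell asked for (verifying the EXE's own Authenticode signature at startup without shelling out to signcode.exe or depending on CAPICOM) can be done from .NET by P/Invoking WinVerifyTrust in wintrust.dll. This is an added example, not code from this thread or from CAPICOM or JAuth; the class name AuthenticodeCheck is my own, DWORD fields are declared as Integer so it compiles on VB.NET 2003, and the caller is assumed to pass the path of its own executable (for instance System.Reflection.Assembly.GetExecutingAssembly().Location).

```vbnet
Imports System
Imports System.Runtime.InteropServices

' In-process Authenticode check through WinVerifyTrust (wintrust.dll); no signcode.exe needed.
Public Class AuthenticodeCheck
    Private Const WTD_UI_NONE As Integer = 2, WTD_REVOKE_NONE As Integer = 0, WTD_CHOICE_FILE As Integer = 1
    Private Const WTD_STATEACTION_VERIFY As Integer = 1, WTD_STATEACTION_CLOSE As Integer = 2
    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
    Private Structure WINTRUST_FILE_INFO
        Public cbStruct As Integer
        <MarshalAs(UnmanagedType.LPWStr)> Public pcwszFilePath As String
        Public hFile As IntPtr, pgKnownSubject As IntPtr
    End Structure
    <StructLayout(LayoutKind.Sequential)> _
    Private Structure WINTRUST_DATA      ' field order must match the native layout exactly
        Public cbStruct As Integer, pPolicyCallbackData As IntPtr, pSIPClientData As IntPtr
        Public dwUIChoice As Integer, fdwRevocationChecks As Integer, dwUnionChoice As Integer
        Public pFile As IntPtr           ' -> WINTRUST_FILE_INFO
        Public dwStateAction As Integer, hWVTStateData As IntPtr, pwszURLReference As IntPtr
        Public dwProvFlags As Integer, dwUIContext As Integer
    End Structure
    <DllImport("wintrust.dll", ExactSpelling:=True)> _
    Private Shared Function WinVerifyTrust(ByVal hwnd As IntPtr, ByRef pgActionID As Guid, _
                                           ByRef pWVTData As WINTRUST_DATA) As Integer
    End Function

    ' Returns 0 (S_OK) when the file carries a valid signature chaining to a trusted root; otherwise
    ' the HRESULT, e.g. TRUST_E_NOSIGNATURE (&H800B0100) or TRUST_E_BAD_DIGEST (&H80096010, file modified).
    Public Shared Function Verify(ByVal path As String) As Integer
        Dim action As New Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE") ' WINTRUST_ACTION_GENERIC_VERIFY_V2
        Dim fileInfo As WINTRUST_FILE_INFO
        fileInfo.cbStruct = Marshal.SizeOf(GetType(WINTRUST_FILE_INFO))
        fileInfo.pcwszFilePath = path
        Dim pFileInfo As IntPtr = Marshal.AllocHGlobal(fileInfo.cbStruct)
        Marshal.StructureToPtr(fileInfo, pFileInfo, False)
        Dim data As WINTRUST_DATA
        data.cbStruct = Marshal.SizeOf(GetType(WINTRUST_DATA))
        data.dwUIChoice = WTD_UI_NONE
        data.fdwRevocationChecks = WTD_REVOKE_NONE
        data.dwUnionChoice = WTD_CHOICE_FILE
        data.pFile = pFileInfo
        data.dwStateAction = WTD_STATEACTION_VERIFY
        Try
            Return WinVerifyTrust(New IntPtr(-1), action, data)   ' -1 = INVALID_HANDLE_VALUE: no UI
        Finally
            data.dwStateAction = WTD_STATEACTION_CLOSE            ' release the provider state handle
            WinVerifyTrust(New IntPtr(-1), action, data)
            Marshal.DestroyStructure(pFileInfo, GetType(WINTRUST_FILE_INFO))
            Marshal.FreeHGlobal(pFileInfo)
        End Try
    End Function
End Class
```

A return value of 0 means the signature verified and the file's digest still matches what was signed, while TRUST_E_BAD_DIGEST is the result you get after the EXE on disk has been altered. Because this checks the file on disk from inside that same file, it detects accidental or post-build modification but is not a substitute for the CLR-enforced strong-name check Jeffrey mentioned for managed assemblies.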
 
Ok, if you need further help, please feel free to give feedback. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
 