Authenticode: Verifying a Signature

1. Verify Signature. You must have the signer's certificate in order to verify the signature of a file. All Authenticode does is recompute the hash value of the file and compare it to the hash value stored in the signature. If the values match, the file has not been tampered with. This does not guarantee that the file is not dangerous, only that it has not changed since it was signed.

To see the importance of installing and trusting the signer's certificate, first try to verify the signature without installing the certificate. To verify a file's signature, use the command signtool verify /v good.dll

The command is described in some detail to provide a better understanding.

  • signtool. the command-line tool that performs signing and verification
  • verify. indicates the action you want to perform
  • /v good.dll. /v asks for verbose output; good.dll specifies the file you want to check for a signature

2. Install Certificate. Navigate to the public certificate, which is in the SDK's installation directory, and double-click it to open the certificate window. Click Import Certificate to open the certificate import wizard and follow the on-screen instructions. You can keep the default settings to import the certificate.

You will be prompted to confirm the installation of the certificate because it was not issued by a CA. Windows asks because, once you install such a certificate, it will automatically trust any certificate issued by this CA, which can lead to dangerous situations if the certificate does not come from a trusted party. Click Yes to install the certificate.

You can now close the certificate window and reopen it to see that the certificate is trusted. This is indicated by the absence of the red X over the certificate image in the upper-left corner of the window.

3. Reverify the Signature. Now you can verify the signature with the same command as before: signtool verify /v good.dll.

4. Verifying a Compromised File. To see how Authenticode behaves when a compromised file's signature is verified, download bad.dll, a copy of the original that was modified after it was signed. Verify the signature on this file with the same command: signtool verify /v bad.dll.

You should see an error message because the hash stored in the original signature no longer matches the hash recomputed from the modified file.
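The four steps above can also be driven from PowerShell, which is useful when you want to check many files or record the result. The script below is an added example, not part of the original tutorial: it uses the built-in Get-AuthenticodeSignature and Import-Certificate cmdlets instead of signtool, and assumes good.dll, bad.dll and the signer's exported certificate (assumed here to be called signer.cer) sit in the current directory.

```powershell
# Added example (not from the original tutorial). Assumed files: .\good.dll,
# .\bad.dll and the signer's public certificate exported as .\signer.cer.

function Show-SignatureStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature recomputes the file hash, compares it with the
    # hash embedded in the signature, and then checks whether the signing
    # certificate chains to a root that this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $verdict = switch ($sig.Status) {
        'Valid'        { 'signature valid and signer trusted' }
        'HashMismatch' { 'file changed after it was signed (hash mismatch)' }
        'NotSigned'    { 'no Authenticode signature present' }
        'NotTrusted'   { 'signature intact but signer certificate not trusted' }
        default        { "check failed: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Verdict = $verdict
    }
}

# Step 1: verify before the signer's certificate is trusted. The hash matches,
# but the chain check fails, so the status is not Valid.
Show-SignatureStatus -Path .\good.dll

# Step 2: trust the signer's certificate (scripted equivalent of the import
# wizard). Storing it in the current user's Trusted Root store (assumed to be
# where the wizard's default placed it) means every certificate it issues will
# be trusted from now on, which is why Windows shows the same confirmation prompt.
Import-Certificate -FilePath .\signer.cer -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Step 3: re-verify; the status should now be Valid.
Show-SignatureStatus -Path .\good.dll

# Step 4: verify the tampered copy. The recomputed hash no longer matches the
# hash stored in the signature, so the status is HashMismatch regardless of
# whether the signer is trusted.
Show-SignatureStatus -Path .\bad.dll
```

Distinguishing HashMismatch from NotTrusted (or an UnknownError whose StatusMessage mentions an untrusted root) is the practical point of the tutorial: the first means the file itself was altered, the second only means your machine has not yet decided to trust the signer.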