digital-signaturecode-signingself-signedauthenticode

Verifying Authenticode with a self-signed certificate


If I have a self-signed certificate that is not in the machine's trusted root certificate store, how can I verify that a PE file is Authenticode-signed using that certificate without adding that certificate to the trusted root store?

C# would be preferred, but an answer in C++ is fine, too.

There are many similar questions already on StackOverflow, but none so far has an answer that is acceptable. It must be Authenticode, and I cannot add it to the certificate store. It also cannot be a purchased certificate, because it needs a longer validity time (irrespective of timestamping).

Other than to copy a huge chunk of the Mono signature check code, I don't know of a solution in Win32 or .NET.


Solution

  • You can start with calling Get-AuthenticodeSignature PowerShell cmdlet checking .Status is Valid or NotTrusted and verifying that .SignerCertificate is actually yours certificate. If you want more customized solution consider inspecting corresponding DLL sources Authenticode.cs. See also a similar question.