Sample code for 30+ languages & platforms
AutoIt

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat AutoIt Downloads

AutoIt
; This example requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.

; You can verify a signed DLL or EXE.
Local $sPath = "c:/someDir/something.dll"

; The verify method returns an overall indicator of whether
; the EXE or DLL can be trusted or not.
; The details of the signature are emitted to the JSON object
; passed in the last argument.

$oJson = ObjCreate("Chilkat.JsonObject")
$oJson.EmitCompact = False

$oValidator = ObjCreate("Chilkat.CodeSign")
Local $bValid = $oValidator.VerifySignature($sPath,$oJson)
If ($bValid = False) Then
    ; Validation failed.
    ConsoleWrite($oValidator.LastErrorText & @CRLF)
    ; You can also examine the details of the validation (see below)
    ConsoleWrite($oJson.Emit() & @CRLF)
    Exit
EndIf

; Examine the details of the Authenticode signature
; println json.Emit();

; An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
; 
; Use this online tool to generate parsing code from sample JSON: 
; Generate Parsing Code from JSON

; {
;   "pkcs7": {
;     "verify": {
;       "peFile": {
;         "hashOid": "2.16.840.1.101.3.4.2.1",
;         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
;       },
;       "certs": [
;         {
;           "issuerCN": "AAA Certificate Services",
;           "serial": "48FC93B46055948D36A7C98A89D69416"
;         },
;         {
;           "issuerCN": "Sectigo Public Code Signing Root R46",
;           "serial": "621D6D0C52019E3B9079152089211C0A"
;         },
;         {
;           "issuerCN": "Sectigo Public Code Signing CA R36",
;           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
;         }
;       ],
;       "digestAlgorithms": [
;         "sha256"
;       ],
;       "signerInfo": [
;         {
;           "cert": {
;             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
;             "issuerCN": "Sectigo Public Code Signing CA R36",
;             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
;             "digestAlgName": "SHA256"
;           },
;           "contentType": "1.3.6.1.4.1.311.2.1.4",
;           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
;           "signingAlgOid": "1.2.840.113549.1.1.1",
;           "signingAlgName": "RSA-PKCSV-1_5",
;           "authAttr": {
;             "1.3.6.1.4.1.311.2.1.12": {
;               "der": "MAA="
;             },
;             "1.2.840.113549.1.9.3": {
;               "name": "contentType",
;               "oid": "1.3.6.1.4.1.311.2.1.4"
;             },
;             "1.3.6.1.4.1.311.2.1.11": {
;               "der": "MAwGCisGAQQBgjcCARU="
;             },
;             "1.2.840.113549.1.9.4": {
;               "name": "messageDigest",
;               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
;             }
;           },
;           "unauthAttr": {
;             "1.3.6.1.4.1.311.3.3.1": {
;               "name": "timestampToken",
;               "der": "MIIXJwY ... QZej",
;               "verify": {
;                 "digestAlgorithms": [
;                   "sha256"
;                 ],
;                 "signerInfo": [
;                   {
;                     "cert": {
;                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
;                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
;                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
;                       "digestAlgName": "SHA256"
;                     },
;                     "contentType": "1.2.840.113549.1.9.16.1.4",
;                     "signingTime": "240117124047Z",
;                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
;                     "signingAlgOid": "1.2.840.113549.1.1.1",
;                     "signingAlgName": "RSA-PKCSV-1_5",
;                     "authAttr": {
;                       "1.2.840.113549.1.9.3": {
;                         "name": "contentType",
;                         "oid": "1.2.840.113549.1.9.16.1.4"
;                       },
;                       "1.2.840.113549.1.9.5": {
;                         "name": "signingTime",
;                         "utctime": "240117124047Z"
;                       },
;                       "1.2.840.113549.1.9.16.2.12": {
;                         "name": "signingCertificate",
;                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
;                       },
;                       "1.2.840.113549.1.9.4": {
;                         "name": "messageDigest",
;                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
;                       },
;                       "1.2.840.113549.1.9.16.2.47": {
;                         "name": "signingCertificateV2",
;                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
;                       }
;                     }
;                   }
;                 ],
;                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
;               },
;               "timestampSignatureVerified": true,
;               "tstInfo": {
;                 "tsaPolicyId": "2.16.840.1.114412.7.1",
;                 "messageImprint": {
;                   "hashAlg": "sha256",
;                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
;                   "digestMatches": true
;                 },
;                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
;                 "genTime": "20240117124047Z"
;               }
;             }
;           }
;         }
;       ],
;       "pkcs7": {
;         "verify": {
;           "certs": [
;             {
;               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
;               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
;             },
;             {
;               "issuerCN": "DigiCert Trusted Root G4",
;               "serial": "073637B724547CD847ACFD28662A5E5B"
;             },
;             {
;               "issuerCN": "DigiCert Assured ID Root CA",
;               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
;             }
;           ]
;         }
;       }
;     }
;   }
; }

Local $sIssuerCN
Local $serial
$oGenTime = ObjCreate("Chilkat.DtObj")
$oDt = ObjCreate("Chilkat.CkDateTime")

; Show the certificates embedded in the PKCS7 signature.
ConsoleWrite("Certificates contained in the PKCS7 signature:" & @CRLF)
Local $i = 0
Local $iCount_i = $oJson.SizeOfArray("pkcs7.verify.certs")
While $i < $iCount_i
    $oJson.I = $i
    $sIssuerCN = $oJson.StringOf("pkcs7.verify.certs[i].issuerCN")
    $serial = $oJson.StringOf("pkcs7.verify.certs[i].serial")
    ConsoleWrite($sIssuerCN & ", " & $serial & @CRLF)
    $i = $i + 1
Wend

; Show details about the signing certificate(s)
Local $iNumSigners = $oJson.SizeOfArray("pkcs7.verify.signerInfo")
$i = 0
While $i < $iNumSigners
    $oJson.I = $i
    ConsoleWrite("---- Signing Certificate ----" & @CRLF)
    ConsoleWrite("serial number: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber") & @CRLF)
    ConsoleWrite("issuerCN: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN") & @CRLF)
    ConsoleWrite("hash algorithm: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName") & @CRLF)
    ConsoleWrite("signing algorithm: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName") & @CRLF)

    ; If this signature includes a timestamp token, get information about it.
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1""") = True) Then
        ; We're going to assume the timestamp token had only 1 signer..
        ConsoleWrite("--- Timestamp Token ----" & @CRLF)
        ConsoleWrite("TS hash algorithm: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.digestAlgorithms[0]") & @CRLF)
        ConsoleWrite("TS certificate serial: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.serialNumber") & @CRLF)
        ConsoleWrite("TS certificate issuerCN: " & $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.issuerCN") & @CRLF)
        ConsoleWrite("timestamp signature verified: " & $oJson.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".timestampSignatureVerified") & @CRLF)
        $oJson.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".tstInfo.genTime",False,$oGenTime)
        $oDt.SetFromDtObj($oGenTime)
        ConsoleWrite("timestamp date/time: " & $oDt.GetAsRfc822(True) & @CRLF)
    EndIf

    $i = $i + 1
Wend

ConsoleWrite("The Authenticode signature is valid." & @CRLF)

; Sample output:

; Certificates contained in the PKCS7 signature:
; AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
; Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
; Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
; ---- Signing Certificate ----
; serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
; issuerCN: Sectigo Public Code Signing CA R36
; hash algorithm: SHA256
; signing algorithm: RSA-PKCSV-1_5
; --- Timestamp Token ----
; TS hash algorithm: sha256
; TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
; TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
; timestamp signature verified: True
; timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
; The Authenticode signature is valid.