Sample code for 30+ languages & platforms
Visual FoxPro

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Visual FoxPro Downloads

Visual FoxPro
LOCAL lcPath
LOCAL loJson
LOCAL loValidator
LOCAL lnValid
LOCAL lcIssuerCN
LOCAL lcSerial
LOCAL loGenTime
LOCAL loDt
LOCAL i
LOCAL lnCount_i
LOCAL lnNumSigners

* This example requires the Chilkat API to have been previously unlocked.
* See Global Unlock Sample for sample code.

* You can verify a signed DLL or EXE.
lcPath = "c:/someDir/something.dll"

* The verify method returns an overall indicator of whether
* the EXE or DLL can be trusted or not.
* The details of the signature are emitted to the JSON object
* passed in the last argument.

loJson = CreateObject('Chilkat.JsonObject')
loJson.EmitCompact = 0

loValidator = CreateObject('Chilkat.CodeSign')
lnValid = loValidator.VerifySignature(lcPath,loJson)
IF (lnValid = 0) THEN
    * Validation failed.
    ? loValidator.LastErrorText
    * You can also examine the details of the validation (see below)
    ? loJson.Emit()
    RELEASE loJson
    RELEASE loValidator
    CANCEL
ENDIF

* Examine the details of the Authenticode signature
* println json.Emit();

* An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
* 
* Use this online tool to generate parsing code from sample JSON: 
* Generate Parsing Code from JSON

* {
*   "pkcs7": {
*     "verify": {
*       "peFile": {
*         "hashOid": "2.16.840.1.101.3.4.2.1",
*         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
*       },
*       "certs": [
*         {
*           "issuerCN": "AAA Certificate Services",
*           "serial": "48FC93B46055948D36A7C98A89D69416"
*         },
*         {
*           "issuerCN": "Sectigo Public Code Signing Root R46",
*           "serial": "621D6D0C52019E3B9079152089211C0A"
*         },
*         {
*           "issuerCN": "Sectigo Public Code Signing CA R36",
*           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
*         }
*       ],
*       "digestAlgorithms": [
*         "sha256"
*       ],
*       "signerInfo": [
*         {
*           "cert": {
*             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
*             "issuerCN": "Sectigo Public Code Signing CA R36",
*             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
*             "digestAlgName": "SHA256"
*           },
*           "contentType": "1.3.6.1.4.1.311.2.1.4",
*           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
*           "signingAlgOid": "1.2.840.113549.1.1.1",
*           "signingAlgName": "RSA-PKCSV-1_5",
*           "authAttr": {
*             "1.3.6.1.4.1.311.2.1.12": {
*               "der": "MAA="
*             },
*             "1.2.840.113549.1.9.3": {
*               "name": "contentType",
*               "oid": "1.3.6.1.4.1.311.2.1.4"
*             },
*             "1.3.6.1.4.1.311.2.1.11": {
*               "der": "MAwGCisGAQQBgjcCARU="
*             },
*             "1.2.840.113549.1.9.4": {
*               "name": "messageDigest",
*               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
*             }
*           },
*           "unauthAttr": {
*             "1.3.6.1.4.1.311.3.3.1": {
*               "name": "timestampToken",
*               "der": "MIIXJwY ... QZej",
*               "verify": {
*                 "digestAlgorithms": [
*                   "sha256"
*                 ],
*                 "signerInfo": [
*                   {
*                     "cert": {
*                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
*                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
*                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
*                       "digestAlgName": "SHA256"
*                     },
*                     "contentType": "1.2.840.113549.1.9.16.1.4",
*                     "signingTime": "240117124047Z",
*                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
*                     "signingAlgOid": "1.2.840.113549.1.1.1",
*                     "signingAlgName": "RSA-PKCSV-1_5",
*                     "authAttr": {
*                       "1.2.840.113549.1.9.3": {
*                         "name": "contentType",
*                         "oid": "1.2.840.113549.1.9.16.1.4"
*                       },
*                       "1.2.840.113549.1.9.5": {
*                         "name": "signingTime",
*                         "utctime": "240117124047Z"
*                       },
*                       "1.2.840.113549.1.9.16.2.12": {
*                         "name": "signingCertificate",
*                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
*                       },
*                       "1.2.840.113549.1.9.4": {
*                         "name": "messageDigest",
*                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
*                       },
*                       "1.2.840.113549.1.9.16.2.47": {
*                         "name": "signingCertificateV2",
*                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
*                       }
*                     }
*                   }
*                 ],
*                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
*               },
*               "timestampSignatureVerified": true,
*               "tstInfo": {
*                 "tsaPolicyId": "2.16.840.1.114412.7.1",
*                 "messageImprint": {
*                   "hashAlg": "sha256",
*                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
*                   "digestMatches": true
*                 },
*                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
*                 "genTime": "20240117124047Z"
*               }
*             }
*           }
*         }
*       ],
*       "pkcs7": {
*         "verify": {
*           "certs": [
*             {
*               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
*               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
*             },
*             {
*               "issuerCN": "DigiCert Trusted Root G4",
*               "serial": "073637B724547CD847ACFD28662A5E5B"
*             },
*             {
*               "issuerCN": "DigiCert Assured ID Root CA",
*               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
*             }
*           ]
*         }
*       }
*     }
*   }
* }

loGenTime = CreateObject('Chilkat.DtObj')
loDt = CreateObject('Chilkat.CkDateTime')

* Show the certificates embedded in the PKCS7 signature.
? "Certificates contained in the PKCS7 signature:"
i = 0
lnCount_i = loJson.SizeOfArray("pkcs7.verify.certs")
DO WHILE i < lnCount_i
    loJson.I = i
    lcIssuerCN = loJson.StringOf("pkcs7.verify.certs[i].issuerCN")
    lcSerial = loJson.StringOf("pkcs7.verify.certs[i].serial")
    ? lcIssuerCN + ", " + lcSerial
    i = i + 1
ENDDO

* Show details about the signing certificate(s)
lnNumSigners = loJson.SizeOfArray("pkcs7.verify.signerInfo")
i = 0
DO WHILE i < lnNumSigners
    loJson.I = i
    ? "---- Signing Certificate ----"
    ? "serial number: " + loJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber")
    ? "issuerCN: " + loJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN")
    ? "hash algorithm: " + loJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName")
    ? "signing algorithm: " + loJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName")

    * If this signature includes a timestamp token, get information about it.
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1"') = 1) THEN
        * We're going to assume the timestamp token had only 1 signer..
        ? "--- Timestamp Token ----"
        ? "TS hash algorithm: " + loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.digestAlgorithms[0]')
        ? "TS certificate serial: " + loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.serialNumber')
        ? "TS certificate issuerCN: " + loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.issuerCN')
        ? "timestamp signature verified: " + STR(loJson.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".timestampSignatureVerified'))
        loJson.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".tstInfo.genTime',0,loGenTime)
        loDt.SetFromDtObj(loGenTime)
        ? "timestamp date/time: " + loDt.GetAsRfc822(1)
    ENDIF

    i = i + 1
ENDDO

? "The Authenticode signature is valid."

* Sample output:

* Certificates contained in the PKCS7 signature:
* AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
* Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
* Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
* ---- Signing Certificate ----
* serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
* issuerCN: Sectigo Public Code Signing CA R36
* hash algorithm: SHA256
* signing algorithm: RSA-PKCSV-1_5
* --- Timestamp Token ----
* TS hash algorithm: sha256
* TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
* TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
* timestamp signature verified: True
* timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
* The Authenticode signature is valid.

RELEASE loJson
RELEASE loValidator
RELEASE loGenTime
RELEASE loDt