Perl
Perl
Verify Authenticode Signature of EXE or DLL
See more Code Signing Examples
Demonstrates how to verify an Authenticode signed EXE or DLL.Note: Chilkat's code signing class was added in v9.5.0.97
Chilkat Perl Downloads
use chilkat();
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# You can verify a signed DLL or EXE.
$path = "c:/someDir/something.dll";
# The verify method returns an overall indicator of whether
# the EXE or DLL can be trusted or not.
# The details of the signature are emitted to the JSON object
# passed in the last argument.
$json = chilkat::CkJsonObject->new();
$json->put_EmitCompact(0);
$validator = chilkat::CkCodeSign->new();
$valid = $validator->VerifySignature($path,$json);
if ($valid == 0) {
# Validation failed.
print $validator->lastErrorText() . "\r\n";
# You can also examine the details of the validation (see below)
print $json->emit() . "\r\n";
exit;
}
# Examine the details of the Authenticode signature
# println json.Emit();
# An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
#
# Use this online tool to generate parsing code from sample JSON:
# Generate Parsing Code from JSON
# {
# "pkcs7": {
# "verify": {
# "peFile": {
# "hashOid": "2.16.840.1.101.3.4.2.1",
# "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
# },
# "certs": [
# {
# "issuerCN": "AAA Certificate Services",
# "serial": "48FC93B46055948D36A7C98A89D69416"
# },
# {
# "issuerCN": "Sectigo Public Code Signing Root R46",
# "serial": "621D6D0C52019E3B9079152089211C0A"
# },
# {
# "issuerCN": "Sectigo Public Code Signing CA R36",
# "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
# }
# ],
# "digestAlgorithms": [
# "sha256"
# ],
# "signerInfo": [
# {
# "cert": {
# "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
# "issuerCN": "Sectigo Public Code Signing CA R36",
# "digestAlgOid": "2.16.840.1.101.3.4.2.1",
# "digestAlgName": "SHA256"
# },
# "contentType": "1.3.6.1.4.1.311.2.1.4",
# "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
# "signingAlgOid": "1.2.840.113549.1.1.1",
# "signingAlgName": "RSA-PKCSV-1_5",
# "authAttr": {
# "1.3.6.1.4.1.311.2.1.12": {
# "der": "MAA="
# },
# "1.2.840.113549.1.9.3": {
# "name": "contentType",
# "oid": "1.3.6.1.4.1.311.2.1.4"
# },
# "1.3.6.1.4.1.311.2.1.11": {
# "der": "MAwGCisGAQQBgjcCARU="
# },
# "1.2.840.113549.1.9.4": {
# "name": "messageDigest",
# "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
# }
# },
# "unauthAttr": {
# "1.3.6.1.4.1.311.3.3.1": {
# "name": "timestampToken",
# "der": "MIIXJwY ... QZej",
# "verify": {
# "digestAlgorithms": [
# "sha256"
# ],
# "signerInfo": [
# {
# "cert": {
# "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
# "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
# "digestAlgOid": "2.16.840.1.101.3.4.2.1",
# "digestAlgName": "SHA256"
# },
# "contentType": "1.2.840.113549.1.9.16.1.4",
# "signingTime": "240117124047Z",
# "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
# "signingAlgOid": "1.2.840.113549.1.1.1",
# "signingAlgName": "RSA-PKCSV-1_5",
# "authAttr": {
# "1.2.840.113549.1.9.3": {
# "name": "contentType",
# "oid": "1.2.840.113549.1.9.16.1.4"
# },
# "1.2.840.113549.1.9.5": {
# "name": "signingTime",
# "utctime": "240117124047Z"
# },
# "1.2.840.113549.1.9.16.2.12": {
# "name": "signingCertificate",
# "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
# },
# "1.2.840.113549.1.9.4": {
# "name": "messageDigest",
# "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
# },
# "1.2.840.113549.1.9.16.2.47": {
# "name": "signingCertificateV2",
# "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
# }
# }
# }
# ],
# "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
# },
# "timestampSignatureVerified": true,
# "tstInfo": {
# "tsaPolicyId": "2.16.840.1.114412.7.1",
# "messageImprint": {
# "hashAlg": "sha256",
# "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
# "digestMatches": true
# },
# "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
# "genTime": "20240117124047Z"
# }
# }
# }
# }
# ],
# "pkcs7": {
# "verify": {
# "certs": [
# {
# "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
# "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
# },
# {
# "issuerCN": "DigiCert Trusted Root G4",
# "serial": "073637B724547CD847ACFD28662A5E5B"
# },
# {
# "issuerCN": "DigiCert Assured ID Root CA",
# "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
# }
# ]
# }
# }
# }
# }
# }
$genTime = chilkat::CkDtObj->new();
$dt = chilkat::CkDateTime->new();
# Show the certificates embedded in the PKCS7 signature.
print "Certificates contained in the PKCS7 signature:" . "\r\n";
$i = 0;
$count_i = $json->SizeOfArray("pkcs7.verify.certs");
while ($i < $count_i) {
$json->put_I($i);
$issuerCN = $json->stringOf("pkcs7.verify.certs[i].issuerCN");
$serial = $json->stringOf("pkcs7.verify.certs[i].serial");
print $issuerCN . ", " . $serial . "\r\n";
$i = $i + 1;
}
# Show details about the signing certificate(s)
$numSigners = $json->SizeOfArray("pkcs7.verify.signerInfo");
$i = 0;
while ($i < $numSigners) {
$json->put_I($i);
print "---- Signing Certificate ----" . "\r\n";
print "serial number: " . $json->stringOf("pkcs7.verify.signerInfo[i].cert.serialNumber") . "\r\n";
print "issuerCN: " . $json->stringOf("pkcs7.verify.signerInfo[i].cert.issuerCN") . "\r\n";
print "hash algorithm: " . $json->stringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName") . "\r\n";
print "signing algorithm: " . $json->stringOf("pkcs7.verify.signerInfo[i].signingAlgName") . "\r\n";
# If this signature includes a timestamp token, get information about it.
if ($json->HasMember("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\"") == 1) {
# We're going to assume the timestamp token had only 1 signer..
print "--- Timestamp Token ----" . "\r\n";
print "TS hash algorithm: " . $json->stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.digestAlgorithms[0]") . "\r\n";
print "TS certificate serial: " . $json->stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.serialNumber") . "\r\n";
print "TS certificate issuerCN: " . $json->stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.issuerCN") . "\r\n";
print "timestamp signature verified: " . $json->BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".timestampSignatureVerified") . "\r\n";
$json->DtOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".tstInfo.genTime",0,$genTime);
$dt->SetFromDtObj($genTime);
print "timestamp date/time: " . $dt->getAsRfc822(1) . "\r\n";
}
$i = $i + 1;
}
print "The Authenticode signature is valid." . "\r\n";
# Sample output:
# Certificates contained in the PKCS7 signature:
# AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
# Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
# Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
# ---- Signing Certificate ----
# serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
# issuerCN: Sectigo Public Code Signing CA R36
# hash algorithm: SHA256
# signing algorithm: RSA-PKCSV-1_5
# --- Timestamp Token ----
# TS hash algorithm: sha256
# TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
# TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
# timestamp signature verified: True
# timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
# The Authenticode signature is valid.