Sample code for 30+ languages & platforms
PureBasic

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat PureBasic Downloads

PureBasic
IncludeFile "CkCodeSign.pb"
IncludeFile "CkDtObj.pb"
IncludeFile "CkJsonObject.pb"
IncludeFile "CkDateTime.pb"

Procedure ChilkatExample()

    ; This example requires the Chilkat API to have been previously unlocked.
    ; See Global Unlock Sample for sample code.

    ; You can verify a signed DLL or EXE.
    path.s = "c:/someDir/something.dll"

    ; The verify method returns an overall indicator of whether
    ; the EXE or DLL can be trusted or not.
    ; The details of the signature are emitted to the JSON object
    ; passed in the last argument.

    json.i = CkJsonObject::ckCreate()
    If json.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkJsonObject::setCkEmitCompact(json, 0)

    validator.i = CkCodeSign::ckCreate()
    If validator.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    valid.i = CkCodeSign::ckVerifySignature(validator,path,json)
    If valid = 0
        ; Validation failed.
        Debug CkCodeSign::ckLastErrorText(validator)
        ; You can also examine the details of the validation (see below)
        Debug CkJsonObject::ckEmit(json)
        CkJsonObject::ckDispose(json)
        CkCodeSign::ckDispose(validator)
        ProcedureReturn
    EndIf

    ; Examine the details of the Authenticode signature
    ; println json.Emit();

    ; An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
    ; 
    ; Use this online tool to generate parsing code from sample JSON: 
    ; Generate Parsing Code from JSON

    ; {
    ;   "pkcs7": {
    ;     "verify": {
    ;       "peFile": {
    ;         "hashOid": "2.16.840.1.101.3.4.2.1",
    ;         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
    ;       },
    ;       "certs": [
    ;         {
    ;           "issuerCN": "AAA Certificate Services",
    ;           "serial": "48FC93B46055948D36A7C98A89D69416"
    ;         },
    ;         {
    ;           "issuerCN": "Sectigo Public Code Signing Root R46",
    ;           "serial": "621D6D0C52019E3B9079152089211C0A"
    ;         },
    ;         {
    ;           "issuerCN": "Sectigo Public Code Signing CA R36",
    ;           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
    ;         }
    ;       ],
    ;       "digestAlgorithms": [
    ;         "sha256"
    ;       ],
    ;       "signerInfo": [
    ;         {
    ;           "cert": {
    ;             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
    ;             "issuerCN": "Sectigo Public Code Signing CA R36",
    ;             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    ;             "digestAlgName": "SHA256"
    ;           },
    ;           "contentType": "1.3.6.1.4.1.311.2.1.4",
    ;           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
    ;           "signingAlgOid": "1.2.840.113549.1.1.1",
    ;           "signingAlgName": "RSA-PKCSV-1_5",
    ;           "authAttr": {
    ;             "1.3.6.1.4.1.311.2.1.12": {
    ;               "der": "MAA="
    ;             },
    ;             "1.2.840.113549.1.9.3": {
    ;               "name": "contentType",
    ;               "oid": "1.3.6.1.4.1.311.2.1.4"
    ;             },
    ;             "1.3.6.1.4.1.311.2.1.11": {
    ;               "der": "MAwGCisGAQQBgjcCARU="
    ;             },
    ;             "1.2.840.113549.1.9.4": {
    ;               "name": "messageDigest",
    ;               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
    ;             }
    ;           },
    ;           "unauthAttr": {
    ;             "1.3.6.1.4.1.311.3.3.1": {
    ;               "name": "timestampToken",
    ;               "der": "MIIXJwY ... QZej",
    ;               "verify": {
    ;                 "digestAlgorithms": [
    ;                   "sha256"
    ;                 ],
    ;                 "signerInfo": [
    ;                   {
    ;                     "cert": {
    ;                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
    ;                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    ;                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    ;                       "digestAlgName": "SHA256"
    ;                     },
    ;                     "contentType": "1.2.840.113549.1.9.16.1.4",
    ;                     "signingTime": "240117124047Z",
    ;                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
    ;                     "signingAlgOid": "1.2.840.113549.1.1.1",
    ;                     "signingAlgName": "RSA-PKCSV-1_5",
    ;                     "authAttr": {
    ;                       "1.2.840.113549.1.9.3": {
    ;                         "name": "contentType",
    ;                         "oid": "1.2.840.113549.1.9.16.1.4"
    ;                       },
    ;                       "1.2.840.113549.1.9.5": {
    ;                         "name": "signingTime",
    ;                         "utctime": "240117124047Z"
    ;                       },
    ;                       "1.2.840.113549.1.9.16.2.12": {
    ;                         "name": "signingCertificate",
    ;                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
    ;                       },
    ;                       "1.2.840.113549.1.9.4": {
    ;                         "name": "messageDigest",
    ;                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
    ;                       },
    ;                       "1.2.840.113549.1.9.16.2.47": {
    ;                         "name": "signingCertificateV2",
    ;                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
    ;                       }
    ;                     }
    ;                   }
    ;                 ],
    ;                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
    ;               },
    ;               "timestampSignatureVerified": true,
    ;               "tstInfo": {
    ;                 "tsaPolicyId": "2.16.840.1.114412.7.1",
    ;                 "messageImprint": {
    ;                   "hashAlg": "sha256",
    ;                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
    ;                   "digestMatches": true
    ;                 },
    ;                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
    ;                 "genTime": "20240117124047Z"
    ;               }
    ;             }
    ;           }
    ;         }
    ;       ],
    ;       "pkcs7": {
    ;         "verify": {
    ;           "certs": [
    ;             {
    ;               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    ;               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
    ;             },
    ;             {
    ;               "issuerCN": "DigiCert Trusted Root G4",
    ;               "serial": "073637B724547CD847ACFD28662A5E5B"
    ;             },
    ;             {
    ;               "issuerCN": "DigiCert Assured ID Root CA",
    ;               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
    ;             }
    ;           ]
    ;         }
    ;       }
    ;     }
    ;   }
    ; }

    issuerCN.s
    serial.s
    genTime.i = CkDtObj::ckCreate()
    If genTime.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    dt.i = CkDateTime::ckCreate()
    If dt.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    ; Show the certificates embedded in the PKCS7 signature.
    Debug "Certificates contained in the PKCS7 signature:"
    i.i = 0
    count_i.i = CkJsonObject::ckSizeOfArray(json,"pkcs7.verify.certs")
    While i < count_i
        CkJsonObject::setCkI(json, i)
        issuerCN = CkJsonObject::ckStringOf(json,"pkcs7.verify.certs[i].issuerCN")
        serial = CkJsonObject::ckStringOf(json,"pkcs7.verify.certs[i].serial")
        Debug issuerCN + ", " + serial
        i = i + 1
    Wend

    ; Show details about the signing certificate(s)
    numSigners.i = CkJsonObject::ckSizeOfArray(json,"pkcs7.verify.signerInfo")
    i = 0
    While i < numSigners
        CkJsonObject::setCkI(json, i)
        Debug "---- Signing Certificate ----"
        Debug "serial number: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].cert.serialNumber")
        Debug "issuerCN: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].cert.issuerCN")
        Debug "hash algorithm: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].cert.digestAlgName")
        Debug "signing algorithm: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].signingAlgName")

        ; If this signature includes a timestamp token, get information about it.
        If CkJsonObject::ckHasMember(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34)) = 1
            ; We're going to assume the timestamp token had only 1 signer..
            Debug "--- Timestamp Token ----"
            Debug "TS hash algorithm: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34) + ".verify.digestAlgorithms[0]")
            Debug "TS certificate serial: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34) + ".verify.signerInfo[0].cert.serialNumber")
            Debug "TS certificate issuerCN: " + CkJsonObject::ckStringOf(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34) + ".verify.signerInfo[0].cert.issuerCN")
            Debug "timestamp signature verified: " + Str(CkJsonObject::ckBoolOf(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34) + ".timestampSignatureVerified"))
            CkJsonObject::ckDtOf(json,"pkcs7.verify.signerInfo[i].unauthAttr." + Chr(34) + "1.3.6.1.4.1.311.3.3.1" + Chr(34) + ".tstInfo.genTime",0,genTime)
            CkDateTime::ckSetFromDtObj(dt,genTime)
            Debug "timestamp date/time: " + CkDateTime::ckGetAsRfc822(dt,1)
        EndIf

        i = i + 1
    Wend

    Debug "The Authenticode signature is valid."

    ; Sample output:

    ; Certificates contained in the PKCS7 signature:
    ; AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
    ; Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
    ; Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
    ; ---- Signing Certificate ----
    ; serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
    ; issuerCN: Sectigo Public Code Signing CA R36
    ; hash algorithm: SHA256
    ; signing algorithm: RSA-PKCSV-1_5
    ; --- Timestamp Token ----
    ; TS hash algorithm: sha256
    ; TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
    ; TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
    ; timestamp signature verified: True
    ; timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
    ; The Authenticode signature is valid.


    CkJsonObject::ckDispose(json)
    CkCodeSign::ckDispose(validator)
    CkDtObj::ckDispose(genTime)
    CkDateTime::ckDispose(dt)


    ProcedureReturn
EndProcedure