Sample code for 30+ languages & platforms
Tcl

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# You can verify a signed DLL or EXE.
set path "c:/someDir/something.dll"

# The verify method returns an overall indicator of whether
# the EXE or DLL can be trusted or not.
# The details of the signature are emitted to the JSON object
# passed in the last argument.

set json [new_CkJsonObject]

CkJsonObject_put_EmitCompact $json 0

set validator [new_CkCodeSign]

set valid [CkCodeSign_VerifySignature $validator $path $json]
if {$valid == 0} then {
    # Validation failed.
    puts [CkCodeSign_lastErrorText $validator]
    # You can also examine the details of the validation (see below)
    puts [CkJsonObject_emit $json]
    delete_CkJsonObject $json
    delete_CkCodeSign $validator
    exit
}

# Examine the details of the Authenticode signature
# println json.Emit();

# An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
# 
# Use this online tool to generate parsing code from sample JSON: 
# Generate Parsing Code from JSON

# {
#   "pkcs7": {
#     "verify": {
#       "peFile": {
#         "hashOid": "2.16.840.1.101.3.4.2.1",
#         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
#       },
#       "certs": [
#         {
#           "issuerCN": "AAA Certificate Services",
#           "serial": "48FC93B46055948D36A7C98A89D69416"
#         },
#         {
#           "issuerCN": "Sectigo Public Code Signing Root R46",
#           "serial": "621D6D0C52019E3B9079152089211C0A"
#         },
#         {
#           "issuerCN": "Sectigo Public Code Signing CA R36",
#           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
#         }
#       ],
#       "digestAlgorithms": [
#         "sha256"
#       ],
#       "signerInfo": [
#         {
#           "cert": {
#             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
#             "issuerCN": "Sectigo Public Code Signing CA R36",
#             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
#             "digestAlgName": "SHA256"
#           },
#           "contentType": "1.3.6.1.4.1.311.2.1.4",
#           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
#           "signingAlgOid": "1.2.840.113549.1.1.1",
#           "signingAlgName": "RSA-PKCSV-1_5",
#           "authAttr": {
#             "1.3.6.1.4.1.311.2.1.12": {
#               "der": "MAA="
#             },
#             "1.2.840.113549.1.9.3": {
#               "name": "contentType",
#               "oid": "1.3.6.1.4.1.311.2.1.4"
#             },
#             "1.3.6.1.4.1.311.2.1.11": {
#               "der": "MAwGCisGAQQBgjcCARU="
#             },
#             "1.2.840.113549.1.9.4": {
#               "name": "messageDigest",
#               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
#             }
#           },
#           "unauthAttr": {
#             "1.3.6.1.4.1.311.3.3.1": {
#               "name": "timestampToken",
#               "der": "MIIXJwY ... QZej",
#               "verify": {
#                 "digestAlgorithms": [
#                   "sha256"
#                 ],
#                 "signerInfo": [
#                   {
#                     "cert": {
#                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
#                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
#                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
#                       "digestAlgName": "SHA256"
#                     },
#                     "contentType": "1.2.840.113549.1.9.16.1.4",
#                     "signingTime": "240117124047Z",
#                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
#                     "signingAlgOid": "1.2.840.113549.1.1.1",
#                     "signingAlgName": "RSA-PKCSV-1_5",
#                     "authAttr": {
#                       "1.2.840.113549.1.9.3": {
#                         "name": "contentType",
#                         "oid": "1.2.840.113549.1.9.16.1.4"
#                       },
#                       "1.2.840.113549.1.9.5": {
#                         "name": "signingTime",
#                         "utctime": "240117124047Z"
#                       },
#                       "1.2.840.113549.1.9.16.2.12": {
#                         "name": "signingCertificate",
#                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
#                       },
#                       "1.2.840.113549.1.9.4": {
#                         "name": "messageDigest",
#                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
#                       },
#                       "1.2.840.113549.1.9.16.2.47": {
#                         "name": "signingCertificateV2",
#                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
#                       }
#                     }
#                   }
#                 ],
#                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
#               },
#               "timestampSignatureVerified": true,
#               "tstInfo": {
#                 "tsaPolicyId": "2.16.840.1.114412.7.1",
#                 "messageImprint": {
#                   "hashAlg": "sha256",
#                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
#                   "digestMatches": true
#                 },
#                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
#                 "genTime": "20240117124047Z"
#               }
#             }
#           }
#         }
#       ],
#       "pkcs7": {
#         "verify": {
#           "certs": [
#             {
#               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
#               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
#             },
#             {
#               "issuerCN": "DigiCert Trusted Root G4",
#               "serial": "073637B724547CD847ACFD28662A5E5B"
#             },
#             {
#               "issuerCN": "DigiCert Assured ID Root CA",
#               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
#             }
#           ]
#         }
#       }
#     }
#   }
# }

set genTime [new_CkDtObj]

set dt [new_CkDateTime]

# Show the certificates embedded in the PKCS7 signature.
puts "Certificates contained in the PKCS7 signature:"
set i 0
set count_i [CkJsonObject_SizeOfArray $json "pkcs7.verify.certs"]
while {$i < $count_i} {
    CkJsonObject_put_I $json $i
    set issuerCN [CkJsonObject_stringOf $json "pkcs7.verify.certs[i].issuerCN"]
    set serial [CkJsonObject_stringOf $json "pkcs7.verify.certs[i].serial"]
    puts "$issuerCN, $serial"
    set i [expr $i + 1]
}

# Show details about the signing certificate(s)
set numSigners [CkJsonObject_SizeOfArray $json "pkcs7.verify.signerInfo"]
set i 0
while {$i < $numSigners} {
    CkJsonObject_put_I $json $i
    puts "---- Signing Certificate ----"
    puts "serial number: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.serialNumber}]"
    puts "issuerCN: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.issuerCN}]"
    puts "hash algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.digestAlgName}]"
    puts "signing algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].signingAlgName}]"

    # If this signature includes a timestamp token, get information about it.
    if {[CkJsonObject_HasMember $json "pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\""] == 1} then {
        # We're going to assume the timestamp token had only 1 signer..
        puts "--- Timestamp Token ----"
        puts "TS hash algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.digestAlgorithms[0]}]"
        puts "TS certificate serial: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.serialNumber}]"
        puts "TS certificate issuerCN: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.issuerCN}]"
        puts "timestamp signature verified: [CkJsonObject_BoolOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".timestampSignatureVerified}]"
        CkJsonObject_DtOf $json "pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".tstInfo.genTime" 0 $genTime
        CkDateTime_SetFromDtObj $dt $genTime
        puts "timestamp date/time: [CkDateTime_getAsRfc822 $dt 1]"
    }

    set i [expr $i + 1]
}

puts "The Authenticode signature is valid."

# Sample output:

# Certificates contained in the PKCS7 signature:
# AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
# Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
# Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
# ---- Signing Certificate ----
# serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
# issuerCN: Sectigo Public Code Signing CA R36
# hash algorithm: SHA256
# signing algorithm: RSA-PKCSV-1_5
# --- Timestamp Token ----
# TS hash algorithm: sha256
# TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
# TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
# timestamp signature verified: True
# timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
# The Authenticode signature is valid.

delete_CkJsonObject $json
delete_CkCodeSign $validator
delete_CkDtObj $genTime
delete_CkDateTime $dt