Sample code for 30+ languages & platforms
Xojo Plugin

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Xojo Plugin Downloads

Xojo Plugin
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// You can verify a signed DLL or EXE.
Dim path As String
path = "c:/someDir/something.dll"

// The verify method returns an overall indicator of whether
// the EXE or DLL can be trusted or not.
// The details of the signature are emitted to the JSON object
// passed in the last argument.

Dim json As New Chilkat.JsonObject
json.EmitCompact = False

Dim validator As New Chilkat.CodeSign
Dim valid As Boolean
valid = validator.VerifySignature(path,json)
If (valid = False) Then
    // Validation failed.
    System.DebugLog(validator.LastErrorText)
    // You can also examine the details of the validation (see below)
    System.DebugLog(json.Emit())
    Return
End If

// Examine the details of the Authenticode signature
// println json.Emit();

// An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
// 
// Use this online tool to generate parsing code from sample JSON: 
// Generate Parsing Code from JSON

// {
//   "pkcs7": {
//     "verify": {
//       "peFile": {
//         "hashOid": "2.16.840.1.101.3.4.2.1",
//         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
//       },
//       "certs": [
//         {
//           "issuerCN": "AAA Certificate Services",
//           "serial": "48FC93B46055948D36A7C98A89D69416"
//         },
//         {
//           "issuerCN": "Sectigo Public Code Signing Root R46",
//           "serial": "621D6D0C52019E3B9079152089211C0A"
//         },
//         {
//           "issuerCN": "Sectigo Public Code Signing CA R36",
//           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
//         }
//       ],
//       "digestAlgorithms": [
//         "sha256"
//       ],
//       "signerInfo": [
//         {
//           "cert": {
//             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
//             "issuerCN": "Sectigo Public Code Signing CA R36",
//             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
//             "digestAlgName": "SHA256"
//           },
//           "contentType": "1.3.6.1.4.1.311.2.1.4",
//           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
//           "signingAlgOid": "1.2.840.113549.1.1.1",
//           "signingAlgName": "RSA-PKCSV-1_5",
//           "authAttr": {
//             "1.3.6.1.4.1.311.2.1.12": {
//               "der": "MAA="
//             },
//             "1.2.840.113549.1.9.3": {
//               "name": "contentType",
//               "oid": "1.3.6.1.4.1.311.2.1.4"
//             },
//             "1.3.6.1.4.1.311.2.1.11": {
//               "der": "MAwGCisGAQQBgjcCARU="
//             },
//             "1.2.840.113549.1.9.4": {
//               "name": "messageDigest",
//               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
//             }
//           },
//           "unauthAttr": {
//             "1.3.6.1.4.1.311.3.3.1": {
//               "name": "timestampToken",
//               "der": "MIIXJwY ... QZej",
//               "verify": {
//                 "digestAlgorithms": [
//                   "sha256"
//                 ],
//                 "signerInfo": [
//                   {
//                     "cert": {
//                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
//                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
//                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
//                       "digestAlgName": "SHA256"
//                     },
//                     "contentType": "1.2.840.113549.1.9.16.1.4",
//                     "signingTime": "240117124047Z",
//                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
//                     "signingAlgOid": "1.2.840.113549.1.1.1",
//                     "signingAlgName": "RSA-PKCSV-1_5",
//                     "authAttr": {
//                       "1.2.840.113549.1.9.3": {
//                         "name": "contentType",
//                         "oid": "1.2.840.113549.1.9.16.1.4"
//                       },
//                       "1.2.840.113549.1.9.5": {
//                         "name": "signingTime",
//                         "utctime": "240117124047Z"
//                       },
//                       "1.2.840.113549.1.9.16.2.12": {
//                         "name": "signingCertificate",
//                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
//                       },
//                       "1.2.840.113549.1.9.4": {
//                         "name": "messageDigest",
//                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
//                       },
//                       "1.2.840.113549.1.9.16.2.47": {
//                         "name": "signingCertificateV2",
//                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
//                       }
//                     }
//                   }
//                 ],
//                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
//               },
//               "timestampSignatureVerified": true,
//               "tstInfo": {
//                 "tsaPolicyId": "2.16.840.1.114412.7.1",
//                 "messageImprint": {
//                   "hashAlg": "sha256",
//                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
//                   "digestMatches": true
//                 },
//                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
//                 "genTime": "20240117124047Z"
//               }
//             }
//           }
//         }
//       ],
//       "pkcs7": {
//         "verify": {
//           "certs": [
//             {
//               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
//               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
//             },
//             {
//               "issuerCN": "DigiCert Trusted Root G4",
//               "serial": "073637B724547CD847ACFD28662A5E5B"
//             },
//             {
//               "issuerCN": "DigiCert Assured ID Root CA",
//               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
//             }
//           ]
//         }
//       }
//     }
//   }
// }

Dim issuerCN As String
Dim serial As String
Dim genTime As New Chilkat.DtObj
Dim dt As New Chilkat.CkDateTime

// Show the certificates embedded in the PKCS7 signature.
System.DebugLog("Certificates contained in the PKCS7 signature:")
Dim i As Int32
i = 0
Dim count_i As Int32
count_i = json.SizeOfArray("pkcs7.verify.certs")
While i < count_i
    json.I = i
    issuerCN = json.StringOf("pkcs7.verify.certs[i].issuerCN")
    serial = json.StringOf("pkcs7.verify.certs[i].serial")
    System.DebugLog(issuerCN + ", " + serial)
    i = i + 1
Wend

// Show details about the signing certificate(s)
Dim numSigners As Int32
numSigners = json.SizeOfArray("pkcs7.verify.signerInfo")
i = 0
While i < numSigners
    json.I = i
    System.DebugLog("---- Signing Certificate ----")
    System.DebugLog("serial number: " + json.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber"))
    System.DebugLog("issuerCN: " + json.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN"))
    System.DebugLog("hash algorithm: " + json.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName"))
    System.DebugLog("signing algorithm: " + json.StringOf("pkcs7.verify.signerInfo[i].signingAlgName"))

    // If this signature includes a timestamp token, get information about it.
    If (json.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1""") = True) Then
        // We're going to assume the timestamp token had only 1 signer..
        System.DebugLog("--- Timestamp Token ----")
        System.DebugLog("TS hash algorithm: " + json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.digestAlgorithms[0]"))
        System.DebugLog("TS certificate serial: " + json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.serialNumber"))
        System.DebugLog("TS certificate issuerCN: " + json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.issuerCN"))
        System.DebugLog("timestamp signature verified: " + Str(json.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".timestampSignatureVerified")))
        Dim success As Boolean
        success = json.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".tstInfo.genTime",False,genTime)
        success = dt.SetFromDtObj(genTime)
        System.DebugLog("timestamp date/time: " + dt.GetAsRfc822(True))
    End If

    i = i + 1
Wend

System.DebugLog("The Authenticode signature is valid.")

// Sample output:

// Certificates contained in the PKCS7 signature:
// AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
// Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
// Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
// ---- Signing Certificate ----
// serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
// issuerCN: Sectigo Public Code Signing CA R36
// hash algorithm: SHA256
// signing algorithm: RSA-PKCSV-1_5
// --- Timestamp Token ----
// TS hash algorithm: sha256
// TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
// TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
// timestamp signature verified: True
// timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
// The Authenticode signature is valid.