locked
Digital Code Signing RRS feed

  • Question

  • Hi,

    I have signed an executable by using the signtool and a certificate with a pfx extension. When I look into the properties of the executable it indeed tells me that it is signed with a digital signature.

    I expect that when I alter the binary, windows will give me a warning message that the binary has been altered. However this does not happen. I did some research myself and found out that I can use the WinVerifyTrust API call to test "myself" at runtime.

    Is this a good approach to prevent altering the binary? The digital signature itself tell's me that the purpose is to protect the software against alteration after publication, however I still need to add code to perform this check.

    Best Regards,

    Thijs


    Wednesday, April 1, 2015 9:57 AM

Answers

  • Perhaps IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY can help.

    Of course, anyone who modifies the executable can just clear that flag. But then again, they could also remove the signature from the file or sign it again with their own key.

    Wednesday, April 1, 2015 2:14 PM

All replies

  • One would expect the Windows operating system to verify the integrity of a signed executable, in other words when a code sign certificate is found, the OS verifies integrity prior to launching said executable.

    Wednesday, April 1, 2015 11:32 AM
  • Perhaps IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY can help.

    Of course, anyone who modifies the executable can just clear that flag. But then again, they could also remove the signature from the file or sign it again with their own key.

    Wednesday, April 1, 2015 2:14 PM
  • Hi,

    Thank you for your help. This linker option /integritycheck indeed will do the trick. However we are currently using visual studio 2008 in which the linker does not support this flag as I get an link error when this flag is set.

    For now we will use the WinVerifyTrust system call which also works under windows xp.

    In the future when we move to the latest visual studio version we will use this /integritycheck option.

    Thursday, April 2, 2015 9:09 AM