locked
Authenticode Signing RRS feed

  • Question

  • Hello,

    I have a question about verifying Authenticode signed .NET assemblies (coming from a code-signing newbie) that I use SignTool.EXE to sign and timestamp.  During install and launch of the application that I have signed, I wish to verify that the files are not only signed, but signed with my original certificate and not "re-signed" by another third party trying to replace one of our assemblies with theirs in an attempt to hack the system. 

    I am calling WinVerifyTrust() API to verify that the file is signed and has not been corrupted.  What I would like to to do after that is to validate that it is my original certificate that signed it and nobody is attempting to insert their assembly and bypass our security by simply signing their code with a different certificate to get past this check.  I would like to do this without hard coding a bunch of values if at all possible.

    Are there any best practices that I should follow in order to do the validation that I need to do? 

    Monday, April 16, 2012 2:30 PM