Archive: Test for a Valid Certificate?

Is there a way (or plugin) to test a digitally signed installer (with a code signing certificate), from within that installer, that the digital signature exists and is valid?

That is, that the file has not been tampered with after it was signed?

I know how to do it visually, by looking at the corresponding Properties tab. Is it possible to do this programmatically from within the installer?

Thanks.


Wouldn't this be a chicken-egg problem? You can't enter the checksum in the installer without changing the installer's checksum...

Though I do seem to recall some signing solutions existing. Maybe someone else knows.


Originally posted by MSG
Wouldn't this be a chicken-egg problem? You can't enter the checksum in the installer without changing the installer's checksum...
Not really a chicken-and-egg because I don't expect to read the installer's checksum for that: The digital certificate is appended and itself includes a stronger hashing of the entire file.

The nice thing about those digital certificates is that if anyone modifies anything inside the file (e.g. infecting it with a virus), one could see immediately from the tab that it is no longer signed by the so-called "verified publisher".

So, all we really need is a way to look at this "tab" and tell go/no-go.

Any idea how to do that?

Originally posted by MSG
You can't enter the checksum in the installer without changing the installer's checksum...
It's not a problem to fix its last four bytes.

There is really no point in doing this; NSIS already checks itself with a CRC (and "pirates" will get around it anyway, or just extract the files without running the installer).

If you really want to do this, call Wintrust::CryptCATAdminCalcHashFromFileHandle (and WTHelperGetProvSignerFromChain or CryptCATAdminEnumCatalogFromHash?) and WinVerifyTrust with the System plugin.

See also:
http://forum.sysinternals.com/forum_posts.asp?TID=19404
http://forum.sysinternals.com/forum_...6893&PID=83634
http://forum.sysinternals.com/forum_posts.asp?TID=19247
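The WinVerifyTrust call the last reply points to, written out as an added NSIS example that is not from this thread or from NSIS itself. It assumes an NSIS 3 installer built as 32-bit with the System plugin available; the cbStruct values (16 for WINTRUST_FILE_INFO, 48 for WINTRUST_DATA) are the 32-bit layout sizes and would differ in an x64 build.

```nsis
; Added example, not from the thread: ask WinVerifyTrust whether the
; running installer ($EXEPATH) carries a valid, intact Authenticode signature.
; Assumption: 32-bit NSIS 3 build, so all struct members are 4 bytes wide.
!include LogicLib.nsh

!define WINTRUST_ACTION_GENERIC_VERIFY_V2 "{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}"
!define WTD_STATEACTION_CLOSE 2

; Leaves the WinVerifyTrust result in $0: 0 means signed and untampered,
; any other value (e.g. TRUST_E_NOSIGNATURE, TRUST_E_BAD_DIGEST) is a reject.
Function VerifySelfSignature
  Push $1
  Push $2
  Push $3
  ; Wide copy of our own path; lives until we free it below.
  System::Call '*(&w1024 "$EXEPATH") p .r1'
  ; WINTRUST_FILE_INFO { cbStruct=16, pcwszFilePath, hFile=NULL, pgKnownSubject=NULL }
  System::Call '*(i 16, p r1, p 0, p 0) p .r2'
  ; WINTRUST_DATA { cbStruct=48, pPolicyCallbackData, pSIPClientData,
  ;   dwUIChoice=WTD_UI_NONE(2), fdwRevocationChecks=WTD_REVOKE_NONE(0),
  ;   dwUnionChoice=WTD_CHOICE_FILE(1), pFile, dwStateAction=WTD_STATEACTION_VERIFY(1),
  ;   hWVTStateData, pwszURLReference, dwProvFlags=WTD_SAFER_FLAG(0x100), dwUIContext }
  System::Call '*(i 48, p 0, p 0, i 2, i 0, i 1, p r2, i 1, p 0, p 0, i 0x100, i 0) p .r3'
  System::Call 'wintrust::WinVerifyTrust(p 0, g "${WINTRUST_ACTION_GENERIC_VERIFY_V2}", p r3) i .r0'
  ; Release the provider state handle (dwStateAction = CLOSE) before freeing memory.
  System::Call '*$3(i, p, p, i, i, i, p, i ${WTD_STATEACTION_CLOSE})'
  System::Call 'wintrust::WinVerifyTrust(p 0, g "${WINTRUST_ACTION_GENERIC_VERIFY_V2}", p r3)'
  System::Free $3
  System::Free $2
  System::Free $1
  Pop $3
  Pop $2
  Pop $1
FunctionEnd

; Go/no-go before any page is shown.
Function .onInit
  Call VerifySelfSignature
  ${If} $0 <> 0
    MessageBox MB_ICONSTOP|MB_OK "This installer is unsigned or has been modified (WinVerifyTrust returned $0)."
    Abort
  ${EndIf}
FunctionEnd
```

A zero result only proves the file is intact and signed by a certificate the machine trusts, not that the signer is your own company; pinning the publisher needs the WTHelperGetProvSignerFromChain route the reply mentions.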