Validating a Code Signing Certificate on a Windows Application


Question

I am trying to programmatically validate a code signing certificate as described in this question from 2014. After following the suggestions, I am still not able to find a consistent working solution to determine when my .exe has been tampered with (i.e. the hash no longer matches).

The WinVerifyTrust method from wintrust.dll is the most accurate; however, I seem to be getting a false positive after my executable has been obfuscated/VM'd. In this scenario, I am getting a result of (int)2148204800 even though the .exe is validly signed and un-tampered with. I am also averse to using Windows API calls as I want the code to be as portable as possible.

The other methods, such as X509Certificate.CreateFromSignedFile().Verify() and the PowerShell method, of course do not validate the exe's hash, so they return true.

Is there any new way that's come about in the last 4 years to validate the hash of the .exe, preferably in pure .NET? I am happy with a solution that simply validates the hash and not the entire certificate (if that's possible).

Recommended answer

If you pull from Mono.Security as a NuGet package, they have a nice AuthenticodeDeformatter class that will verify code signing certificates:

using Mono.Security.Authenticode;

var authenticode = new AuthenticodeDeformatter(Filename); // Filename: path to the signed .exe
authenticode.IsTrusted(); // Should return false if tampered with.
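
For the "validate only the hash" part of the question, the following added example (not part of the original answer and not Mono.Security's code) computes the Authenticode image digest of a PE file in pure .NET, with no P/Invoke. It shows which bytes the digest skips, which is why an ordinary whole-file hash changes when a file is signed while this value does not. The class name `AuthenticodeDigest` is hypothetical, and the code assumes SHA-256 was the signing digest, that the image has a Certificate Table directory entry, and that the signature blob is the last thing in the file.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;
using System.Security.Cryptography;

// Hypothetical helper (name chosen for this example).
static class AuthenticodeDigest
{
    static uint U32(byte[] b, int off) => BinaryPrimitives.ReadUInt32LittleEndian(b.AsSpan(off));

    // Hashes every byte of a PE image except the three regions Authenticode
    // excludes: the CheckSum field, the Certificate Table directory entry,
    // and the certificate table (the signature blob) itself.
    public static byte[] Compute(byte[] pe, HashAlgorithmName alg)
    {
        if (pe.Length < 0x40 || pe[0] != 'M' || pe[1] != 'Z')
            throw new InvalidDataException("not an MZ image");
        long peOff = U32(pe, 0x3C);                       // e_lfanew
        if (peOff > pe.Length - 176 || U32(pe, (int)peOff) != 0x00004550)
            throw new InvalidDataException("no PE header");
        int opt = (int)peOff + 24;                        // start of optional header
        int magic = BinaryPrimitives.ReadUInt16LittleEndian(pe.AsSpan(opt));
        if (magic != 0x10B && magic != 0x20B)
            throw new InvalidDataException("unknown optional header magic");
        int checksum = opt + 64;                          // CheckSum field, 4 bytes
        int certDir = opt + (magic == 0x20B ? 144 : 128); // directory entry 4, 8 bytes
        long certOff = U32(pe, certDir), certLen = U32(pe, certDir + 4);
        bool hasSig = certOff != 0 && certLen != 0;
        // Assumption: the signature blob is the last thing in the file.
        if (hasSig && (certOff < certDir + 8 || certOff + certLen != pe.Length))
            throw new InvalidDataException("unsupported certificate table layout");
        int bodyEnd = hasSig ? (int)certOff : pe.Length;

        using (var h = IncrementalHash.CreateHash(alg))
        {
            h.AppendData(pe, 0, checksum);
            h.AppendData(pe, checksum + 4, certDir - (checksum + 4));
            h.AppendData(pe, certDir + 8, bodyEnd - (certDir + 8));
            return h.GetHashAndReset();
        }
    }

    static void Main(string[] args)
    {
        byte[] digest = Compute(File.ReadAllBytes(args[0]), HashAlgorithmName.SHA256);
        Console.WriteLine(BitConverter.ToString(digest).Replace("-", ""));
    }
}
```

Compare the result with the digest recorded by the signing pipeline, or with the digest stored in the signature's SpcIndirectDataContent; a mismatch means bytes covered by the signature have changed.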
