How to verify an executable against a digital certificate


Problem description






Hi,

I have a .Net executable which I have digitally signed using a certificate generated through makecert.exe and signed using signtool. How can I verify that the exe has not been tampered with, or that it is still using the certificate digitally signed by me?

For example: a situation where anyone can replace the exe which is digitally signed by another certificate and placed into Trusted Root Authorities.

From various internet sources I read that the code below would just check if the certificate is valid:

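using System;
using System.Security.Cryptography.X509Certificates;

// Read the signer certificate embedded in the signed file (executablePath is the path to the exe).
X509Certificate signer = X509Certificate.CreateFromSignedFile(executablePath);
X509Certificate2 certificate = new X509Certificate2(signer);
var certificateChain = new X509Chain
{
    ChainPolicy = {
        RevocationFlag = X509RevocationFlag.EntireChain,
        RevocationMode = X509RevocationMode.Online,
        UrlRetrievalTimeout = new TimeSpan(0, 1, 0),
        VerificationFlags = X509VerificationFlags.NoFlag
    }
};

// Build the certificate chain, checking revocation online for the entire chain.
var chainIsValid = certificateChain.Build(certificate);
if (chainIsValid)
{}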


And it is suggested to use WinVerifyTrust. My question is: WinVerifyTrust would also validate the certificate if the same exe is signed by another certificate deployed in Trusted Root Authorities. How can I associate the exe with my certificate? Or how can WinVerifyTrust be helpful in this situation, as mentioned everywhere? Please help!!

Thanks

What I have tried:

I have already tried using X509Certificate and WinVerifyTrust(). But I don't have much knowledge related to WinVerifyTrust().

Solution

SignTool - Windows applications | Microsoft Docs

