如何检查文件是否具有数字签名 [英] how to check if a file has a digital signature

问题描述

我想以编程方式检查文件是否已进行数字签名。

I'd like to check programatically if a file has been digitally signed or not.

目前，我发现 MSDN中的代码，该代码无法编译...

For the moment, I found a rather obscure code in MSDN, that doesn't compile...

对这个主题有任何想法吗？

Any idea on the subject?

带有命令行的外部工具也很好。

An external tool with command line would also be great, by the way.

推荐答案

答案中提及signtool的重要缺失部分是：

The important missing part of the answer mentioning signtool is:

是，使用众所周知的signtool您也可以找到.exe文件是否经过签名。无需下载其他工具！

Yes, with the well known signtool.exe you can also find out, if a file is signed. No need to download another tool!

例如用简单的行：

signtool verify /pa myfile.exe
if %ERRORLEVEL% GEQ 1 echo This file is not signed.

（要详细列出，请在 / pa之后添加 /v。）

(For verbose out put, add a '/v' after '/pa'.)

一个人可能会问：为什么这很重要？我只是再次签名了要签名的文件，它就可以工作。

One may ask: Why this is important? I just sign the files (again) which shall be signed and it works.

我的目标是保持构建的清洁，不要再次签名，因为

My objective is to keep builds clean, and don't sign files a second time because not only the date is changed, but the is binary different after that.

业务示例：
我的客户拥有简化的自动化开发操作类构建和发布构建过程。对于不同的文件集，有多种来源，最后所有内容都已构建，测试并捆绑到发行版，因此必须对某些文件进行签名。为了确保某些文件不会未经签名就离开本机，我们曾经对所有重要文件进行了签名，即使它们已经签名也是如此。

Business example: My client has a streamlined automated "dev ops" kind build and post build process. There are multiple sources for different file sets, and at the end all is build, tested and bundled to distribution- and for that some files have to be signed. To guarantee that some files don't leave the unit without being signed, we used to sign all important files, even if they were already signed.

但这并不干净足够：

1）如果我们再次对已签名的文件进行签名，则文件日期和二进制指纹会更改，并且如果与文件的来源失去可比性被简单地复制了。
（至少如果您使用时间戳签名，我们经常这样做，我强烈建议这样做。）

1) If we sign a file again, which is already signed, the file date and binary fingerprint changes, and the file looses comparability with it's sources, if it was simply copied. (At least if you sign with a timestamp, which we always do and I think is highly recommended.)

这是严重的质量损失，因为这

This is a severe quality loss, because this file is no longer comparable with it's predecessors from other file source.

2）如果我们再次签名文件，这也可能是错误，它是第三方文件

2) If we sign a file again, this also could be a fault and it is a third party file which shouldn't be signed by your unit.

您可以通过根据前面提到的 signtool verify调用的返回代码将条件本身设为有条件的签名来避免两者。

You can avoid both by making the signing itself conditional depending on the return code of the preceding "signtool verify" call mentioned.

这篇关于如何检查文件是否具有数字签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！