windows go certificate verification

How to read file properties in Go


I'm looking for a way to read the properties of a file so that I can programmatically verify a file came from a specific company. I just want to perform the basic checks such as 'is it signed' and 'who signed it' - the information that you can get when you right-click the file and select 'Digital Signatures'. I can't call any OS specific tool (e.g. signtool --verify) and ideally want to avoid any third party libraries as we have a super strict policy in regards to using them.

This will be initially on Windows using GoLang and will be used to verify some signed msi files. I was thinking I could load one of the OS dlls to help out but not sure which one would be able to provide that information. If someone can point me in the right direction I should be taking in order to solve this problem or provide a short example of something similar that would be great.


Solution

  • It sounds like you want to call WinVerifyTrust, WinVerifyTrustEx, or some similar functionality. Searching for golang WinVerifyTrust, it looks like there exists some example Go code you could reference for invoking the system's wintrust.dll. Assuming you're willing to write code that only works on Windows, that's probably the direction I would recommend.

    From a more cross-platform perspective, you could instead look for OpenSSL wrappers or implementations. Reportedly, Windows PE digital signatures are based on PKCS#7, which OpenSSL should be able to support with enough glue code.
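The PKCS#7 point in the answer above, as an added example that is not part of the original answer: standard-library-only Go that locates the PKCS#7 blob(s) in a PE file's attribute certificate table. It covers PE files rather than the MSI files in the question (MSI stores its signature differently), and the names `ParseCertTable`, `SignatureBlobs` and `sampleTable` are chosen here for illustration.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample table: one PKCS#7-typed entry whose payload is "HELLO".
var sampleTable = []byte("\x0d\x00\x00\x00\x00\x02\x02\x00HELLO\x00\x00\x00")

// ParseCertTable walks WIN_CERTIFICATE entries and returns the PKCS#7 payloads.
func ParseCertTable(tbl []byte) ([][]byte, error) {
	var blobs [][]byte
	for off := uint64(0); off+8 <= uint64(len(tbl)); {
		length := uint64(binary.LittleEndian.Uint32(tbl[off : off+4])) // dwLength, header included
		certType := binary.LittleEndian.Uint16(tbl[off+6 : off+8])     // wCertificateType
		if length < 8 || length > uint64(len(tbl))-off {
			return nil, errors.New("WIN_CERTIFICATE length out of bounds")
		}
		if certType == 0x0002 { // WIN_CERT_TYPE_PKCS_SIGNED_DATA
			blobs = append(blobs, tbl[off+8:off+length])
		}
		off += (length + 7) &^ 7 // entries start on 8-byte boundaries
	}
	return blobs, nil
}

// SignatureBlobs reads the security directory, whose "VirtualAddress" is a file offset.
func SignatureBlobs(image []byte) ([][]byte, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	var dir pe.DataDirectory
	if oh, ok := f.OptionalHeader.(*pe.OptionalHeader64); ok {
		dir = oh.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_SECURITY]
	} else if oh, ok := f.OptionalHeader.(*pe.OptionalHeader32); ok {
		dir = oh.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_SECURITY]
	}
	if dir.Size == 0 || uint64(dir.VirtualAddress)+uint64(dir.Size) > uint64(len(image)) {
		return nil, errors.New("no certificate table inside the file")
	}
	return ParseCertTable(image[dir.VirtualAddress:][:dir.Size])
}

func main() { fmt.Println(ParseCertTable(sampleTable)) }
```

A returned blob shows only that a signature is embedded; deciding who signed the file and whether the chain is trusted still requires WinVerifyTrust or a PKCS#7 verifier.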