We deliver an executable to a client service, which starts this executable in a new process after downloading it from our servers.
The executable is signed (Authenticode) with our company's code-signing certificate, and now I'd like to verify that the downloaded executable is validly signed with this code-signing certificate, to prevent malicious man-in-the-middle attacks.
But currently I can't find any hints on how to verify this without using "signtool.exe" (which isn't available on the client).
The download service on the client is a .NET 4.0 application written in C#. So I'm searching for a way to verify the Authenticode signature of the downloaded file and only proceed if the verification succeeded.
Since this question is from 2015 and I assume you can use .NET Standard 2.0, there is another option available:
using System;
using System.IO;
using Microsoft.Security.Extensions;
...
using (FileStream fs = File.OpenRead(@"c:\test.exe"))
{
    // Reads the embedded Authenticode signature and validates its chain
    FileSignatureInfo sigInfo = FileSignatureInfo.GetFromFileStream(fs);
    Console.WriteLine(sigInfo.State); // SignatureState.SignedAndTrusted
}
Make sure that you add getfilesiginforedistwrapper.dll and the corresponding native DLL for your platform (getfilesiginforedist.dll)!
I've had a look at how Microsoft does this for the PowerShell cmdlet Get-AuthenticodeSignature and found it there 😉
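As an added example (not code from the answer above), the following combines the State check with a thumbprint comparison, so the file is accepted only when the signer is the company's own certificate rather than any certificate that happens to chain to a trusted root. ExpectedThumbprint is a placeholder; X509Certificate.CreateFromSignedFile is the .NET Framework API that extracts the signer certificate from an Authenticode-signed file without validating the signature, which is why the State check stays in place.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Security.Extensions;

static class DownloadVerifier
{
    // Placeholder: replace with the SHA-1 thumbprint of the company's
    // code-signing certificate (constructed value, not a real thumbprint).
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Returns true only if the file carries a signature that chains to a
    // trusted root AND the signer is the pinned company certificate.
    public static bool IsTrustedCompanyBinary(string path)
    {
        using (FileStream fs = File.OpenRead(path))
        {
            FileSignatureInfo sigInfo = FileSignatureInfo.GetFromFileStream(fs);
            if (sigInfo.State != SignatureState.SignedAndTrusted)
                return false; // unsigned, untrusted chain, or tampered content
        }

        // CreateFromSignedFile only extracts the signer certificate; it does
        // not validate the signature, hence the State check above.
        X509Certificate2 signer;
        try
        {
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        }
        catch (CryptographicException)
        {
            return false; // no embedded signer certificate could be read
        }

        // Thumbprint is upper-case hex; compare case-insensitively to be safe.
        return string.Equals(signer.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"c:\test.exe";
        Console.WriteLine(IsTrustedCompanyBinary(path)
            ? "OK: signed by the pinned company certificate"
            : "REJECT: do not start this file");
    }
}
```

Run the check only after the download has been fully written, and start the process from the same verified path in a location the user account cannot modify, so the file that was verified is the file that runs.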