Verify digital signatures of downloaded EXEs and MSUs #8
Labels
enhancement
New feature or request
Comments
|
Also, KB3004394 must be the very first thing installed, after which a reboot is required before doing anything else. The new cert doesn't seem to work until then. Since it's updating |
|
(and yes, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Details
Verifying the digital signature of downloads serves two purposes. One, it ensures that the file has not been tampered with or corrupted. Network corruption happens! I had a friend with a bad NIC who was going crazy until we figured it out. CRC checks are good :)
Two, it ensures that the file is digitally signed by someone and that the certificate is trusted by the system. The file could still have been maliciously replaced, but at least the certificate provides a paper trail.
Here's my code that does this. You'll need to trim the
Native*.csmethods, I just included them as-is from my code right now.VerifySignaturesCode.zip
You can pass
nullforAuthenticode::VerifySignedFile()'sIWin32Window ownerparameter, which is reasonable if passingfalsefor bothshowNegativeUIandshowPositiveUI(which is what I do).You'll also need to make sure KB3004394 is installed. A fresh Win7 SP1 install has an expired Microsoft Root Certificate Authority. Check
crypt32.dll's version as >= 6.1.7601.18700 using the code snippet I posted on Twitter https://twitter.com/rickbrewPDN/status/1408860154792054784The text was updated successfully, but these errors were encountered: