Verify digital signatures of downloaded EXEs and MSUs #8

@rickbrew

Verifying the digital signature of downloads serves two purposes. One, it ensures that the file has not been tampered with or corrupted. Network corruption happens! I had a friend with a bad NIC who was going crazy until we figured it out. CRC checks are good :)

Two, it ensures that the file is digitally signed by someone and that the certificate is trusted by the system. The file could still have been maliciously replaced, but at least the certificate provides a paper trail.

Here's my code that does this. You'll need to trim the Native*.cs methods; I just included them as-is from my code right now.

VerifySignaturesCode.zip

You can pass null for Authenticode::VerifySignedFile()'s IWin32Window owner parameter, which is reasonable if passing false for both showNegativeUI and showPositiveUI (which is what I do).

You'll also need to make sure KB3004394 is installed. A fresh Win7 SP1 install has an expired Microsoft Root Certificate Authority. Check that crypt32.dll's version is >= 6.1.7601.18700 using the code snippet I posted on Twitter: https://twitter.com/rickbrewPDN/status/1408860154792054784
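
The two checks described in this issue, as an added example that is not the issue author's code, not the contents of VerifySignaturesCode.zip and not the snippet from the linked tweet. It assumes a direct P/Invoke of the Win32 `WinVerifyTrust` API with no UI; the class and method names (`DownloadTrustCheck`, `HasUpdatedCrypt32`, `VerifyAuthenticode`) are hypothetical.

```csharp
// Added example, not the issue author's code. Windows only; type and method names are hypothetical.
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
static class DownloadTrustCheck
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO
    {
        public uint cbStruct; public string pcwszFilePath; public IntPtr hFile, pgKnownSubject;
    }

    // Layout without the Windows 8+ pSignatureSettings member, so it also fits Win7 SP1.
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct; public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice; public IntPtr pFile;
        public uint dwStateAction; public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext;
    }

    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid actionId, ref WINTRUST_DATA data);

    // True when crypt32.dll is at least 6.1.7601.18700, the version the issue asks for.
    public static bool HasUpdatedCrypt32()
    {
        var v = FileVersionInfo.GetVersionInfo(Path.Combine(Environment.SystemDirectory, "crypt32.dll"));
        return new Version(v.FileMajorPart, v.FileMinorPart, v.FileBuildPart, v.FilePrivatePart)
            >= new Version(6, 1, 7601, 18700);
    }

    // Returns 0 when the file's Authenticode signature is intact and chains to a trusted
    // root; otherwise a failure HRESULT such as 0x800B0100 (TRUST_E_NOSIGNATURE).
    public static int VerifyAuthenticode(string path)
    {
        var action = new Guid("00AAC56B-CD44-11D0-8CC2-00C04FC295EE"); // WINTRUST_ACTION_GENERIC_VERIFY_V2
        var file = new WINTRUST_FILE_INFO { pcwszFilePath = Path.GetFullPath(path) };
        file.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO));
        IntPtr pFile = Marshal.AllocHGlobal((int)file.cbStruct);
        Marshal.StructureToPtr(file, pFile, false); // copies the path into unmanaged memory
        var data = new WINTRUST_DATA { dwUIChoice = 2 /* WTD_UI_NONE */, dwUnionChoice = 1 /* WTD_CHOICE_FILE */, pFile = pFile };
        data.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA));
        try { return WinVerifyTrust(IntPtr.Zero, ref action, ref data); }
        finally { Marshal.DestroyStructure(pFile, typeof(WINTRUST_FILE_INFO)); Marshal.FreeHGlobal(pFile); }
    }
}
```

Call `HasUpdatedCrypt32()` first and treat any non-zero result from `VerifyAuthenticode()` as a reason to discard the download. A zero result shows the file is intact and signed by a certificate the system trusts, which is the guarantee the issue describes; it does not say who the signer is.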
