How to check if a file has a digital signature

by

The important missing part of the answer mentioning signtool is:

Yes, with the well known signtool.exe you can also find out, if a file is signed. No need to download another tool!

E.g. with the simple line:

signtool verify /pa myfile.exe
if %ERRORLEVEL% GEQ 1 echo This file is not signed.

(For verbose output, add a /v after /pa.)

One may ask: Why this is important? I just sign the files (again) which shall be signed and it works.

My objective is to keep builds clean, and don’t sign files a second time because not only the date is changed, but the is binary different after that.

Business example:
My client has a streamlined automated “dev ops” kind build and post build process. There are multiple sources for different file sets, and at the end all is build, tested and bundled to distribution- and for that some files have to be signed. To guarantee that some files don’t leave the unit without being signed, we used to sign all important files found on the media, even if they were already signed.

But this hasnĀ“t been clean enough ! Generally:

  1. If we sign a file again, which is already signed, the file date and binary fingerprint changes, and the file looses comparability with it’s sources, if it was simply copied.
    (At least if you sign with a timestamp, which we always do and I think is highly recommended.)

This is a severe quality loss, because this file is no longer identical to it’s predecessors although the file itself has not changed.

  1. If we sign a file again, this also could be a fault when it is a third party file which shouldn’t be signed by our company.

You can avoid both by making the signing itself conditional depending on the return code of the preceding signtool verify call mentioned.

More Related Contents:

  1. What happens when a code signing certificate expires?
  2. Convert a CERT/PEM certificate to a PFX certificate
  3. Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
  4. If I revoke an existing distribution certificate, will it mess up anything with existing apps?
  5. Web Browser Certificate Enrollment (CSR Generation) and Certificate Download to Smartcard or USB Token
  6. SAML: Why is the certificate within the Signature?
  7. “Warning: unable to build chain to self-signed root for signer” warning in Xcode 9.2
  8. Code Sign error: The identity ‘iPhone Developer: x Xxxxx’ doesn’t match any identity in any profile
  9. Convert pfx format to p12
  10. How to find out the path for OpenSSL trusted certificates?
  11. RegEx to remove key and certificate headers and footers [duplicate]
  12. Getting Chrome to accept self-signed localhost certificate
  13. why doesn’t java send the client certificate during SSL handshake?
  14. How can I deploy an iPhone application from Xcode to a real iPhone device?
  15. How are ssl certificates verified?
  16. OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE [closed]
  17. How can I get a list of trusted root certificates in Java?
  18. Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication
  19. Verify a certificate chain using openssl verify
  20. Cannot install signed apk to device manually, got error “App not installed”
  21. Convert PEM traditional private key to PKCS8 private key
  22. The code signature version is no longer supported
  23. android webview with client certificate
  24. How to determine SSL cert expiration date from a PEM encoded certificate?
  25. SSL certificate is not trusted – on mobile only [closed]
  26. Wrong version of keystore on android call
  27. Invalid iPhone Application Binary
  28. Could not create SSL/TLS secure channel – Could the problem be a proxy server?
  29. How to use ldid?
  30. How to sign a .NET Assembly DLL file with a Strong Name? [duplicate]

Leave a Comment