Hi,
I have a .Net executable which I have digitally signed using a certificate generated through makecert.exe and signed using signtool. How to verify that exe has not been tampered or it is still using the certificate digitally signed by me.
For ex - A situation where anyone can replace the exe which is digitally signed by another certificate and placed into Trusted Root Authorities.
From various internet sources I read that the below code would just check if the certificate is valid
X509Certificate signer = X509Certificate.CreateFromSignedFile(executablePath);
X509Certificate2 certificate = new X509Certificate2(signer);
var certificateChain = new X509Chain
{
ChainPolicy = {
RevocationFlag = X509RevocationFlag.EntireChain,
RevocationMode = X509RevocationMode.Online,
UrlRetrievalTimeout = new TimeSpan(0, 1, 0),
VerificationFlags = X509VerificationFlags.NoFlag
}
};
var chainIsValid = certificateChain.Build(certificate);
if (chainIsValid)
{}
And it is suggested to use WinVerifyTrust. My question is WinVerifyTrust would also validate the certificate, if the same exe is signed by another certificate deployed in Trusted Root Authorities. How can I associate the exe with my certificate? Or how the WinVerifyTrust can be helpful in this situation as mentioned everywhere? Please help!!
Thanks
What I have tried:
I have already tried using X509Certificate and WinVerifyTrust(). But I don't have much knowledge related to WinVerifyTrust()
Submit an article or tip