How to Verify Software Digital Signature with SignTool, Scripts, or Advanced Installer

Written by Alex Marin · November 8th, 2024 · 5min read

Ensuring the integrity and authenticity of software is essential for maintaining security and user trust. Digital signatures provide a reliable method for verifying the origin and integrity of files, helping to prevent tampering and unauthorized modifications.

This article explains the importance of digital signatures, details how to use Microsoft’s SignTool to verify them, and outlines how Advanced Installer simplifies the process of digitally signing installation packages.

Additionally, it provides script examples in PowerShell, Batch, and VBScript to check if a file is digitally signed.

Understanding Digital Signatures

A digital signature is a cryptographic method that verifies the authenticity and integrity of a digital file or document. It assures the recipient that the file has not been altered since it was signed and confirms the identity of the signer.

Digital signatures are vital in various applications, including software distribution, electronic transactions, and secure communications.

Digital signatures are essential for several reasons:

  • Integrity: They ensure the file has not been altered since it was signed.
  • Authentication: They verify the identity of the sender.
  • Non-repudiation: They prevent the signer from denying the authenticity of the signed document.

Digital signatures are especially crucial for certain applications like MSIX packages, which valid digital signatures to be installed. They also minimize security prompts from User Account Control (UAC) in Windows, enhancing the user experience.

To verify or apply digital signatures, various tools and utilities are available. One widely used tool for this purpose is Microsoft's SignTool.

Using Microsoft SignTool to Verify a File Signature

Microsoft's SignTool is a command-line tool used to digitally sign files, verify signatures, and timestamp files.

Setup Instructions:

- Download and install the Windows Software Development Kit (SDK), which includes the SignTool.exe utility.

This tool is specifically designed for digitally signing files. If you haven't installed the SDK yet, you can get it from the official Microsoft website and opt for only the signing tools to keep the installation lightweight.

Microsoft Signtool for Desktop Apps

- Locate the SignTool.exe utility, typically found under C:\Program Files (x86)\Windows Kits\10\bin\VERSION\x64\.

With the utility ready, open a command prompt with administrative privileges, navigate to the directory containing your file, and use the SignTool.exe command to verify your file signature.

Here’s an example of the command to verify a file signature:

signtool verify /pa myfile.exe

This checks the digital signature of myfile.exe using the specified verification policy.

Microsoft SignTool check software signature

Verifying Digital Signatures Using PowerShell, Batch, and VBScript

We can create simple scripts in different programming languages to check whether a software file has a digital signature. Below are examples of PowerShell, Batch, and VBScript.

Using PowerShell Script to Verify a Digital Signature

PowerShell provides a straightforward way to verify a digital signature:

$filename = "C:\path\to\your\file.exe"
$signed = Get-AuthenticodeSignature $filename
if ($signed.Status -eq 'Valid') {
	Write-Output "File is signed."
} else {
	Write-Output "File is not signed."
}

Using Batch Script to Verify a Digital Signature

For those who prefer using batch files, the following script will check if a file is signed:

@echo off
setlocal
set file="C:\path\to\your\file.exe"
signtool verify /pa %file%
if %ERRORLEVEL% equ 0 (
	echo File is signed.
) else (
	echo File is not signed.
)
endlocal

Using VBScript to Verify a Digital Signature

VBScript is still widely used in certain environments, and the script below can help with signature verification:

Set objShell = CreateObject("WScript.Shell")
Set objExec = objShell.Exec("signtool verify /pa C:\path\to\your\file.exe")
Do While Not objExec.StdOut.AtEndOfStream
	strLine = objExec.StdOut.ReadLine()
	If InStr(strLine, "Successfully verified") > 0 Then
    	WScript.Echo "File is signed."
    	Exit Do
	End If
Loop
If InStr(strLine, "Successfully verified") = 0 Then
	WScript.Echo "File is not signed."
End If

Each of these scripts will verify whether a file is digitally signed and provide an output indicating the result.

Digital Signing with Advanced Installer

While using command-line tools and scripts can effectively verify digital signatures, the process of digitally signing files during software development can be streamlined with Advanced Installer.

Advanced Installer simplifies the digital signing process for your EXE packages by offering built-in signing options. It offers multiple options, including:

  • Using an existing certificate from your certificate store.
  • Using a certificate from a disk file (.cer, .pfx).
  • Trusted Signing.
  • Azure Key Vault.
  • Device Guard.

TipCheck out our comprehensive overview of digital signing options and integrations provided by Advanced Installer.

Advanced Installer Digital Signature options

Using a Certificate from the Certificate Store

If you already have a digital certificate, import it into your personal certificate store.

Advanced Installer will automatically detect it, and you can select it directly from the Digital Signature page.

This streamlines the signing process, as the selected certificate is applied during the build.

Certificate Store in Advanced Installer

Using a Certificate from a File

For those who prefer not to import their certificate into the store, Advanced Installer offers the option to use a certificate file directly.

Navigate to the Digital Signature page, select “Use file from disk,” and choose the certificate file (.cer or .pfx). Once selected, proceed to the build process, and your EXE installer will be signed.

Run certificate from disk in Advanced Installer

After selecting your preferred method, click the Build icon in the upper left corner of the interface.

During the build process, Advanced Installer will automatically sign your EXE installer with the chosen certificate.

Conclusion

Verifying and applying digital signatures is crucial for maintaining software integrity and user trust, ensuring that content is secure and originates from a verified source.

While Microsoft's SignTool and simple scripts in PowerShell, Batch, or VBScript offer effective ways to check digital signatures, Advanced Installer simplifies the process further.

By integrating robust signing options directly into the build workflow, Advanced Installer helps developers maintain high-security standards with minimal effort, ensuring their software is trusted and protected.

NoteEnhance your software security with Advanced Installer's seamless digital signing capabilities.
Start your free 30-day trial today.

Written by
See author's page
Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.

Comments: