What is "code signed" and how can I test it?

ChrisGreaves
Posts: 697
Joined: Wed Jan 05, 2022 9:29 pm

What is "code signed" and how can I test it?

Post by ChrisGreaves »

I searched for Topics and found none; so this is a first topic for "code signed"
I then searched in message text and topics and found 13 matches, none of which appeared to define "code signed", so ...
Please and thank you.
I suspect that "code signed" refers to a testable certificate of some kind that guarantees that I have downloaded, or even installed, a genuine copy of the Everything.exe and its attendant suite of EXEs and DLLs.

But how would someone with an existing installation test their existing EXEs and DLLS?

Thanks, Chris
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: What is "code signed" and how can I test it?

Post by raccoon »

ChrisGreaves wrote: Wed Feb 15, 2023 6:57 pm How would someone with an existing installation test their existing EXEs and DLLS?
Right-click the exe/dll and select Properties, then click the Digital Signatures tab.

explorer_MLitvKSt13.png (25.65 KiB) Viewed 5074 times
ChrisGreaves
Posts: 697
Joined: Wed Jan 05, 2022 9:29 pm

Re: What is "code signed" and how can I test it?

Post by ChrisGreaves »

raccoon wrote: Wed Feb 15, 2023 7:33 pm Right-click the exe/dll and select Properties, then click the Digital Signatures tab.
Untitled.png (17.03 KiB) Viewed 5069 times
Thanks Raccoon.
I can see how to display data from a digital signature, but how would someone with an existing installation test their existing EXEs and DLLS?
From my humble (but perhaps scared, doubtful, apprehensive) position as a novice user, what does the yellow-circled data tell me?

As a very-slightly above novice, I have learned that SHA256 is a technique used to create a signature, and I see that SHA256 was used to create that signature. And that "voidtools" appears to have signed the Digital Signature.
But as a seasoned manipulator of binary data (a long time ago) I am thinking "I could hijack that display by making a modification to that part of the EXE that shows "voidtools" and "SHA256" and "February-05-23 9:22:4(0?)" to Windows."

I see no value that would guarantee to you or to Void that the EXE had not been cobbled in some way?

I am missing something obvious, but that display is, to me, equivalent to someone telling me "Chris, The EXE is signed", without telling me how I would truly know that it was, or wasn't, bearing the original signature.
Thanks, Chris
NotNull
Posts: 5517
Joined: Wed May 24, 2017 9:22 pm

Re: What is "code signed" and how can I test it?

Post by NotNull »

When some code -- usually an .exe or .dll file -- is signed, it can no longer be tampered with without alarm bells going off. You will get an error message "This program doesn't run on this PC" or something alike.
Code signing adds some checksum to the program which is checked on startup of this program.

You need a code signing certificate to, well, sign your code. This is quite expensive ( $500 per year from memory)
This also requires some personal checks (can't find the right English term) before you get one.
The price will prevent simple script-kiddies from signing their code; "professional" malware writers can be easily traced back due to the personal information given.
This should make signed applications extra trustworthy.


One way to check:
- Right-click the executable
- Select Properties
- See if there is a Digital Signatures tab.
This will show who signed the code.
If there is no such tab, the code is unsigned.


Another way:
- Right-click the executable
- Select Run as administrator
- The UAC (User Account Control) dialog will pop up.

If the application is signed it will say Verified publisher = ...
If not, it will say Publisher unknown

An even easier way is to check the background color of the UAC header:
If it is blue, it is signed; if it is orange, it is not.
BTW: Windows 11 messed up this color scheme: Signed= non-descript grey; Unsigned=nondescript ... brown (?)

(Now you can select NO in the UAC dialog; no need to run the application elevated)

TIP:
A quick way to start a program "As administrator" in Everything 1.5 is by pressing 'CTRL + SHIFT + ENTER' on that file.
NotNull
Posts: 5517
Joined: Wed May 24, 2017 9:22 pm

Re: What is "code signed" and how can I test it?

Post by NotNull »

I just created a "TamperedEverything.exe".
This exe no longer has the Digital Signatures tab under Properties and was marked as "Publisher unknown" in the UAC dialog.

BTW: The actual error message you get is "This app can't run on your PC". I was close ...
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: What is "code signed" and how can I test it?

Post by raccoon »

ChrisGreaves wrote: Wed Feb 15, 2023 7:46 pm Thanks Raccoon.
I can see how to display data from a digital signature, but how would someone with an existing installation test their existing EXEs and DLLS?
I see no value that would guarantee to you or to Void that the EXE had not been cobbled in some way?
You can test the certificate by selecting it from the list, and click the Details button.
It should say "This digital signature is OK" if valid.
You can further click View Certificate and it should tell you more information about the certificate IF it is valid.
If the certificate is invalid, it will say "The digital signature of the object did not verify."

Valid certificate of Everything64.exe

notepad_89e4FNDIgN.png (74.93 KiB) Viewed 5057 times
---

And an invalid certificate of Everything64.exe that I edited in a Hex Editor.
(I changed the text string "E&xit" to "Q&uit" at offset 0x3CC7D0 of 1336a)

notepad_PYtEnFYS0w.png (73.26 KiB) Viewed 5057 times
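
The check described above through the Details dialog can also be run from PowerShell over every EXE and DLL in an installation folder. This is an added example, not part of any forum post; the install path and the assumption that `voidtools` appears in the certificate subject are placeholders to adjust.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 3.0 or later.
param(
    # Assumed install location; point this at your own Everything folder.
    [string]$InstallDir = 'C:\Program Files\Everything',
    # Publisher name shown in the thread's signature dialog; assumed to appear
    # in the signing certificate's subject.
    [string]$ExpectedSigner = 'voidtools'
)

$report = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        # Windows re-hashes the file, compares the result with the hash covered
        # by the signature, and validates the certificate chain. The publisher
        # name alone proves nothing; the Status value is the actual test.
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert    = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '' }

        $verdict = switch ($sig.Status) {
            'Valid' {
                if ($subject -like "*$ExpectedSigner*") { 'OK' }
                else { 'VALID, UNEXPECTED SIGNER' }
            }
            'NotSigned'    { 'UNSIGNED' }
            'HashMismatch' { 'MODIFIED AFTER SIGNING' }
            default        { "FAILED ($($sig.Status))" }
        }

        [pscustomobject]@{
            Verdict     = $verdict
            File        = $_.FullName
            Signer      = $subject
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

# Problem files sort to the top of the table.
$report | Sort-Object { $_.Verdict -eq 'OK' }, File | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled task or script react to any failure.
if ($report | Where-Object { $_.Verdict -ne 'OK' }) { exit 1 }
```

A file edited after signing, like the hex-edited Everything64.exe above, reports `HashMismatch` here, while a file with the signature stripped reports `NotSigned`.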
ChrisGreaves
Posts: 697
Joined: Wed Jan 05, 2022 9:29 pm

Re: What is "code signed" and how can I test it?

Post by ChrisGreaves »

NotNull wrote: Wed Feb 15, 2023 8:05 pm You need a code signing certificate to, well, sign your code. This is quite expensive ( $500 per year from memory)
This also requires some personal checks (can't find the right English term) before you get one.
Thanks for this further information. I think the $500 would not deter a professionally malicious person, but I agree it might deter bored teenagers.
- Right-click the executable
- Select Run as administrator
- The UAC (User Account Control) dialog will pop up.
Not in my case, perhaps because I continue to limp along on this Win7 laptop.
TIP: A quick way to start a program "As administrator" in Everything 1.5 is by pressing 'CTRL + SHIFT + ENTER' on that file.
Now this tip is worth my subscription to Voidtools forum!

Cheers, Chris
ChrisGreaves
Posts: 697
Joined: Wed Jan 05, 2022 9:29 pm

Re: What is "code signed" and how can I test it?

Post by ChrisGreaves »

raccoon wrote: Wed Feb 15, 2023 8:30 pm
ChrisGreaves wrote: Wed Feb 15, 2023 7:46 pm I see no value that would guarantee to you or to Void that the EXE had not been cobbled in some way?
You can test the certificate by selecting it from the list, and click the Details button.
Thank you Raccoon.
I was fatigued and didn't see or think to follow that "Details" and "Advanced" trail.
Untitled.png (54.12 KiB) Viewed 5023 times
.
Now I see lots of data that I don't understand, but at least I can see that there is data there!
Thanks again.
Chris
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: What is "code signed" and how can I test it?

Post by raccoon »

ChrisGreaves wrote: Thu Feb 16, 2023 2:40 pm
NotNull wrote: Wed Feb 15, 2023 8:05 pm TIP: A quick way to start a program "As administrator" in Everything 1.5 is by pressing 'CTRL + SHIFT + ENTER' on that file.
Now this tip is worth my subscription to Voidtools forum!
BTW, this trick also works in Windows Explorer. Ctrl+Shift+Enter or Ctrl+Shift+DoubleClick to Run As Admin.
NotNull
Posts: 5517
Joined: Wed May 24, 2017 9:22 pm

Re: What is "code signed" and how can I test it?

Post by NotNull »

Not here.
It is available in the Run box ('WIN + R') and on the taskbar.
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: What is "code signed" and how can I test it?

Post by raccoon »

I expect you must have an AutoHotkey script or Other Commander program that's overriding this hotkey for you.