How to verify Digital Signatures of programs in Windows
Software developers and companies may sign the programs they develop or distribute. The signature is used to validate the integrity of a program, that is, to ensure that it has not been altered after it was signed.
The following guide lists several methods to verify digital signatures of programs on a computer running Windows.
Using Explorer
You can display and verify the signature of any program on Windows using Explorer.
Step 1: Right-click on the program that you want to check and select Properties from the context menu that is displayed.
Step 2: Select the Digital Signatures tab in the Properties window.
Step 3: If you see signatures listed on the tab, you know that the file has been signed digitally. Double-click on one of the signatures to display further information.
Windows lists the signer information and countersignatures in the window that opens. You may click on View Certificate to display the certificate, or click on the Advanced tab to display signature details as well.
Windows tells you whether the "digital signature is ok" or not.
Verify the signature of files using SignTool
SignTool is a Microsoft program that is included in the Windows SDK. It is not included with Windows itself and needs to be added to the system by installing the Windows SDK.
Note: The download has a size of about 2.5 Gigabytes if you download the Windows 10 SDK. It will install all sorts of files on the system that you don't require if you don't develop Windows programs.
The installer installs signtool.exe in the following locations:
- C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
- C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
Use the following commands to verify signatures:
- SignTool verify program.exe -- Defaults to the Windows driver policy for verification.
- SignTool verify /pa program.exe -- Use this to verify code-signing certificates.
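The check above can be scripted for several files at once. The following PowerShell function is an added example, not part of the original article: it always runs the built-in Get-AuthenticodeSignature cmdlet and additionally runs `SignTool verify /pa` when SignTool is found in one of the install locations listed above. The function name Test-FileSignature and the Downloads folder in the usage lines are assumptions.

```powershell
function Test-FileSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    begin {
        # Install locations as listed in the article; use the first that exists.
        $signTool = @(
            'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe',
            'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'
        ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    }
    process {
        $file = (Resolve-Path -LiteralPath $Path).ProviderPath

        # Built-in check; needs no SDK. SignatureType is available in
        # Windows PowerShell 5.1 and later.
        $sig = Get-AuthenticodeSignature -LiteralPath $file

        $signToolResult = 'not installed'
        if ($signTool) {
            # /pa = default authentication (code-signing) policy, /q = quiet.
            & $signTool verify /pa /q $file *> $null
            # Documented exit codes: 0 success, 1 failure, 2 warnings.
            $signToolResult = switch ($LASTEXITCODE) {
                0       { 'verified' }
                2       { 'completed with warnings' }
                default { 'failed' }
            }
        }

        [pscustomobject]@{
            File        = $file
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Type        = $sig.SignatureType     # Authenticode (embedded) or Catalog
            Signer      = $sig.SignerCertificate.Subject
            Timestamped = [bool]$sig.TimeStamperCertificate
            SignTool    = $signToolResult
        }
    }
}

# Hypothetical usage: list every .exe in the Downloads folder whose
# signature did not validate (unsigned files show up as NotSigned).
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-FileSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```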
Use the DigiCert Certificate Utility to verify signatures
You may download the DigiCert Certificate Utility for Windows to check application signatures on the operating system.
- Run the program after download. It does not need to be installed.
- Accept the terms of use displayed on start.
- On the "Code Signing" tab, select "check signature" in the header.
- Select the program that you want to check using the file browser that opens.
- DigiCert checks the signature and displays information in an extra window.
- It checks whether the file was signed and if the signature validated.
- It checks the timestamp of the signature.
If you get green checkmarks for both checks, verification was successful.
Closing Words
While most Windows users may have no need to verify the signature of programs, it may be useful to developers, researchers and advanced Windows users.
Most digital signatures in system files in Windows 10 and later are in catalog files; to check them with signtool add the /a option. e.g.:
SignTool verify /pa /a program.exe
Right clicking on downloaded files Cygwin setup-x86_64, setup-x86_64.exe, or zim-desktop-wiki-0.73.5-setup-w64_x86; Selecting Properties, and there is no digital signatures tab. Cygwin does supply a .sig file though. I’m completely lost as to how to verify programs that I download into Windows 10. No issues using Fedora but how do I verify downloads in Win 10?
Hi Martin,
There is no “Digital Signatures” tab in the properties of a file when using W10.
I use certutil.exe to verify the MD5, SHA1 or SHA256 hash after a download and compare it with the source.
certutil -hashfile <file> SHA256
Greetz
Forget about my question re: running Sigcheck please. I figured it out.
@Martin,
There appears to be a vulnerability in .msi files whereby malware can be appended to the original file and yet the latter will still retain its digital signature according to the VirusTotal blog at: https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html
Worse still, it would appear from the second to last paragraph that Microsoft doesn’t intend to fix the problem in “current versions” of Windows which presumably includes W10.
I was trying to use Sigcheck today but the command prompt window closes instantly as soon as the app is run. Any ideas on that aspect?
Hey, Martin, could you do a “how to verify Tor browser bundles” article? Particularly for Ubuntu linux. I can never seem to quite understand it.
“Select the Digital Signatures tab in the Properties window.” ...??
Cannot find this tab in my latest Win10!! How can ...??
Did you right-click an executable file?
Yes, on some exes it’s present indeed, but not on all exe files...!
Martin, you reported back in 2014 about the files & folder check program SigcheckGUI, and the website is still up and running. Do you think this program will work (it did with Windows 7) with Windows 10?
And are the problems resolved that you mentioned back in 2014: “The Virustotal scanning did not work correctly during tests? When enabled, it would not display any information about the file besides its name. What weights, even more, is the fact that the program opened the Virustotal TOS for each file that you have added to the application. It did open the site 48 times for instance during a test when I selected to scan all running processes.”
https://www.ghacks.net/2014/09/11/check-windows-folders-for-file-signatures-with-sigcheckgui/
Paulus, the issue with Virustotal is resolved. The program works just fine under Windows 10.
Thanks, Martin!
I hate how they make it difficult to get those standalone SDK exe’s, they are useful but who wants to install all that to get a few 100K exe’s, I wish they would make them available separately like SysInternals.
Agreed, lots of people search for individual executable files they would like to use.
Someone should break them into their individual exe’s and upload them, then people can verify the digital signatures of the exe’s using……. oh wait
Maybe a working solution:
– Download winsdksetup.exe
– Run winsdksetup.exe
– Choose option 2 “… for installation on a separate computer.”
– Install to the path you prefer. You will get a folder called “Windows Kits”
– Following the path … / Windows Kits / 10 / WindowsSDK / … you’ll get to a folder called “Installers”
– Here you’ll find the individual files you’re looking for…