How to verify Digital Signatures of programs in Windows

Martin Brinkmann
Apr 16, 2018
Windows
|
16

Software developers and companies may sign software programs they develop or distribute which is used to validate the integrity of the program to ensure that it has not been altered after it has been signed.

The following guide lists several methods to verify digital signatures of programs on a computer running Windows.

Using Explorer

You can display and verify the signature of any program on Windows using Explorer.

Step 1: Right-click on the program that you want to check and select properties from the context menu that is displayed.

Step 2: Select the Digital Signatures tab in the Properties window.

digital signatures

Step 3: If you see signatures listed on the tab, you know that the file has been signed digitally. Double-click on one of the signatures to display further information.

signature details

Windows lists the signer information and countersignatures in the window that opens. You may click on View Certificate to display the signature or click on the advanced tab to display signature details as well.

Windows reveals to you if the "digital signature is ok", or not.

Verify the signature of files using SignTool

signtool verify

SignTool is a Microsoft program that is included in the Windows SDK. The program is not included when you install Windows on a machine or use Windows, and needs to be added to the system by installing the Windows SDK.

  1. Windows 7 SDK
  2. Windows 10 SDK

Note: The download has a size of about 2.5 Gigabytes if you download the Windows 10 SDK. It will install all sorts of files on the system that you don't require if you don't develop Windows programs.

The installer installs signtool.exe in the following locations:

  • C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
  • C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe

Use the following commands to verify signatures:

  • SignTool verify program.exe -- Defaults to the Windows driver policy for verification.
  • SignTool verify /pa program.exe -- Use this to verify code-signing certificates.

Use the DigiCert Certificate Utility to verify signatures

code signed signature check

You may download the Digicert Certificate Utility for Windows to check application signatures on the operating system.

  1. Run the program after download. It does not need to be installed.
  2. Accept the terms of use displayed on start.
  3. On the "Code Signining" tab, select "check signature" in the header.
  4. Select the program that you want to check using the file browser that opens.
  5. DigiCert checks the signature and displays information in an extra window.
    1. It checks whether the file was signed and if the signature validated.
    2. It checks the timestamp of the signature.

If you get green checkmarks for both checks, verification was successful.

Closing Words

While most Windows users may have no need to verify the signature of programs, it may be useful to developers, researchers and advanced Windows users.

Summary
How to verify Digital Signatures of programs in Windows
Article Name
How to verify Digital Signatures of programs in Windows
Description
Find out how to verify the digital signatures of programs in Windows using built-in tools and functions, and external programs.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. rke50 said on July 14, 2023 at 10:32 pm
    Reply

    Most digital signatures in system files in Windows 10 and later are in catalog files; to check them with signtool add the /a option. e.g.:

    SignTool verify /pa /a program.exe

  2. KSanger said on July 9, 2021 at 2:20 am
    Reply

    Right clicking on downloaded files Cygwin setup-x86_64, setup-x86_64.exe, or zim-desktop-wiki-0.73.5-setup-w64_x86; Selecting Properties, and there is no digital signatures tab. Cygwin does supply a .sig file though. I’m completely lost as to how to verify programs that I download into Windows 10. No issues using Fedora but how do I verify downloads in Win 10?

  3. makaila said on February 21, 2021 at 11:47 am
    Reply

    Hi Martin,

    There is no “Digital Signatures” tab in the properties of a file when using W10.
    I use certutil.exe to verify the MD5, SHA1 or SHA256 hash after a downloaded and compare it with the source.

    certutil -hashfile sha256

    Greetz

  4. TelV said on January 19, 2019 at 4:32 pm
    Reply

    Forget about my question re: running Sigcheck please. I figured it out.

  5. TelV said on January 18, 2019 at 7:50 pm
    Reply

    @Martin,

    There appears to be a vulnerability in .msi files whereby malware can be appended to the original file and yet the latter will still retain its digital signature according the the VirusTotal blog at: https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html

    Worse still, it would appear from the second to last paragraph that Microsoft doesn’t intend to fix the problem in “current versions” of Windows which presumably includes W10.

    I was trying to use Sigcheck today but the command prompt window closes instantly as soon as the app is run. Any ideas on that aspect?

  6. Anonymous said on April 17, 2018 at 1:27 am
    Reply

    Hey, Martin, could you do a “how to verify Tor browser bundles” article? Particularly for Ubuntu linux. I can never seem to quite understand it.

  7. Pete12 said on April 16, 2018 at 2:49 pm
    Reply

    ” Select the Digital Signatures tab in the Properties window. “……………??
    Can not find this tab in my latest Win10 !! How can ………??

    1. Martin Brinkmann said on April 16, 2018 at 2:52 pm
      Reply

      Did you right-click an executable file?

      1. Pete12 said on April 16, 2018 at 2:55 pm
        Reply

        Yes, on some exes its present indeed , but not on all exe-files………….!

  8. Paul(us) said on April 16, 2018 at 2:21 pm
    Reply

    Martin, you reported back in 2014 about the file files & folder check program Sincheckgui and the website is still up and running do you think this program will work, (It did with Windows 7) with Windows 10?

    And are the problems resolved that your mention back in 2014: “The Virustotal scanning did not work correctly during tests? When enabled, it would not display any information about the file besides its name. What weights, even more, is the fact that the program opened the Virustotal TOS for each file that you have added to the application. It did open the site 48 times for instance during a test when I selected to scan all running processes.”

    https://www.ghacks.net/2014/09/11/check-windows-folders-for-file-signatures-with-sigcheckgui/

    1. Martin Brinkmann said on April 16, 2018 at 2:34 pm
      Reply

      Paulus, the issue with Virustotal is resolved. The program works just fine under Windows 10.

      1. Paul(us) said on April 16, 2018 at 2:38 pm
        Reply

        Thanks, Martin!

  9. jupe said on April 16, 2018 at 9:25 am
    Reply

    I hate how they make it difficult to get those standalone SDK exe’s, they are useful but who wants to install all that to get a few 100K exe’s, I wish they would make them available separately like SysInternals.

    1. Martin Brinkmann said on April 16, 2018 at 9:50 am
      Reply

      Agreed, lots of people search for individual executable files they would like to use.

      1. Anonymous said on April 4, 2020 at 2:31 am
        Reply

        Someone should break them into their individual exe’s and upload them, then people can verify the digital signatures of the exe’s using……. oh wait

      2. xXAiykoXx said on September 17, 2020 at 4:48 am
        Reply

        Maybe a working solution:

        – Download winsdksetup.exe
        – Run winsdksetup.exe
        – Choose option 2 “… for installation on a separate computer.”
        – Install to the path you prefer. You will get a folder called “Windows Kits”
        – Following the path … / Windows Kits / 10 / WindowsSDK / … you’ll get to a folder
        called “Installers”
        – Here you’ll find the individual files you’re looking for…

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.