Menu Show

What is a Windows Authenticode Signature & How Can I Verify It?

Rate this article: 1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00)

Microsoft Authenticode is the tech giant’s code signing technology. Like all code signing, an Authenticode signature identifies the publisher of the signed software. It also provides a checksum feature that ensures the integrity of the software is intact — that it hasn’t been altered since it was signed.

A Windows Authenticode signature identifies the software publisher or developer for enhanced security.

To sign, the developer first needs to acquire a Microsoft Authenticode signing certificate from a trusted certificate authority (CA). This will require you or your organization to undergo validation, which ensures the certificate isn’t being issued to a negative actor. Once the code signing certificate has been purchased, validated and issued, you can use it to sign software.

SSL Certificate with Comodo Secure Logo

Save Up 42% On Authenticode Signature Code Signing Certificates

You can often save a significant amount by buying your code signing certificate direct instead of through your a CA. We sell all Comodo code signing certificates at up to 42% off.Compare SSL Certificates

An Authenticode signature is basically a complex mathematical function. First, a hash function is performed. The code itself, as well as the Microsoft Authenticode signing certificate, are concatenated (fancy word for combined) and hashed. Hashing is a cryptographic process that maps inputs of any length to a fixed length output or hash value. No two disparate inputs can create the same output.

Checksums rely on this certainty. The hash function is performed once during the signing and then again by the client when it’s first verifying the signature. When the two values match, it means the integrity of the software is intact. If not, the client issues a warning.

The hash value that’s produced during the signing is what actually gets signed. The Authenticode signing certificate’s private key signs the hash and hashes it again.

When the client receives the software, it starts by verifying the signature, repeating the second hash process and using the public key from the Authenticode signing certificate — which is also included with the software — to verify the signature. Then, the checksum is performed.

Provided everything checks out, the software is trusted and the Authenticode signature is considered verified.

What About Embedded Authenticode Signatures?

Ah, you’re going to make me write about that, too? Good question though. Sometimes, for instance with kernel mode signing, the developer embeds the signature within a non-execution portion of a driver file. Additionally, it’s also possible to digitally sign a category file after generating a file hash for every file within the driver package. In both cases, the signature verification process works about the same.

That’s largely thanks to the way public key cryptography works. Most people know about the encryption functions of public-private key pairs. Public keys encrypt and private keys decrypt. But when it comes to digital signatures, because of the mathematical relationship between the two keys, the public key can be used to verify signatures left by the private key.

This is why the certificate and public key are included with the software. The certificate authenticates the developer — it’s what asserts their identity. The public key verifies the signature, which is what’s vouching for the authenticity of the certificate and the integrity of the software.

Regardless of whether the Authenticode signature is embedded, a catalog file, or just a standard Authenticode signature, the verification process is a cryptographic procedure that leverages hashing and public key encryption.