Verifying Signed Files Downloaded via HTTP

From: DaveW (david_wender_at_yahoo.com)
Date: 06/24/05


Date: 24 Jun 2005 11:40:57 -0700

I have created a Launcher Application to automatically update files for
my main application before the main application starts. The launcher
checks an XML file on a server to see a list of files/versions that are
associated with the main application and will automatically download
new versions.
All DLLs and EXEs are strong named and signed with an Authenticode Code
signing certificate.
It seems that some clients are now encountering Strong Name exceptions
after downloading new versions.

I am trying to figure out whether they are getting these exceptions
because the downloaded file was somehow corrupted during the file
transfer. If so, is there any way to verify that a file has a valid
signature after it is downloaded so that I can attempt to re-download
if there are problems?

Another thing to note is that I renewed my Digital Certificate on
6/6/05 but I have not rebuilt the SNK with the new certificate. I don't
know much about how these certificates work, but I'm wondering if there
is some sort of random verification going on that is failing because
the old certificate may be expired.

Any help would be greatly appreciated.

Thanks.
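
One way to do the post-download check the question asks about, as an added example that is not part of the original post: download to a temporary file, verify the strong name, and replace the live file only on success, retrying otherwise. `DownloadVerifier`, `IsTrustedAssembly`, `DownloadVerified` and `expectedTokenHex` are hypothetical names; the sketch assumes .NET Framework (where mscoree.dll exports `StrongNameSignatureVerificationEx`), managed assemblies only, and an expected public key token compiled into the launcher.

```csharp
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;

static class DownloadVerifier
{
    // mscoree.dll export; returns false if the signature does not match the file bits.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    // True only if the signature verifies AND the key is the one we expect.
    public static bool IsTrustedAssembly(string path, string expectedTokenHex)
    {
        bool wasVerified = false;
        // true = verify even if a skip-verification entry exists for this assembly
        if (!StrongNameSignatureVerificationEx(path, true, ref wasVerified))
            return false;
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        if (token == null || token.Length == 0) return false;
        string actual = BitConverter.ToString(token).Replace("-", "");
        return string.Equals(actual, expectedTokenHex, StringComparison.OrdinalIgnoreCase);
    }

    // Download to a temp file, verify it, and only then overwrite the live file.
    public static bool DownloadVerified(string url, string targetPath,
                                        string expectedTokenHex, int maxAttempts)
    {
        string tempPath = targetPath + ".download";   // hypothetical temp naming
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            try
            {
                using (WebClient client = new WebClient())
                    client.DownloadFile(url, tempPath);
                if (!IsTrustedAssembly(tempPath, expectedTokenHex)) continue;
                File.Copy(tempPath, targetPath, true);
                return true;
            }
            catch (WebException) { }   // transfer failed: try again
            catch (IOException) { }    // file locked or unwritable: try again
            finally { File.Delete(tempPath); }
        }
        return false;                  // caller keeps the old version
    }
}
```

The token is pinned because a strong name check on its own passes for an assembly signed with any key. It does not evaluate the Authenticode signature, which is a separate check.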


