RE: Validate signed executables via the certificate

I think your samples may help me. Thank you. I'll just use the
WinVerifyTrust function directly to do the verification; however, I will do an
additional step. I do not want to know if it is just a valid cert, but is it
OUR valid cert? So after the chain of trust is verified I'll just read the
subject lines and make sure it is our cert, not just any cert.

Between your two examples, I think that is covered.

"Mounir IDRASSI" wrote:
Concerning the warning on MSDN, it has been there for years now but this API
is still available (XP, Vista and Windows 7) and it behaves the same under
all these operating systems. Actually, many real-life products use it to
ensure the integrity of software components.

For WIN_CERTIFICATE, there is no pCert field on this structure so I don't
understand your question.
As I explained before, the bCertificate field of WIN_CERTIFICATE is pointing
to a PKCS#7 byte array. This array contains the signature and the associated
certificates. It's normal that you get an error if you try to pass it to
certificate function because it is not an X509 certificate byte array.
In order to retrieve the certificates, you have to use CertOpenStore with
the flag CERT_STORE_PROV_PKCS7 and call CertFindCertificateInStore. I have
written a sample that demonstrates how you can do that. Here is the link:

After this, you have to compute the digest of the correct parts of the PE
file and verify the signature contained inside the PKCS#7 data against it.
Did you manage to implement this part of the verification? I have never
implemented it myself since WinVerifyTrust does the job more easily, and I am
interested in knowing the steps involved (certainly starting with


To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
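The two-step check described in this thread (chain of trust first, then "is it OUR cert?"), as an added example that is not code from either poster. It uses PowerShell's Get-AuthenticodeSignature, which calls WinVerifyTrust under the hood, and also pins the thumbprint, which is a tighter check than the subject string alone; the function name, $ExpectedSubject and $ExpectedThumbprint are placeholders you supply.

```powershell
# Added example, not from the thread. Verifies the Authenticode chain of trust
# and then confirms the signer is the expected certificate, not merely any
# trusted one. Expected values are placeholders for your own certificate.
function Test-OurSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # full subject DN, e.g. 'CN=Example Corp, O=Example Corp, C=US'
        [string] $ExpectedThumbprint                        # optional SHA-1 thumbprint pin (hex, no spaces)
    )

    # Step 1: chain-of-trust check (WinVerifyTrust does this work).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate
    # Step 2: is it OUR cert? Compare the whole subject DN, not a substring,
    # so 'CN=Example Corp Ltd' cannot satisfy a check for 'CN=Example Corp'.
    if ($cert.Subject -ne $ExpectedSubject) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected subject: $($cert.Subject)" }
    }

    # Step 3 (optional, stricter): pin the thumbprint. A subject DN can be
    # issued again by another CA; the thumbprint identifies one exact certificate.
    # PowerShell's -ne is case-insensitive on strings, so hex case does not matter.
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected thumbprint: $($cert.Thumbprint)" }
    }

    return [pscustomobject]@{ Path = $Path; Ok = $true; Reason = 'Signed by the expected certificate' }
}

# Usage: take the subject and thumbprint from a known-good signed binary and
# check that same file against them, which should report Ok = True.
$known = "$env:SystemRoot\System32\notepad.exe"
$ref   = (Get-AuthenticodeSignature -FilePath $known).SignerCertificate
Test-OurSignature -Path $known -ExpectedSubject $ref.Subject -ExpectedThumbprint $ref.Thumbprint
```

Feeding the same expected values a binary signed by a different publisher returns Ok = False with the offending subject or thumbprint in Reason, which is the distinction the thread is after.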