Examining Digital Signature Signers

by Apr 5, 2018

When you download a script from the internet, it may contain a digital signature that can help you find out where the script comes from. We looked at this in the previous tip, and this is the code we used: it downloads a PowerShell script to disk, then displays its digital signature:

# save script to file
$url = 'https://chocolatey.org/install.ps1'
$outPath = "$env:temp\installChocolatey.ps1"
Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $outPath

# test signature
Get-AuthenticodeSignature -FilePath $outPath

The result would look similar to this:

    Directory: C:\Users\tobwe\AppData\Local\Temp


SignerCertificate                         Status         Path
-----------------                         ------         ----
493018BA27EAA09B895BC5660E77F694B84877C7  Valid          installChocolatey.ps1

The column “Status” reports whether the file is trustworthy. Yet how can you get more details about the certificate and its owner, and specifically find out who “493018BA27EAA09B895BC5660E77F694B84877C7” is?

Simply submit the signer certificate to a Windows API function that displays the property dialog for the certificate:

# save script to file
$url = 'https://chocolatey.org/install.ps1'
$outPath = "$env:temp\installChocolatey.ps1"
Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $outPath

# test signature
$result = Get-AuthenticodeSignature -FilePath $outPath
$signerCert = $result.SignerCertificate

# load the assembly that contains the certificate UI helper, then open the certificate property dialog
Add-Type -Assembly System.Security
[Security.Cryptography.X509Certificates.X509Certificate2UI]::DisplayCertificate($signerCert)

Now you know that the thumbprint refers to “Chocolatey Software, Inc”, and that the certificate was issued by DigiCert. This is why Windows trusted the signature: DigiCert takes measures to validate the signer's identity details.
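The dialog is handy interactively, but on a server or in a script you want the same facts as data. The function below is an added example (not from the original tip): it reads the signer certificate's subject, issuer, validity period and code-signing key usage, rebuilds the certificate chain, and optionally compares the subject against a publisher name you expect. The `Get-SignerInfo` name, the `-ExpectedSubject` parameter and the `Trusted` verdict are this example's own conventions.

```powershell
function Get-SignerInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # optional: a substring the certificate Subject must contain, e.g. 'Chocolatey Software'
        [string]$ExpectedSubject
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # unsigned file: report the status text PowerShell gives and stop
    if (-not $cert) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Message = $sig.StatusMessage; Subject = $null; Trusted = $false }
    }

    # the Enhanced Key Usage extension must list Code Signing (OID 1.3.6.1.5.5.7.3.3)
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # rebuild the chain to a trusted root, checking revocation online
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # a valid signature from the wrong publisher is still the wrong publisher
    $subjectOk = $true
    if ($ExpectedSubject) { $subjectOk = $cert.Subject -like "*$ExpectedSubject*" }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        Message      = $sig.StatusMessage
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        CodeSigning  = ($ekus -contains $codeSigningOid)
        ChainValid   = $chainOk
        ChainErrors  = $chainErrors
        SubjectMatch = $subjectOk
        Trusted      = ($sig.Status -eq 'Valid') -and $chainOk -and ($ekus -contains $codeSigningOid) -and $subjectOk
    }
}

# check the script downloaded above and require the publisher seen in the dialog
Get-SignerInfo -Path "$env:temp\installChocolatey.ps1" -ExpectedSubject 'Chocolatey Software'
```

`Trusted` is only true when PowerShell reports the signature as Valid, the chain builds to a trusted root, the certificate is allowed to sign code, and the subject matches the publisher you expected.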
