Digital Signature Viewer
Validate the Identity of the Software Publisher
The Authenticode Digital Signature Viewer lets you view the certificate-based digital signature of an executable file, validate the identity of the software publisher, and verify that the signature of a PE file is valid and has been applied properly, and that it wasn't tampered with after it was signed. You can also save the signature information to a text file.
Microsoft Authenticode® code-signing technology is based on the use of a digital signature, which in turn is based on a digital certificate issued by a trusted third party (a certification authority) that has verified the identity of the software publisher. Code signing lets you know the origin of the code and can protect the code from tampering (if the code is changed, the digital signature is invalidated). Thus, code signing provides two security protections: authentication of the author, publisher or distributor of the code; and integrity of the code itself.
A digital signature is the public certificate plus the value of the signed data encrypted by a private key. When a developer signs the code, it is put through a one-way hash function. This creates a "message digest" (signed hash) of fixed length. The developer's private key is used to encrypt this message digest. The digest is combined with the certificate and hash algorithm to create a signature block. This signature block is inserted into the portable executable file.
Signed Executable File Certificate Viewer
PE Explorer examines the certificate and obtains the developer's public key from it. Then PE Explorer decrypts the message digest with the public key, and the same hash algorithm that was used to create the message digest is run on the code again, to create a second message digest (Real File Hash). Then PE Explorer compares the second digest (Real File Hash) to the original (Signed File Hash). Additionally, it compares the Real Checksum to the value reported by the header (Link Checksum), since the file checksum field of the optional header can be modified without invalidating the Authenticode signature.
If the two digests match, the signature is valid, and you know that the code has not been altered since it was signed.
If the two digests (Signed File Hash and Real File Hash) don't match, you know that the code has been tampered with (e.g., by a virus or a hacker).
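The two comparisons described above, sketched in Python as an added example (not PE Explorer's code): it recomputes the Authenticode file digest and the optional-header checksum of a constructed minimal PE image, showing that the checksum field lies outside the signed hash. It assumes sections are stored in file order with the certificate table last, does not decrypt or validate the signature itself, and all function names are illustrative.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # data directory slot of the Certificate Table

def pe_offsets(data):
    """Return (checksum field offset, certificate-table directory entry offset)."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                            # PE signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}[magic]                    # PE32 / PE32+
    return opt + 64, opt + dirs + 8 * CERT_DIR_INDEX

def authenticode_digest(data, alg="sha256"):
    """'Real File Hash': skips the checksum field, the certificate-table
    directory entry and the certificate table (assumed to end the file)."""
    cs, cd = pe_offsets(data)
    cert_off, cert_len = struct.unpack_from("<II", data, cd)
    end = cert_off if cert_len else len(data)
    h = hashlib.new(alg)
    for part in (data[:cs], data[cs + 4:cd], data[cd + 8:end]):
        h.update(part)
    return h.hexdigest()

def pe_checksum(data):
    """'Real Checksum': 16-bit end-around-carry sum with the field zeroed, plus length."""
    cs, _ = pe_offsets(data)
    buf = bytearray(data)
    buf[cs:cs + 4] = b"\0" * 4
    if len(buf) % 2:
        buf.append(0)
    total = sum(struct.unpack("<%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def link_checksum(data):
    """'Link Checksum': the value stored in the optional header."""
    return struct.unpack_from("<I", data, pe_offsets(data)[0])[0]

def make_sample():
    """Constructed minimal PE32 image: headers plus 256 bytes of filler 'code'."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x58, 0x10B)
    pe += b"\x90" * 0x100
    struct.pack_into("<I", pe, pe_offsets(pe)[0], pe_checksum(pe))
    return pe
```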
View the Certificate Chain
A certificate is a set of data that completely identifies an entity, and is issued by a certification authority (CA) only after that authority has verified the entity's identity. A code signing certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature.
When the software publisher signs the executable file with its private key, you can use the publisher's public key (retrieved from the certificate sent with the software) to verify the publisher's identity.