I've created a script add-in that adds a column that checks the digital signatures of files.
It's reasonably fast but not instant, so it might be more suited to be enabled by a button.
Note/Update: As of version 13.9.1 (Beta), Opus now has a native "Signed By" column which is quite a bit faster than this script, so that probably makes the most sense to use in most cases.
Screenshot Example:
It uses one of two external signature-checking tools:
- signtool.exe
  - An official tool by Microsoft included in the Windows SDK
  - Probably fine for most people but not as fast as the other option
  - Also supports checking catalog signatures, though that makes it a lot slower because every file needs to be hashed in addition to being checked against all the catalogs in System32/Catroot
  - Column result is limited to only either Signed or Unsigned (doesn't distinguish invalid and unsigned files, or other errors - all would just show as unsigned)
- FastSigCheck.exe
  - A more lightweight tool I created myself (open source) that is significantly faster than signtool, and allows more nuanced data to show in the column
  - Roughly 30% faster for signed files and 50% faster for unsigned files, compared to signtool
  - Can distinguish between 5 results to show in the column: Signed, Unsigned, Invalid/Untrusted Signature, Unsupported File Type, and Other/Unknown Error
  - Does not support catalog signatures - Only embedded signatures (which are by far most common anyway)
Configuration / Customizability:
- Customizable column messages for each result type
  - Note: When using signtool, only the "Valid" and "NoSignature" options will be applicable.
- Custom arguments when using signtool
  - Possible arguments can be seen by running 'signtool verify' in command prompt.
  - For example, adding /a adds catalog signature checking
- Editable list of file types that will be checked
  - Not every file type can have an embedded signature, so this improves speed by skipping those not in the list
  - The list is customizable because it is possible in Windows to install more "trusted providers" that allow native signature checking of more file types
- Debug mode to display stuff like what command is actually being run by the script. (Can't show the output of the external tools themselves though)
Configuration Options Screenshot:
Installation
- Download VerifySignature.js.txt (9.1 KB)
- Open Preferences / Toolbars / Scripts to display the list of scripts.
- Drag the downloaded VerifySignature.js.txt to the list.
- Click the Gear icon next to the script in the Scripts window to configure things like the path of the chosen exe tool.
- Download one of the exe tools from the next section
Note: If the little symbols part of the Signed and Invalid messages don't show correctly after importing the script, just copy and paste them into the box from here:
External Tools Downloads
- Signtool
  - Though the exe itself is standalone, it's not available as a direct download, but rather installed as part of the Windows SDK here: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/
  - However, there are some options to limit the Windows SDK installation to only install necessary parts then copy the signtool.exe file, such as:
    - This StackOverflow post describes extracting the Windows SDK ISO and just running the included Windows SDK Signing Tools-x86_en-us.msi within it
    - This other post describes how you can download the Windows SDK exe installer and run it with these arguments to just install the signing tools: winsdksetup.exe /features OptionId.SigningTools
  - Location After Installing Windows SDK: signtool.exe will be found in one of these places (which location might depend on how it was installed, not sure):
    - (64 Bit): c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
    - (32 Bit): c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
    - C:\Program Files (x86)\Windows Kits\10\bin\[WhateverVersion]\x64\signtool.exe
- FastSigCheck
  - Available along with source code on my GitHub Repo here: https://github.com/ThioJoe/FastSigCheck
    - Specifically downloaded via the releases page here
    - There's also a "headless" version which has no string/console output at all (only exit code results), but it's not really any faster than the regular version so probably not relevant.
Using a Button Toggle:
You might choose to use a button to toggle the appearance of the column instead of having it show all the time, which can be done like this:
Set COLUMNSTOGGLE=scp:VerifyFileSignatures/VerifySignature
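
The embedded-versus-catalog distinction above comes down to the PE Certificate Table: an embedded signature lives in the file itself, while a file signed only through a catalog has nothing there. The following is an added example, not code from VerifySignature.js or FastSigCheck; it assumes Node.js, and the function names, status strings and sample bytes are made up for illustration.

```javascript
// Added example, not from VerifySignature.js or FastSigCheck; assumes Node.js (Buffer).
// Detects an embedded Authenticode blob only; it does not validate the signature.
const CERT_DIR_INDEX = 4;                      // IMAGE_DIRECTORY_ENTRY_SECURITY
const WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002;

function embeddedSignatureState(buf) {         // hypothetical helper name
  if (buf.length < 0x40 || buf.toString('latin1', 0, 2) !== 'MZ') return 'NotPE';
  const pe = buf.readUInt32LE(0x3c);           // e_lfanew: offset of "PE\0\0"
  if (pe + 26 > buf.length || buf.readUInt32LE(pe) !== 0x00004550) return 'NotPE';
  const opt = pe + 24;                         // optional header follows the COFF header
  const magic = buf.readUInt16LE(opt);
  let dirs;                                    // start of the data-directory array
  if (magic === 0x10b) dirs = opt + 96;        // PE32
  else if (magic === 0x20b) dirs = opt + 112;  // PE32+
  else return 'Malformed';
  if (dirs > buf.length) return 'Malformed';
  const count = buf.readUInt32LE(dirs - 4);    // NumberOfRvaAndSizes
  if (count <= CERT_DIR_INDEX) return 'NoEmbeddedSignature';
  const entry = dirs + CERT_DIR_INDEX * 8;
  if (entry + 8 > buf.length) return 'Malformed';
  const offset = buf.readUInt32LE(entry);      // a file offset here, not an RVA
  const size = buf.readUInt32LE(entry + 4);
  if (offset === 0 || size === 0) return 'NoEmbeddedSignature';
  if (size < 8 || offset + size > buf.length) return 'Malformed'; // must lie inside the file
  const dwLength = buf.readUInt32LE(offset);   // WIN_CERTIFICATE.dwLength
  const type = buf.readUInt16LE(offset + 6);   // WIN_CERTIFICATE.wCertificateType
  if (dwLength < 8 || dwLength > size) return 'Malformed';
  return type === WIN_CERT_TYPE_PKCS_SIGNED_DATA ? 'EmbeddedSignaturePresent' : 'Malformed';
}

// Constructed sample: a minimal PE32+ header image, optionally with a dummy certificate entry.
function buildSample(withCert) {
  const buf = Buffer.alloc(0x200);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(0x80, 0x3c);               // e_lfanew
  buf.writeUInt32LE(0x00004550, 0x80);         // "PE\0\0"
  const opt = 0x80 + 24;
  buf.writeUInt16LE(0x20b, opt);               // PE32+ magic
  buf.writeUInt32LE(16, opt + 108);            // NumberOfRvaAndSizes
  if (withCert) {
    const dirEntry = opt + 112 + CERT_DIR_INDEX * 8;
    buf.writeUInt32LE(0x1c0, dirEntry);        // certificate table file offset
    buf.writeUInt32LE(0x40, dirEntry + 4);     // certificate table size
    buf.writeUInt32LE(0x40, 0x1c0);            // dwLength
    buf.writeUInt16LE(0x0200, 0x1c4);          // wRevision 2.0
    buf.writeUInt16LE(WIN_CERT_TYPE_PKCS_SIGNED_DATA, 0x1c6);
  }
  return buf;
}
```

A result of EmbeddedSignaturePresent only means a signature blob is there; whether it is valid and trusted still has to come from signtool, FastSigCheck or the native column.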