Column - Verify Digital Signatures

I've created a script add-in that adds a column that checks the digital signatures of files.

It's reasonably fast but not instant, so it might be more suited to be enabled by a button.


Screenshot Example:


It uses either choice of two possible external signature checking tools:

  • signtool.exe - An official tool by Microsoft included in the Windows SDK

    • Probably fine for most people but not as fast as the other option
    • Also supports checking catalog signatures, though that makes it a lot slower because every file needs to be hashed in addition to checked against all the catalogs in System32/Catroot
    • Column result is limited to only either Signed or Unsigned (doesn't distinguish invalid and unsigned files, or other errors - all would just show as unsigned)
  • FastSigCheck.exe - A more lightweight tool I created myself (open source) that is significantly faster than signtool, and allows more nuanced data to show in the column

    • Roughly 30% faster for signed files and 50% faster for unsigned files, compared to signtool
    • Can distinguish between 5 results to show in the column: Signed, Unsigned, Invalid/Untrusted Signature, Unsupported File Type, and Other/Unknown Error
    • Does not support catalog signatures - Only embedded signatures (which are by far most common anyway)

Configuration / Customizability:

  • Customizable column messages for each result type
    • Note: When using signtool, only the "Valid" and "NoSignature" options will be applicable.
  • Custom arguments when using signtool
    • Possible arguments can be seen by running 'signtool verify' in command prompt.
    • For example adding /a adds catalog signature checking
  • Editable list of file types that will be checked
    • Not every file type can have an embedded signature so this improves speed by skipping those not in the list
    • The list is customizable because it is possible in Windows to install more "trusted providers" that allows native signature checking of more file types
  • Debug mode to display stuff like what command is actually being run by the script. (Can't show the output of the external tools themselves though)

Configuration Options Screenshot:


Installation

  • Download VerifySignature.js.txt (9.1 KB)
    1. Open Preferences / Toolbars / Scripts to display the list of scripts.
    2. Drag the downloaded VerifySignature.js.txt to the list.
    3. Click the Gear icon next to the script in the Scripts window to configure things like the path of the chosen exe tool.
  • Download one of the exe tools from the next section

Note: If the little symbols part of the Signed and Invalid messages don't show correctly after importing the script, just copy and paste them into the box from here: :warning: :heavy_check_mark:


External Tools Downloads

  • Signtool

    • Though the exe itself is standalone, it's not available as a direct download, but rather installed as part of the Windows SDK here: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/
    • However, there are some options to limit the Windows SDK installation to only install necessary parts then copy the signtool.exe file such as:
      • This StackOverflow post describes extracting the Windows SDK ISO and just running the included Windows SDK Signing Tools-x86_en-us.msi within it
      • This other post describes how you can download the Windows SDK exe installer and run it with these arguments to just install the signing tools: winsdksetup.exe /features OptionId.SigningTools
    • Location After Installing Windows SDK: signtool.exe will be found in one of these places (which location might depend on how it was installed, not sure):
      • (64 Bit): c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
      • (32 Bit): c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"
      • C:\Program Files (x86)\Windows Kits\10\bin\[WhateverVersion]\x64\signtool.exe.
  • FastSigCheck

    • Available along with source code on my GitHub Repo here: https://github.com/ThioJoe/FastSigCheck
    • There's also a "headless" version which has no string/console output at all (only exit code results), but it's not really any faster than the regular version so probably not relevant.

Using a Button Toggle:
You might choose to use a button to toggle the appearance of the column instead of having it show all the time, which can be done like this:
Set COLUMNSTOGGLE=scp:VerifyFileSignatures/VerifySignature

6 Likes