c# - Checking digital signature on EXE

Question

My .NET exe is signed using signtool. Using this code, I can verify the validity of the certificate itself:

var cert = X509Certificate.CreateFromSignedFile("application.exe");
var cert2 = new X509Certificate2(cert.Handle);
bool valid = cert2.Verify();

However, this only checks the certificate itself, and not the signature of the EXE. Therefore, if the EXE is tampered with, this method doesn't detect it.

How can I check the signature?

Answer 1

You need to call (P/Invoke) WinVerifyTrust() function from wintrust.dll. There is (as far as I know) no alternative in managed .NET.

You can find documentation of this method here.

Someone already asked this question on SO. It was not accepted, but it should be correct (I only scrolled through). Take a look.

You could also take a look at this guide but they really do the same.