Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.CodeSign,
  Chilkat.DtObj,
  Chilkat.JsonObject,
  Chilkat.CkDateTime;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  path: string;
  json: TJsonObject;
  validator: TCodeSign;
  valid: Boolean;
  issuerCN: string;
  serial: string;
  genTime: TDtObj;
  dt: TCkDateTime;
  i: Integer;
  count_i: Integer;
  numSigners: Integer;

begin
  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  You can verify a signed DLL or EXE.
  path := 'c:/someDir/something.dll';

  //  The verify method returns an overall indicator of whether
  //  the EXE or DLL can be trusted or not.
  //  The details of the signature are emitted to the JSON object
  //  passed in the last argument.

  json := TJsonObject.Create;
  json.EmitCompact := False;

  validator := TCodeSign.Create;
  valid := validator.VerifySignature(path,json);
  if (valid = False) then
    begin
      //  Validation failed.
      WriteLn(validator.LastErrorText);
      //  You can also examine the details of the validation (see below)
      WriteLn(json.Emit());
      Exit;
    end;

  //  Examine the details of the Authenticode signature
  //  println json.Emit();

  //  An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
  //  
  //  Use this online tool to generate parsing code from sample JSON: 
  //  Generate Parsing Code from JSON

  //  {
  //    "pkcs7": {
  //      "verify": {
  //        "peFile": {
  //          "hashOid": "2.16.840.1.101.3.4.2.1",
  //          "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
  //        },
  //        "certs": [
  //          {
  //            "issuerCN": "AAA Certificate Services",
  //            "serial": "48FC93B46055948D36A7C98A89D69416"
  //          },
  //          {
  //            "issuerCN": "Sectigo Public Code Signing Root R46",
  //            "serial": "621D6D0C52019E3B9079152089211C0A"
  //          },
  //          {
  //            "issuerCN": "Sectigo Public Code Signing CA R36",
  //            "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
  //          }
  //        ],
  //        "digestAlgorithms": [
  //          "sha256"
  //        ],
  //        "signerInfo": [
  //          {
  //            "cert": {
  //              "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
  //              "issuerCN": "Sectigo Public Code Signing CA R36",
  //              "digestAlgOid": "2.16.840.1.101.3.4.2.1",
  //              "digestAlgName": "SHA256"
  //            },
  //            "contentType": "1.3.6.1.4.1.311.2.1.4",
  //            "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
  //            "signingAlgOid": "1.2.840.113549.1.1.1",
  //            "signingAlgName": "RSA-PKCSV-1_5",
  //            "authAttr": {
  //              "1.3.6.1.4.1.311.2.1.12": {
  //                "der": "MAA="
  //              },
  //              "1.2.840.113549.1.9.3": {
  //                "name": "contentType",
  //                "oid": "1.3.6.1.4.1.311.2.1.4"
  //              },
  //              "1.3.6.1.4.1.311.2.1.11": {
  //                "der": "MAwGCisGAQQBgjcCARU="
  //              },
  //              "1.2.840.113549.1.9.4": {
  //                "name": "messageDigest",
  //                "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
  //              }
  //            },
  //            "unauthAttr": {
  //              "1.3.6.1.4.1.311.3.3.1": {
  //                "name": "timestampToken",
  //                "der": "MIIXJwY ... QZej",
  //                "verify": {
  //                  "digestAlgorithms": [
  //                    "sha256"
  //                  ],
  //                  "signerInfo": [
  //                    {
  //                      "cert": {
  //                        "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
  //                        "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
  //                        "digestAlgOid": "2.16.840.1.101.3.4.2.1",
  //                        "digestAlgName": "SHA256"
  //                      },
  //                      "contentType": "1.2.840.113549.1.9.16.1.4",
  //                      "signingTime": "240117124047Z",
  //                      "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
  //                      "signingAlgOid": "1.2.840.113549.1.1.1",
  //                      "signingAlgName": "RSA-PKCSV-1_5",
  //                      "authAttr": {
  //                        "1.2.840.113549.1.9.3": {
  //                          "name": "contentType",
  //                          "oid": "1.2.840.113549.1.9.16.1.4"
  //                        },
  //                        "1.2.840.113549.1.9.5": {
  //                          "name": "signingTime",
  //                          "utctime": "240117124047Z"
  //                        },
  //                        "1.2.840.113549.1.9.16.2.12": {
  //                          "name": "signingCertificate",
  //                          "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
  //                        },
  //                        "1.2.840.113549.1.9.4": {
  //                          "name": "messageDigest",
  //                          "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
  //                        },
  //                        "1.2.840.113549.1.9.16.2.47": {
  //                          "name": "signingCertificateV2",
  //                          "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
  //                        }
  //                      }
  //                    }
  //                  ],
  //                  "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
  //                },
  //                "timestampSignatureVerified": true,
  //                "tstInfo": {
  //                  "tsaPolicyId": "2.16.840.1.114412.7.1",
  //                  "messageImprint": {
  //                    "hashAlg": "sha256",
  //                    "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
  //                    "digestMatches": true
  //                  },
  //                  "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
  //                  "genTime": "20240117124047Z"
  //                }
  //              }
  //            }
  //          }
  //        ],
  //        "pkcs7": {
  //          "verify": {
  //            "certs": [
  //              {
  //                "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
  //                "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
  //              },
  //              {
  //                "issuerCN": "DigiCert Trusted Root G4",
  //                "serial": "073637B724547CD847ACFD28662A5E5B"
  //              },
  //              {
  //                "issuerCN": "DigiCert Assured ID Root CA",
  //                "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
  //              }
  //            ]
  //          }
  //        }
  //      }
  //    }
  //  }

  genTime := TDtObj.Create;
  dt := TCkDateTime.Create;

  //  Show the certificates embedded in the PKCS7 signature.
  WriteLn('Certificates contained in the PKCS7 signature:');
  i := 0;
  count_i := json.SizeOfArray('pkcs7.verify.certs');
  while i < count_i do
    begin
      json.I := i;
      issuerCN := json.StringOf('pkcs7.verify.certs[i].issuerCN');
      serial := json.StringOf('pkcs7.verify.certs[i].serial');
      WriteLn(issuerCN + ', ' + serial);
      i := i + 1;
    end;

  //  Show details about the signing certificate(s)
  numSigners := json.SizeOfArray('pkcs7.verify.signerInfo');
  i := 0;
  while i < numSigners do
    begin
      json.I := i;
      WriteLn('---- Signing Certificate ----');
      WriteLn('serial number: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.serialNumber'));
      WriteLn('issuerCN: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.issuerCN'));
      WriteLn('hash algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.digestAlgName'));
      WriteLn('signing algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].signingAlgName'));

      //  If this signature includes a timestamp token, get information about it.
      if (json.HasMember('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1"') = True) then
        begin
          //  We're going to assume the timestamp token had only 1 signer..
          WriteLn('--- Timestamp Token ----');
          WriteLn('TS hash algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.digestAlgorithms[0]'));
          WriteLn('TS certificate serial: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.serialNumber'));
          WriteLn('TS certificate issuerCN: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.issuerCN'));
          WriteLn('timestamp signature verified: ' + json.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".timestampSignatureVerified'));
          json.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".tstInfo.genTime',False,genTime);
          dt.SetFromDtObj(genTime);
          WriteLn('timestamp date/time: ' + dt.GetAsRfc822(True));
        end;

      i := i + 1;
    end;

  WriteLn('The Authenticode signature is valid.');

  //  Sample output:

  //  Certificates contained in the PKCS7 signature:
  //  AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
  //  Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
  //  Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
  //  ---- Signing Certificate ----
  //  serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
  //  issuerCN: Sectigo Public Code Signing CA R36
  //  hash algorithm: SHA256
  //  signing algorithm: RSA-PKCSV-1_5
  //  --- Timestamp Token ----
  //  TS hash algorithm: sha256
  //  TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
  //  TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
  //  timestamp signature verified: True
  //  timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
  //  The Authenticode signature is valid.


  json.Free;
  validator.Free;
  genTime.Free;
  dt.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.