Delphi Developers
Magenta Systems Code Signing Trust and
Certificate Check component v1.0
Download Code Signing Trust and Certificate Check component
v1.0 - 12 Aug 2011
(5,644,638 bytes)
Other Magenta
Sites
CamCollect
view and save
webcam pictures
CodeLook
lookup telephone
numbers and cost
ComCap v4
data capture utility
DUN Manager
broadband and dial-up
networking enhancement
Update Windows
Registration Details
The Magenta Systems Code Signing Trust and Certificate Check component v1.0 functions are designed for Code Signing, aka Microsoft Authenticode.
Currently just two functions that check if an EXE, DLL or CAB file has a valid code signing certificate, that the certificate is trusted and that the program is not corrupted. These functions were written to support an remote program updater tool, to ensure the new program was not corrupted, but may also be used to self test a Delphi application for image corruption.
ProgVerifyTrust - simple function to check code signing certificate exists and is valid and not expired, and the program image is not corrupted. This should work with Windows 2000 and later (which have wintrust.dll).
ProgVerifyCert - similar to ProgVerifyTrust, but also extracts the certificate information, names, dates, etc. But this function needs capicom.dll COM object to be installed (from which the CAPICOM_TLB type library is created), which is a free redistributable file, included with this code. This function only works in Win32 applications, because Microsoft has not released a 64-bit of capicom.dll, instead a class error is returned.
Microsoft claims Capicom is deprecated with Windows 7, but the DLL still works on both 32-bit and 64-bit editions, with Win32 applications. You need to register the COM object by running 'regsvr32.exe capicom.dll'.
Note the API used in CapiCom to sign a program is SignerSign but is not yet supported here since signprog.exe works fine to actually sign code.
Demonstration Application
A Windows demonstration application TRUSTCHK.EXE is supplied, with source and compiled program. A directory signed-samples includes several programs to test checking signatures, trustnone.exe is unsigned, trustbad.exe is deliberately corrupted, trustexpired.cab has an expired certificate, trustodd.exe has an untrusted self signed certificate, trustok.exe is valid.
Function ProgVerifyTrust
function ProgVerifyTrust (const Fname: string ; const HashOnly, Expired:
boolean; var Response: string): integer ;
Returns ERROR_SUCCESS (0)
for success, -1 for error, or Trust_E_xx or CERT_E_xx literals for other
partial success or failures, with a literal response in Response.
Function ProgVerifyCert
function ProgVerifyCert (const Fname: string ; var CertInfo: TCertInfo):
integer ;
TCertInfo = record
Res: integer ;
Response: string ;
SignerName: string ;
SignerIssuer: string ;
SignerExpireDT: TDateTime
;
DescName: string ;
DescURL: string ;
StamperName: string ;
SigningDT: TDateTime ;
end ;
Res and Response similar to
ProgVerifyTrust, also certificate and signing details. A formatted response
is similar to the following:
Check Cert OK for
\signed-samples\trustok.exe
Trusted Code
Signed by: Magenta Systems
Ltd
Issued by: Thawte Code Signing CA
Cert Expires: 17/10/2010
UTC
Timestamp: 10/07/2010 18:19:44
Timestamped by: VeriSign Time Stamping
Services Signer - G2
Description: Signals
URL:
http://www.magsys.co.uk/
Requirements
Compatible with Delphi7/2007/2009/2010/XE/XE2. Supports both VCL Win32
and Win64, but there is no 64-bit version of
capicom.dll so some
functionality is not available. Tested with Windows 2000, XP, 2003, Vista,
2008 and 7.
CAPICOM and Code Sign Tools
Capicom is a COM object DLL redistributable from Microsoft that supports Code Signing and encryption. Microsoft claims Capicom is deprecated with Windows 7, but the DLL still works. Capicom does not come with Windows, but must be installed and registered as a COM object, before the ProgVerifyCert function can be used. This distribution includes two versions of Capicom, 2.1.0.1 and 2.1.0.2 in separate directories, each with numerous example source demos (none Pascal).
The distribution also includes a tools directory with various Microsoft executable code signing tools, of which signcode.exe is the one actually used to a sign a program, demonstrated by signtest.bat command file. An old test certificate is included, but developers really need to buy their own Authenticode Code Signing Certificate from Verisign, Thawte or other vendors.
signcode -spc testcert.spc -v testkey.pvk -n "Test Program" -i http://www.magsys.co.uk/ -tr 4 -tw 2 -t http://timestamp.verisign.com/scripts/timstamp.dll signedtest.exe
Copyright Information
Magenta Systems Code Signing Trust and Certificate Check component is freeware, but is still copyrighted by Magenta Systems Ltd who may change the status or withdraw it at any time, without notice.
Magenta Systems Ltd, 9 Vincent Road,
Croydon CR0 6ED, United Kingdom
Phone 020 8656 3636, International Phone +44 20 8656 3636
Fax 020 8656 8127, International Fax +44 20 8656 8127
http://www.magsys.co.uk/
Copyright © 2012 Magenta Systems Ltd, England. All Rights Reserved.