Certificate Verification Tool (Chktrust.exe)
The Certificate Verification tool checks the validity of a file signed with an Authenticode certificate.
chktrust [/q] [/v] signedFile
|signedFile||The signed file that contains the signature to verify.|
|/help||Displays command syntax and options for the tool.|
|/q||Does not display the user interface that provides the option to install and run the signedFile when the publisher cannot be determined.|
|/v||Specifies verbose mode; displays detailed information about the validity of a signed file. The default is to display brief information.|
|/?||Displays command syntax and options for the tool.|
Chktrust.exe checks the validity of a signed file by doing the following:
- Extracts the PKCS #7 signed-data object from the file.
- Extracts the X.509 certificates from the PKCS #7 signed-data object.
- Computes a new hash of the file and compares it with the signed hash in the PKCS #7 object.
- If the hashes agree, Chktrust.exe verifies that the signer's X.509 certificate can be traced back to a trusted root certificate.
If all steps succeed, the file has not been tampered with and the vendor who signed the file was authenticated by the trusted root authority.
Note that if you provide a signedFile argument that does not have a valid signature, without specifying the /q option, the tool displays the Security Warning dialog box. The dialog gives you the option to install and run the PE file even though an Authenticode signature could not be found. You should select No if you do not have enough information about the software, the publisher, or your computer to be confident that installing the file will not cause negative side effects. If you click the No button, the tool does not run or install the file and reports that the check failed. If you click the Yes button, the tool installs and runs the file, and reports that the check succeeded.
For more information about PKCS #7 objects and certificates, see the About CryptoAPI section of the Microsoft Platform SDK documentation.
The following command demonstrates how to use Chktrust.exe with Microsoft Internet Explorer 4.0 or later.
If the preceding command succeeds, the following output indicates that the file checked has a valid signature.