
I wanted to check the trust of one of the .exe files in our project, for which I am using C#.

I have referred - http://pinvoke.net/default.aspx/wintrust/WinVerifyTrust.html

Here is my code snippet.

// WinTrustData, WinVerifyTrust, WinVerifyTrustResult, WINTRUST_ACTION_GENERIC_VERIFY_V2
// and INVALID_HANDLE_VALUE are the declarations from the pinvoke.net page linked above.
WinTrustData wtd = new WinTrustData(filename);          // WTD_CHOICE_FILE structure for the .exe
Guid guidAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2); // standard Authenticode policy provider
WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, guidAction, wtd); // no UI window
bool valid = (result == WinVerifyTrustResult.Success);  // 0 == ERROR_SUCCESS: signature and chain verified

filename is nothing but the .exe file path.

WinVerifyTrust() in the above code returns "WinVerifyTrustResult.Success" only if the machine has been connected to the internet at least once.

However, on a fresh machine it returns "0x800b0100", i.e. "TRUST_E_NOSIGNATURE".

Is this expected behavior? If yes, then how do I resolve it?

I searched for this specific behavior but did not find any satisfactory answer.

  • This isn't any different from real life. If you sell your house to somebody, how can you make sure you can trust that the buyer is who he says he is and the contract he signs will be a legal document? You go to a notary, you have to get out of the house. The notary here is the issuer of the certificate, like Verisign, getting out of the house requires an Internet connection. – Hans Passant Jul 12 '16 at 15:30

1 Answer

Windows (7+) is shipped with a very limited set of root certificates.

Those are downloaded on demand. This could be the reason why the Authenticode signature could not be verified if a computer was never connected to the internet before (but still, I suppose that just connecting to the internet is not sufficient, but some surfing to https pages or verifying the Authenticode signature is necessary so that the "right" root certificate is downloaded).

You can verify this by checking/counting the CA certificates which are installed in Internet Explorer before and after connecting to the internet.

  • Hi MrTux, thanks a lot for your quick response. Adding proxy settings solves my problem. But in our case, there are many users who deliberately don't want to connect to the internet. Then it becomes very difficult. My question is: how to bypass this kind of situation? Do you know any setting that we can tell users to follow on their machine? Or is it like, for this API internet connectivity is a must? – Tausif Jul 12 '16 at 15:31
    I'm not aware of workarounds, besides installing the required root certificates manually (or using active directory or something). Also Windows even itself cannot verify the signature w/o the root ca certificate. – MrTux Jul 12 '16 at 15:35
  • You could also try to use a more manual certificate verification by setting up your own certstore in memory which contains the root certificate and check it like described here: http://stackoverflow.com/q/2008519/3906760 – MrTux Jul 13 '16 at 09:39
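The in-memory certificate store approach from the last comment, as an added example (not code from the question, the answer, or pinvoke.net): the signer certificate is pulled out of the .exe and chained against a root (plus any intermediates) shipped with the application, so no on-demand root download is needed. File paths are placeholders; the method and class names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: offline chain check against a pinned root supplied by the caller.
static class OfflineAuthenticodeCheck
{
    // exePath: signed PE; pinnedRootPath: the root CA .cer shipped with the app;
    // intermediatePaths: optional intermediate CA .cer files (offline machines may
    // lack them too, since Windows normally fetches them via AIA over the network).
    public static bool SignerChainsToPinnedRoot(string exePath, string pinnedRootPath,
                                                params string[] intermediatePaths)
    {
        X509Certificate2 signer;
        try
        {
            // Extracts only the signer (leaf) certificate from the Authenticode blob.
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(exePath));
        }
        catch (CryptographicException) { return false; } // unsigned or malformed file

        var pinnedRoot = new X509Certificate2(pinnedRootPath);

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
            foreach (var p in intermediatePaths)
                chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(p));

            // No CRL/OCSP fetch: the machine is offline by design.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Let the engine finish the chain with a root that is not in the machine
            // store; the root identity is then checked explicitly below.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            // Require the Code Signing EKU (id-kp-codeSigning).
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.3"));

            if (!chain.Build(signer)) return false;

            // Tolerate only "untrusted root" (expected, since the root is not installed).
            bool onlyUntrustedRoot = chain.ChainStatus.All(s =>
                s.Status == X509ChainStatusFlags.NoError ||
                s.Status == X509ChainStatusFlags.UntrustedRoot);

            var actualRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            bool rootMatches = string.Equals(actualRoot.Thumbprint, pinnedRoot.Thumbprint,
                                             StringComparison.OrdinalIgnoreCase);
            return onlyUntrustedRoot && rootMatches;
        }
    }
}
```

This validates the signer's chain only; CreateFromSignedFile does not check that the signature actually covers the file's hash, so WinVerifyTrust (or a SignedCms verification of the Authenticode blob) is still needed for that part.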