Digital Signatures in Windows Executable Files
Windows executable files released by Cloanto have a digital signature to validate the origin and integrity of each file.
All Windows executable files ("desktop" apps) released by Cloanto since 1999 have been signed and timestamped with Microsoft Authenticode technology. In 2014 this was extended to include dual SHA-1 and SHA-256 hashes (one for legacy compatibility, the other for increased security).
When you right-click a Windows executable file (e.g. files ending in .exe, .msi or .dll) you can select Properties, then Digital Signatures and click on Details to verify the digital signature of the file. This allows you to confirm the publisher, the signature time, and the integrity of the file. Under Details, the signer name should be "Cloanto Corporation" and the dialog should say "This digital signature is OK".
If you selected Properties/Digital Signatures on an executable file and noticed an error message, or no digital signature at all, or a digital signature not signed by Cloanto Corporation, a verified Nevada, USA, corporation, this may mean that the file is either incomplete or corrupt. This may have been caused by a download problem, or, for example, by a malicious modification (a virus program, an unauthorized download site adding their adware or malware, etc.), and we recommend that you download the software again.
Windows Installer (MSI) files are also signed with Authenticode. As these files do not support dual signatures, in 2019 the transition was made from SHA-1 to the more secure SHA-256. This means that the new signatures are not recognized on Windows XP and on Windows Server 2003. Windows 7 and Windows Server 2008 were extended to support SHA-256 via Windows Update mechanisms. This support is built-in on newer versions of Windows.
Windows Store and Windows Phone apps are signed and verified automatically by the respective store mechanisms.
|Additional Keywords:||sha-2, md5|