Verify command

Verify Command

The verify command checks the validity of signed files, ensuring their integrity and confirming that the signatures are trusted. It can verify multiple files efficiently with wildcard support.

Usage

SignotaurTool.exe verify [options] [files]

Files Parameter

  • A list of file paths to verify. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.

  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.

  • Notes:

    • Ensure that the directory paths are correctly specified, as the function will attempt to find matching files based on the directory provided in conjunction with the wildcards.
    • For verifying a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.

Options

  • --fl, --file-list <FileName>

    Specifies the path to a file containing a list of file paths to verify. Each line in the file should contain one file path.

  • --ignore-untrusted-root

    Ignores untrusted root errors when verifying a file signed with a self-signed certificate. Use this option with caution as it bypasses trust validation for the root certificate.

  • -m, --max-degree-of-parallelism <MDOP>

    Specifies the maximum number of concurrent file verification operations. Default is 4. A higher value can speed up processing for large file sets.

  • --continue-on-fail

    Continues verifying subsequent files even if an error occurs while verifying a file. This option is useful for batch verification scenarios.

  • --encoding <Encoding>

    Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.

  • --nb, --no-banner

    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • -v, --verbose

    Enables verbose logging for the verification process, providing detailed output, which can be useful for debugging.

  • --rm, --revocation-mode <Mode> Specify the revocation check mode when verifying the certificate chain. By default, the verification process may try to check the certificate status against online Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. If these URLs are inaccessible or slow to respond — possibly due to firewall restrictions, then changing the revocation mode can improve verification performance. The parameter accepts the following <Mode> values:

    • Online (default): Performs live revocation checks.
    • Offline: Skips online checks and uses cached data.
    • NoCheck: Disables all revocation validation (not recommended for production).

  • --sl|--strict-lifetime
    Strictly enforce signature validity to the certificate’s validity period when a timestamp is present.

Examples

  1. Verify files with default settings:

    SignotaurTool.exe verify file1.exe file2.dll

  2. Verify files with a file list:

    SignotaurTool.exe verify --fl filelist.txt

Exit Codes

The following exit codes indicate the result of the operation performed by the verify command:

  • 0 (Success): All files were successfully verified.
  • 1 (NotFound): One or more specified files were not found.
  • 2 (Aborted): The verification process was aborted due to user intervention or other factors.
  • 16 (NoSignature): The file does not have a signature.
  • 17 (ExplicitDistrust): The certificate has been explicitly distrusted.
  • 18 (SubjectNotTrusted): The certificate is not trusted due to issues with the subject.
  • 20 (UntrustedRoot): The certificate's root is not trusted.
  • 21 (CertificateExpired): The certificate has expired and is no longer valid.
  • 22 (Malformed): The certificate is malformed and cannot be verified.
  • 23 (CertificateRevoked): The certificate has been revoked.
  • 28 (TrustFailure): The certificate failed the trust validation.
  • 29 (CertificateIssuerChaining): There was an issue with the certificate's issuer chain.
  • 36 (CertificateRevocationFailure): The certificate's revocation status could not be determined.

Typically a more specific message will be displayed before an error exit code is returned.