The verify command checks the validity of signed files, ensuring their integrity and confirming that the signatures are trusted. It can verify multiple files efficiently with wildcard support.
SignotaurTool.exe verify [options] [files]
A list of file paths to verify. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:
* : Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
? : Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
** : Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.
Examples:
*.exe : Matches all executable files in the specified directory.
C:\Projects\**\*.dll : Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
C:\MyFiles\file?.exe : Matches any executable files that start with "file" followed by a single character.
Notes:
--file-list option to specify the path to a file containing the list of file paths.
--fl, --file-list <FileName>
Specifies the path to a file containing a list of file paths to verify. Each line in the file should contain one file path.
--ignore-untrusted-root
Ignores untrusted root errors when verifying a file signed with a self-signed certificate. Use this option with caution as it bypasses trust validation for the root certificate.
-m, --max-degree-of-parallelism <MDOP>
Specifies the maximum number of concurrent file verification operations. Default is 4. A higher value can speed up processing for large file sets.
--continue-on-fail
Continues verifying subsequent files even if an error occurs while verifying a file. This option is useful for batch verification scenarios.
--encoding <Encoding>
Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.
--nb, --no-banner
Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.
-v, --verbose
Enables verbose logging for the verification process, providing detailed output, which can be useful for debugging.
--rm, --revocation-mode <Mode>
Specifies the revocation check mode when verifying the certificate chain. By default, the verification process may try to check the certificate status against online Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. If these URLs are inaccessible or slow to respond, possibly due to firewall restrictions, changing the revocation mode can improve verification performance. The parameter accepts the following <Mode> values:
--sl, --strict-lifetime
Strictly enforces signature validity to the certificate’s validity period when a timestamp is present.
Verify files with default settings:
SignotaurTool.exe verify file1.exe file2.dll
Verify files with a file list:
SignotaurTool.exe verify --fl filelist.txt
The following exit codes indicate the result of the operation performed by the verify command:
Typically a more specific message will be displayed before an error exit code is returned.
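A release-gate wrapper in PowerShell, added here as an example and not part of the tool's own documentation: it writes the build's .exe and .dll paths to a file list, runs verify on that list, and fails the build on a non-zero exit code. The artifact folder, the tool being on PATH, and 0 as the success exit code are assumptions.

```powershell
# Added example: release gate around "SignotaurTool.exe verify".
# Assumptions (not from the tool's documentation): the tool is on PATH,
# exit code 0 means every file verified, and $ArtifactDir is a placeholder.
param(
    [string]$ArtifactDir = 'C:\Build\Output',   # hypothetical build output folder
    [string]$Tool = 'SignotaurTool.exe'
)

# Collect the binaries that must carry a trusted signature.
$files = @(Get-ChildItem -Path $ArtifactDir -Recurse -File -Include *.exe, *.dll -ErrorAction Stop |
    Select-Object -ExpandProperty FullName)

# An empty set must fail the gate: "nothing verified" is not "everything verified".
if ($files.Count -eq 0) {
    Write-Host "No .exe or .dll files found under $ArtifactDir."
    exit 1
}

# --file-list expects one path per line.
$listPath = Join-Path ([System.IO.Path]::GetTempPath()) "verify-list-$PID.txt"
[System.IO.File]::WriteAllLines($listPath, [string[]]$files)

try {
    # --continue-on-fail: report every failing file, not only the first.
    # --no-banner: keep the CI log limited to verification results.
    # --ignore-untrusted-root is deliberately not passed: a release gate
    # should fail when the chain does not end in a trusted root.
    & $Tool verify --file-list $listPath --continue-on-fail --no-banner
    $code = $LASTEXITCODE
}
finally {
    Remove-Item -Path $listPath -ErrorAction SilentlyContinue
}

if ($code -ne 0) {
    Write-Host "Signature verification failed (exit code $code)."
    exit $code   # propagate the tool's exit code to the CI system
}
Write-Host "Verified $($files.Count) files."
```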