Verify command

The verify command checks the validity of signed files, ensuring their integrity and confirming that the signatures are trusted. It can verify multiple files efficiently with wildcard support.

Usage

SignotaurTool.exe verify [options] [files]

Files Parameter

  • A list of file paths to verify. You can specify individual file paths or use wildcards to match multiple files. This parameter supports the following wildcard patterns:

    • *: Matches zero or more characters within a file name. For example, *.exe will match all executable files in the specified directory.
    • ?: Matches a single character. For instance, file?.dll will match file1.dll, file2.dll, but not file12.dll.
    • **: Indicates a recursive search across all subdirectories. For example, **/*.exe will match all .exe files found in the current directory and all its subdirectories.
    • !: Identifies an exclude pattern. The ! must be at the start of the pattern, and an exclude pattern must be used together with a normal include pattern. For instance, the two patterns *.dll and !*.Test.dll will match all .dll files found in the current directory excluding all test DLLs, that is file1.dll and file2.dll, but not file1.Test.dll.
  • Examples:

    • *.exe: Matches all executable files in the specified directory.
    • C:\Projects\**\*.dll: Matches all dynamic link library files in the C:\Projects directory and any of its subdirectories.
    • C:\MyFiles\file?.exe: Matches any executable files that start with "file" followed by a single character.
    • !*.pdb: Excludes all debug (.pdb) files in the specified directory from the current match.
  • Notes:

    • Ensure that the directory paths are specified correctly, as the command resolves matching files from the directory provided in conjunction with the wildcards.
    • For verifying a large number of files, you can use the --file-list option to specify the path to a file containing the list of file paths.
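The following Python matcher is an added illustration, not code from SignotaurTool or its documentation: it applies the include/exclude wildcard rules above (*, ?, ** and a leading !) to a constructed list of relative file paths. How the tool resolves patterns internally is not specified on this page, so the exact semantics (for example, that * never crosses a directory separator) are an assumption.

```python
import re
from typing import Iterable

# Constructed sample file tree (relative paths, forward slashes), standing in
# for a directory scan. Not real output from the tool.
SAMPLE_FILES = [
    "file1.dll", "file2.dll", "file12.dll", "file1.Test.dll",
    "app.exe", "setup.pdb", "bin/tool.exe", "bin/x64/tool2.exe",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one pattern into a regex following the documented rules:
    '*'  -> zero or more characters within a single name (assumed: no '/'),
    '?'  -> exactly one character,
    '**/' -> zero or more directory levels (recursive search)."""
    pat = pattern.replace("\\", "/")   # accept Windows separators too
    out = []
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out.append("(?:.*/)?")      # current dir or any depth below it
            i += 3
            continue
        c = pat[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve(patterns: Iterable[str], files: Iterable[str] = SAMPLE_FILES) -> list:
    """Apply the include patterns, then subtract every '!' exclude pattern.
    An exclude pattern on its own is rejected, as the documentation requires
    it to accompany a normal include pattern."""
    patterns = list(patterns)
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    if not includes:
        raise ValueError("an exclude pattern (!) needs at least one include pattern")
    inc = [pattern_to_regex(p) for p in includes]
    exc = [pattern_to_regex(p) for p in excludes]
    matched = [f for f in files if any(r.match(f) for r in inc)]
    return [f for f in matched if not any(r.match(f) for r in exc)]
```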

ClickOnce and VSTO Content Pattern Filtering

When verifying ClickOnce (.application) or VSTO (.vsto) files, you can specify which dependency files should be verified using content patterns. Use a colon (:) to separate the root file pattern from the content patterns. See ClickOnce and VSTO Verification.

Options

  • --fl, --file-list <FileName>

    Specifies the path to a file containing a list of file paths to verify. Each line in the file should contain one file path. The tool will interpret each path just as it does for the Files parameter. For ClickOnce/VSTO files, you can use the content pattern syntax (:) to filter dependencies (e.g., MyApp.application:*.dll:*.exe).

  • -b, --base-directory <Directory>

    Sets the base directory for resolving relative file paths.

  • --ignore-untrusted-root

    Ignores untrusted root errors when verifying a file signed with a self-signed certificate. Use this option with caution as it bypasses trust validation for the root certificate.

  • -m, --max-degree-of-parallelism <MDOP>

    Specifies the maximum number of concurrent file verification operations. Default is 4. A higher value can speed up processing for large file sets.

  • --continue-on-fail

    Continues verifying subsequent files even if an error occurs while verifying a file. This option is useful for batch verification scenarios.

  • --encoding <Encoding>

    Specifies the output encoding. Set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. Defaults to UTF8.

  • --nb, --no-banner

    Hides the banner in the output, which may be useful for scripting or logging purposes where you want a clean output.

  • -v, --verbose

    Enables verbose logging for the verification process, providing detailed output, which can be useful for debugging.

  • --rm, --revocation-mode <Mode>

    Specifies the revocation check mode used when verifying the certificate chain. By default, the verification process may check the certificate status against online Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responders. If those URLs are inaccessible or slow to respond (for example, because of firewall restrictions), changing the revocation mode can improve verification performance. The parameter accepts the following <Mode> values:

    • Online (default): Performs live revocation checks.
    • Offline: Skips online checks and uses cached data.
    • NoCheck: Disables all revocation validation (not recommended for production).

  • --sl, --strict-lifetime

    Strictly enforces signature validity against the certificate's validity period when a timestamp is present.

Examples

  1. Verify files with default settings:

    SignotaurTool.exe verify file1.exe file2.dll
    
  2. Verify files with a file list:

    SignotaurTool.exe verify --fl filelist.txt
    

Supported File Types

The verify command supports verification of the following file types: .appx, .appxbundle, .cab, .cat, .cdxml, .dll, .eappx, .eappxbundle, .emsix, .emsixbundle, .exe, .msi, .msix, .msixbundle, .msm, .msp, .mst, .ocx, .ps1, .ps1xml, .psd1, .psm1, .stl, .sys, .vbs, .vxd, .winmd. Additional PE file types may also be verified automatically.

ClickOnce or VSTO Verification

If the input includes a .application file (ClickOnce deployment manifest) or a .vsto file (Visual Studio Tools for Office add-in manifest), the verify command automatically detects and verifies all related application files and manifests. See ClickOnce and VSTO Signing for detailed information about content filtering and application-specific options.

Exit Codes

The following exit codes indicate the result of the operation performed by the verify command:

  • 0 (Success): All files were successfully verified.
  • 1 (NotFound): One or more specified files were not found.
  • 2 (Aborted): The verification process was aborted due to user intervention or other factors.
  • 16 (NoSignature): The file does not have a signature.
  • 17 (ExplicitDistrust): The certificate has been explicitly distrusted.
  • 18 (SubjectNotTrusted): The certificate is not trusted due to issues with the subject.
  • 20 (UntrustedRoot): The certificate's root is not trusted.
  • 21 (CertificateExpired): The certificate has expired and is no longer valid.
  • 22 (Malformed): The certificate is malformed and cannot be verified.
  • 23 (CertificateRevoked): The certificate has been revoked.
  • 28 (TrustFailure): The certificate failed the trust validation.
  • 29 (CertificateIssuerChaining): There was an issue with the certificate's issuer chain.
  • 36 (CertificateRevocationFailure): The certificate's revocation status could not be determined.

See also Sign command exit codes.

Typically a more specific message will be displayed before an error exit code is returned.